-
Notifications
You must be signed in to change notification settings - Fork 0
90 lines (74 loc) · 2.92 KB
/
Copy pathci.yml
File metadata and controls
90 lines (74 loc) · 2.92 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
name: CI
on:
push:
branches: [master, main]
pull_request:
# Cancel a previous run if a new commit lands while the prior is in flight.
concurrency:
group: ci-${{ github.ref }}
cancel-in-progress: true
jobs:
test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install pandoc
# The integration tests (recipedown, postcard) shell out to the
# system pandoc binary. ubuntu-latest ships pandoc 3.x.
run: sudo apt-get update && sudo apt-get install -y pandoc
- name: Pandoc version (sanity)
run: pandoc --version | head -1
- uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- name: Install dependencies
run: bun install --frozen-lockfile
- name: Typecheck
run: bun run typecheck
- name: Test
run: bun test
publish:
# Only publish on direct pushes to the main branch — never from
# PRs. Requires npm trusted-publisher access on the workflow.
needs: test
if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
runs-on: ubuntu-latest
permissions:
id-token: write # OIDC for npm trusted publishing
steps:
- uses: actions/checkout@v4
- uses: oven-sh/setup-bun@v2
with:
bun-version: latest
- uses: actions/setup-node@v4
with:
node-version: '24'
# Intentionally NO `registry-url` — that sets NODE_AUTH_TOKEN
# which would shadow npm's built-in OIDC flow for trusted
# publishers. Trusted publishing on npm CLI ≥11.5 detects
# the GitHub OIDC environment automatically when no token
# is set.
- name: Use npm ≥11.5 for trusted-publisher OIDC
run: npm install -g npm@latest
- name: Install dependencies
run: bun install --frozen-lockfile
- name: Check if current version is already published
id: check
run: |
PKG_NAME=$(jq -r .name package.json)
PKG_VERSION=$(jq -r .version package.json)
echo "name=$PKG_NAME" >> "$GITHUB_OUTPUT"
echo "version=$PKG_VERSION" >> "$GITHUB_OUTPUT"
# `npm view <pkg>@<version> version` prints the version on
# success and exits non-zero (or empty) if the version
# doesn't exist. We tolerate either failure mode.
if PUBLISHED=$(npm view "${PKG_NAME}@${PKG_VERSION}" version 2>/dev/null) && [ -n "$PUBLISHED" ]; then
echo "Version ${PKG_VERSION} is already published — skipping."
echo "should_publish=false" >> "$GITHUB_OUTPUT"
else
echo "Version ${PKG_VERSION} is new — will publish."
echo "should_publish=true" >> "$GITHUB_OUTPUT"
fi
- name: Publish to npm (trusted publisher)
if: steps.check.outputs.should_publish == 'true'
run: npm publish --provenance --access public