From dcac60a60fdb5a47b7c23b98467de2fc732314b3 Mon Sep 17 00:00:00 2001 From: Alec Gibson <12036746+alecgibson@users.noreply.github.com> Date: Thu, 18 Jan 2024 11:21:10 +0000 Subject: [PATCH] =?UTF-8?q?=F0=9F=91=B7=E2=80=8D=E2=99=80=EF=B8=8F=20Move?= =?UTF-8?q?=20publishing=20inside=20single=20workflow?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit At the moment, we have two Github Action workflows: - `test.yml`: runs build and test, then tags when bumping the version in `main` - `publish.yml`: releases the package when a new tag is published The issue with this setup is that the built-in `GITHUB_TOKEN` [will not trigger another workflow][1], so we had to add a separate PAT with write permissions to our repos, which was a bit of a security concern. In order to avoid the need for this extra token, with its associated risks and administrative overheads (like rotating), this change combines our workflows into a single workflow. We tweak the `tag.sh` to `release.sh`, and it's now also in charge of publishing (since it knows when we've pushed a new tag). [1]: https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow --- .github/workflows/publish.yml | 12 ++++++------ .github/workflows/tag.yml | 20 -------------------- tag.sh => release.sh | 2 ++ 3 files changed, 8 insertions(+), 26 deletions(-) delete mode 100644 .github/workflows/tag.yml rename tag.sh => release.sh (96%) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 39bccc9d6..a73ffb3d9 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml 
@@ -2,18 +2,18 @@ name: Publish on: push: - tags: - - '*' + branches: + - master jobs: build: runs-on: ubuntu-latest timeout-minutes: 10 steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v2 + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 with: - node-version: '14.x' + node-version: '20.x' registry-url: 'https://npm.pkg.github.com' - name: Build reencode action run: cd ./.github/actions/reencode-dictionaries && npm install && cd ../../../ @@ -22,6 +22,6 @@ jobs: - name: "Change dictionaries encoding to UTF-8" uses: ./.github/actions/reencode-dictionaries - name: Publish - run: npm publish + run: ./release.sh env: NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml deleted file mode 100644 index 4204f0029..000000000 --- a/.github/workflows/tag.yml +++ /dev/null @@ -1,20 +0,0 @@ -name: Tag - -on: - push: - branches: - - master - -jobs: - build: - runs-on: ubuntu-latest - timeout-minutes: 10 - steps: - - name: Checkout - uses: actions/checkout@v2 - with: - # Use PAT instead of default Github token, because the default - # token deliberately will not trigger another workflow run - token: ${{ secrets.PERSONAL_ACCESS_TOKEN }} - - name: Tag - run: ./tag.sh diff --git a/tag.sh b/release.sh similarity index 96% rename from tag.sh rename to release.sh index 3f55ed2c6..c4ee420ec 100755 --- a/tag.sh +++ b/release.sh @@ -17,3 +17,5 @@ fi git tag $VERSION git push origin refs/tags/$VERSION + +npm publish
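Review bot: In the first hunk of `.github/workflows/publish.yml`, the bumped steps `actions/checkout@v4` and `actions/setup-node@v4` are still referenced by mutable tag. This job now both pushes a tag and publishes a package on every push to `master`, so whatever code those tags resolve to runs next to a write-capable token. Pinning each to a full commit SHA with the version as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`, keeps the release path on reviewed code. The same job runs `npm install` for the reencode action after checkout has persisted the token for later git commands (its default), so dependency install scripts run within reach of that credential. `npm ci` against a committed lockfile would narrow this, if that action has one.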
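Review bot: The `Publish` step in the second hunk of `publish.yml` now relies on `GITHUB_TOKEN` to push a tag as well as to publish, yet no `permissions:` key appears anywhere in the visible lines of the workflow. The token's scope is therefore whatever the repository or organisation default happens to be. Declaring it on the `build` job (whose header is in the previous hunk) makes the grant explicit and minimal: `permissions: {contents: write, packages: write}`. With a read-only default the `git push` in `release.sh` would be rejected, and with a permissive default the token carries scopes this job never uses.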
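Review bot: In `release.sh` the added `npm publish` runs only after the tag has been pushed, so a failed publish leaves a tag with no package behind it. If the guard ending at the `fi` above (outside this hunk) skips versions whose tag already exists, re-running the workflow would not retry the publish. Consider publishing before tagging, or having the guard check the registry rather than the tag. If the script does not run under `set -e` (not visible here), a rejected `git push` would also not stop the publish. The context lines expand `$VERSION` unquoted; `git tag "$VERSION"` and `git push origin "refs/tags/$VERSION"` avoid word splitting and globbing on a value presumably read from the repository's `package.json`.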