From ecc291138ee4573f5acb5ec922762d976e414cdd Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Gon=C3=A7alo=20M=2E?= Date: Mon, 17 Nov 2025 18:09:29 +0000 Subject: [PATCH] chore(npm): attempt to fix issue with Trusted Publishers when using reusable workflows (#30787) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Issue number: resolves # --------- ## What is the current behavior? - Publishing to npm is failing due to the changes to move to Trusted Publishers, since it seems that they still don't support reusable workflows, as mentioned [here](https://github.com/orgs/community/discussions/174507) - The action to which we grant permissions on npm needs to follow a strict path location `.github/workflows/` in your repository. ## What is the new behavior? - Fixed permissions mismatch by applying the orchestrator method for npm publish: release-orchestrator.yml (contents: read, id-token: write) ├─→ nightly.yml (contents: read, id-token: write) │ └─→ release-ionic.yml (contents: read, id-token: write) │ └─→ publish-npm.yml (contents: read, id-token: write) ✅ ├─→ dev-build.yml (contents: read, id-token: write) │ └─→ release-ionic.yml (contents: read, id-token: write) │ └─→ publish-npm.yml (contents: read, id-token: write) ✅ └─→ release.yml (contents: read, id-token: write) └─→ release-ionic.yml (contents: read, id-token: write) └─→ publish-npm.yml (contents: read, id-token: write) ✅ - `release-orchestrator.yml` calls three workflows: `nightly.yml`, `dev-build.yml`, and `release.yml`. - All three call `release-ionic.yml`, which handles publishing multiple packages. - `release-ionic.yml` calls `publish-npm.yml` multiple times (once per package). - All workflows have `contents: read` and `id-token: write` permissions. - `publish-npm.yml` is in `.github/workflows/`, which satisfies npm Trusted Publishers requirements. - This shows that `publish-npm.yml` is reachable through all three release paths, and moving it to `.github/workflows/` ensures npm Trusted Publishers can authenticate it correctly. 
## Does this introduce a breaking change? - [ ] Yes - [x] No - Run pipelines after merge ## Other information - The workflow `release-orchestrator.yml` needs to be the one set up in the npm package settings for the Trusted Publishers
---
 .github/workflows/dev-build.yml | 5 ++
 .github/workflows/nightly.yml | 5 ++
 .../action.yml => publish-npm.yml} | 1 +
 .github/workflows/release-ionic.yml | 16 ++--
 .github/workflows/release-orchestrator.yml | 73 +++++++++++++++++++
 .github/workflows/release.yml | 38 ++++++++++
 6 files changed, 130 insertions(+), 8 deletions(-)
 rename .github/workflows/{actions/publish-npm/action.yml => publish-npm.yml} (98%)
 create mode 100644 .github/workflows/release-orchestrator.yml
diff --git a/.github/workflows/dev-build.yml b/.github/workflows/dev-build.yml
index 0f554f4d27..0231e43f66 100644
--- a/.github/workflows/dev-build.yml
+++ b/.github/workflows/dev-build.yml
@@ -2,6 +2,11 @@ name: 'Ionic Dev Build'
 
 on:
 workflow_dispatch:
+ workflow_call:
+
+permissions:
+ contents: read
+ id-token: write
 
 jobs:
 create-dev-hash:
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
index 504a1b14aa..e2f5d57c78 100644
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -5,6 +5,11 @@ on:
 # Run every Monday-Friday
 # at 6:00 UTC (6:00 am UTC)
 - cron: '00 06 * * 1-5'
+ workflow_call:
+
+permissions:
+ contents: read
+ id-token: write
 
 jobs:
 create-nightly-hash:
diff --git a/.github/workflows/actions/publish-npm/action.yml b/.github/workflows/publish-npm.yml
similarity index 98%
rename from .github/workflows/actions/publish-npm/action.yml
rename to .github/workflows/publish-npm.yml
index b4c174ba88..9730f0e43e 100644
--- a/.github/workflows/actions/publish-npm/action.yml
+++ b/.github/workflows/publish-npm.yml
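Review bot: The workflow-level `permissions:` block added to dev-build.yml grants `id-token: write` to every job in that workflow, not only to the job that will call release-ionic.yml and needs an OIDC token for npm; the nightly.yml hunk adds the same block, and so does release.yml, whose `release-ionic` job already carries it at job level (visible in that hunk's context). A called reusable workflow cannot exceed the calling job's permissions, so placing `permissions: { contents: read, id-token: write }` under `jobs.<id>.permissions` on the calling job and keeping the workflow level at `permissions: { contents: read }` keeps the token away from the hash and build jobs. The orchestrator is the one file where a workflow-level grant is reasonable, since each of its jobs is a call into a publishing workflow. The job definitions that would carry the job-level grant lie outside these hunks.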
@@ -26,6 +26,7 @@ runs:
 with:
 node-version: ${{ inputs.node-version }}
 registry-url: 'https://registry.npmjs.org'
+ scope: '@ionic'
 # Provenance requires npm 9.5.0+
 - name: 📦 Install latest npm
 run: npm install -g npm@latest
diff --git a/.github/workflows/release-ionic.yml b/.github/workflows/release-ionic.yml
index dfac8f6f16..82d365b0a9 100644
--- a/.github/workflows/release-ionic.yml
+++ b/.github/workflows/release-ionic.yml
@@ -24,7 +24,7 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- - uses: ./.github/workflows/actions/publish-npm
+ - uses: ./.github/workflows/publish-npm.yml
 with:
 scope: '@ionic/core'
 tag: ${{ inputs.tag }}
@@ -55,7 +55,7 @@ jobs:
 name: ionic-docs
 path: ./packages/docs
 filename: DocsBuild.zip
- - uses: ./.github/workflows/actions/publish-npm
+ - uses: ./.github/workflows/publish-npm.yml
 with:
 scope: '@ionic/docs'
 tag: ${{ inputs.tag }}
@@ -74,7 +74,7 @@ jobs:
 name: ionic-core
 path: ./core
 filename: CoreBuild.zip
- - uses: ./.github/workflows/actions/publish-npm
+ - uses: ./.github/workflows/publish-npm.yml
 with:
 scope: '@ionic/angular'
 tag: ${{ inputs.tag }}
@@ -100,7 +100,7 @@ jobs:
 name: ionic-core
 path: ./core
 filename: CoreBuild.zip
- - uses: ./.github/workflows/actions/publish-npm
+ - uses: ./.github/workflows/publish-npm.yml
 with:
 scope: '@ionic/react'
 tag: ${{ inputs.tag }}
@@ -125,7 +125,7 @@ jobs:
 name: ionic-core
 path: ./core
 filename: CoreBuild.zip
- - uses: ./.github/workflows/actions/publish-npm
+ - uses: ./.github/workflows/publish-npm.yml
 with:
 scope: '@ionic/vue'
 tag: ${{ inputs.tag }}
@@ -150,7 +150,7 @@ jobs:
 name: ionic-core
 path: ./core
 filename: CoreBuild.zip
- - uses: ./.github/workflows/actions/publish-npm
+ - uses: ./.github/workflows/publish-npm.yml
 with:
 scope: '@ionic/angular-server'
 tag: ${{ inputs.tag }}
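Review bot: The renamed publish-npm.yml still uses composite-action syntax, as its `runs:` hunk context and `${{ inputs.node-version }}` show, yet it now sits in `.github/workflows/` under a `.yml` name, so GitHub will presumably parse it as a workflow and report it as invalid for lacking an `on:` trigger, unless the rest of the file was reshaped outside this hunk. The `- uses: ./.github/workflows/publish-npm.yml` step introduced in the release-ionic.yml hunks (-24, -55, -74, -100, -125, -150, -176 and -201) has the same problem from the other side: a step-level local `uses:` must name a directory that holds an `action.yml`, and a file under `.github/workflows/` can only be consumed as a reusable workflow through `jobs.<id>.uses`. If npm validates the top-level triggered workflow, as the description's remark about registering `release-orchestrator.yml` suggests, the composite action's own path is not part of that check and it can stay where it was, `- uses: ./.github/workflows/actions/publish-npm`. The added `scope: '@ionic'` is fine on its own; setup-node uses it to bind the `@ionic` scope to the configured `registry-url` in the generated `.npmrc`.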
@@ -176,7 +176,7 @@ jobs:
 name: ionic-react
 path: ./packages/react
 filename: ReactBuild.zip
- - uses: ./.github/workflows/actions/publish-npm
+ - uses: ./.github/workflows/publish-npm.yml
 with:
 scope: '@ionic/react-router'
 tag: ${{ inputs.tag }}
@@ -201,7 +201,7 @@ jobs:
 name: ionic-vue
 path: ./packages/vue
 filename: VueBuild.zip
- - uses: ./.github/workflows/actions/publish-npm
+ - uses: ./.github/workflows/publish-npm.yml
 with:
 scope: '@ionic/vue-router'
 tag: ${{ inputs.tag }}
diff --git a/.github/workflows/release-orchestrator.yml b/.github/workflows/release-orchestrator.yml
new file mode 100644
index 0000000000..f14706363a
--- /dev/null
+++ b/.github/workflows/release-orchestrator.yml
@@ -0,0 +1,73 @@
+name: 'Ionic Release'
+
+on:
+ schedule:
+ # Run every Monday-Friday
+ # at 6:00 UTC (6:00 am UTC)
+ - cron: '00 06 * * 1-5'
+ workflow_dispatch:
+ inputs:
+ release-type:
+ description: 'Which Ionic release workflow should run?'
+ required: true
+ type: choice
+ default: nightly
+ options:
+ - dev
+ - nightly
+ - production
+ version:
+ description: 'Which version should be published? (Only for production releases)'
+ required: false
+ type: choice
+ options:
+ - patch
+ - minor
+ - major
+ - prepatch
+ - preminor
+ - premajor
+ - prerelease
+ tag:
+ description: 'Which npm tag should this be published to? (Only for production releases)'
+ required: false
+ type: choice
+ default: latest
+ options:
+ - latest
+ - next
+ preid:
+ description: 'Which prerelease identifier should be used? (Only for production releases)'
+ required: false
+ type: choice
+ default: ''
+ options:
+ - ''
+ - alpha
+ - beta
+ - rc
+ - next
+
+permissions:
+ contents: read
+ id-token: write
+
+jobs:
+ run-nightly:
+ if: ${{ github.event_name == 'schedule' || (github.event_name == 'workflow_dispatch' && inputs.release-type == 'nightly') }}
+ uses: ./.github/workflows/nightly.yml
+ secrets: inherit
+
+ run-dev:
+ if: ${{ github.event_name == 'workflow_dispatch' && inputs.release-type == 'dev' }}
+ uses: ./.github/workflows/dev-build.yml
+ secrets: inherit
+
+ run-production:
+ if: ${{ github.event_name == 'workflow_dispatch' && inputs.release-type == 'production' }}
+ uses: ./.github/workflows/release.yml
+ secrets: inherit
+ with:
+ version: ${{ inputs.version }}
+ tag: ${{ inputs.tag }}
+ preid: ${{ inputs.preid }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 93938b8bf9..6b20b89689 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
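Review bot: The `schedule` trigger at the top of the new release-orchestrator.yml fires on the same `cron: '00 06 * * 1-5'` that nightly.yml keeps (it is still a context line in that hunk), so every weekday at 06:00 UTC the nightly publish will be attempted twice, once through `run-nightly` here and once from nightly.yml's own schedule, and only the orchestrator-launched run can match a Trusted Publisher registered on `release-orchestrator.yml`. Removing `schedule:` from nightly.yml while keeping its `workflow_dispatch:` and the new `workflow_call:` leaves a single scheduled entry point; the `if:` on `run-nightly` already covers the manual case. Separately, `secrets: inherit` on all three jobs forwards every repository and organisation secret into the called workflows; if they only need a known set, listing those under `secrets:` keeps the exposure of the publish path smaller.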
@@ -32,9 +32,47 @@ on:
 - beta
 - rc
 - next
+ workflow_call:
+ inputs:
+ version:
+ description: 'Which version should be published?'
+ required: true
+ type: string
+ tag:
+ description: 'Which npm tag should this be published to?'
+ required: true
+ type: string
+ preid:
+ description: 'Which prerelease identifier should be used? This is only needed when version is "prepatch", "preminor", "premajor", or "prerelease".'
+ required: false
+ type: string
+
+permissions:
+ contents: read
+ id-token: write
 
 jobs:
+ validate_version:
+ name: ✅ Validate Version Input
+ runs-on: ubuntu-latest
+ steps:
+ - name: 🔎 Ensure version is allowed
+ env:
+ VERSION: ${{ inputs.version }}
+ run: |
+ case "$VERSION" in
+ patch|minor|major|prepatch|preminor|premajor|prerelease)
+ exit 0
+ ;;
+ *)
+ echo "::error::Invalid version input: '$VERSION'. Allowed values: patch, minor, major, prepatch, preminor, premajor, prerelease."
+ exit 1
+ ;;
+ esac
+ shell: bash
+
 release-ionic:
+ needs: [validate_version]
 permissions:
 contents: read
 id-token: write
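Review bot: The new `validate_version` job checks only `version`, while the `workflow_call` trigger added in the same hunk also accepts `tag` and `preid` as free-form `type: string` inputs that are no longer constrained by the `choice` lists of the `workflow_dispatch` path (its `preid` options `- beta`, `- rc`, `- next` are this hunk's leading context); both presumably reach shell commands further down in release.yml and in release-ionic.yml, outside this hunk. Since `release-ionic` already gates on `needs: [validate_version]`, the same step can reject unexpected `tag` and `preid` values against the sets the orchestrator offers (`latest`/`next` and `''`/`alpha`/`beta`/`rc`/`next`), so that a caller cannot pass anything the manual path would not allow. The `on:` block begins before this hunk and the `release-ionic` job continues after it.
```yaml
      # … unchanged: validate_version job header (name, runs-on, steps) …
      - name: 🔎 Ensure version, tag and preid are allowed
        env:
          VERSION: ${{ inputs.version }}
          TAG: ${{ inputs.tag }}
          PREID: ${{ inputs.preid }}
        run: |
          case "$VERSION" in
            patch|minor|major|prepatch|preminor|premajor|prerelease) ;;
            *)
              echo "::error::Invalid version input: '$VERSION'. Allowed values: patch, minor, major, prepatch, preminor, premajor, prerelease."
              exit 1
              ;;
          esac
          case "$TAG" in
            latest|next) ;;
            *)
              echo "::error::Invalid tag input: '$TAG'. Allowed values: latest, next."
              exit 1
              ;;
          esac
          case "$PREID" in
            ''|alpha|beta|rc|next) ;;
            *)
              echo "::error::Invalid preid input: '$PREID'. Allowed values: '', alpha, beta, rc, next."
              exit 1
              ;;
          esac
        shell: bash
  # … unchanged: release-ionic job with needs: [validate_version] …
```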