mirror of
https://github.com/ionic-team/ionic-framework.git
synced 2025-12-19 05:19:42 +08:00
c37e2a5d9e
Issue number: internal --------- <!-- Please do not submit updates to dependencies unless it fixes an issue. --> <!-- Please try to limit your pull request to one type (bugfix, feature, etc). Submit multiple pull requests if needed. --> ## What is the current behavior? <!-- Please describe the current behavior that you are modifying. --> - Release workflows still inject a long-lived `NPM_TOKEN` via `.npmrc`, so publishes do not use npm’s trusted OIDC flow. ## What is the new behavior? <!-- Please describe the behavior or changes that are being added by this PR. --> - The shared `actions/publish-npm` composite action now configures `setup-node` with the npm registry, upgrades npm in place, and publishes with `--provenance` without writing `.npmrc`. - `release-dev.yml`, `release-nightly.yml`, and `release-production.yml` call into that trusted flow by removing the token input and (for production) inlining the same OIDC setup before `npm run release.ci`. - Allows npm to authenticate through trusted publishing requirements [docs.npmjs.com/trusted-publishers](https://docs.npmjs.com/trusted-publishers). - Step names were refreshed with emojis, but there are no other behavioral changes. ## Does this introduce a breaking change? - [ ] Yes - [x] No <!-- If this introduces a breaking change: 1. Describe the impact and migration path for existing applications below. 2. Update the BREAKING.md file with the breaking change. 3. Add "BREAKING CHANGE: [...]" to the commit description when merging. See https://github.com/ionic-team/ionic-framework/blob/main/docs/CONTRIBUTING.md#footer for more information. --> ## Other information <!-- Any other information that is important to this PR such as screenshots of how the component looks before and after the change. --> - These changes align the Ionic release automation with npm’s trusted-publisher enforcement while keeping the existing Lerna build/publish process intact. --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
134 lines
4.2 KiB
YAML
134 lines
4.2 KiB
YAML
name: 'Ionic Production Release'
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
version:
|
|
required: true
|
|
type: choice
|
|
description: Which version should be published?
|
|
options:
|
|
- patch
|
|
- minor
|
|
- major
|
|
- prepatch
|
|
- preminor
|
|
- premajor
|
|
- prerelease
|
|
tag:
|
|
required: true
|
|
type: choice
|
|
description: Which npm tag should this be published to?
|
|
options:
|
|
- latest
|
|
- next
|
|
preid:
|
|
type: choice
|
|
description: Which prerelease identifier should be used? This is only needed when version is "prepatch", "preminor", "premajor", or "prerelease".
|
|
default: ''
|
|
options:
|
|
- ''
|
|
- alpha
|
|
- beta
|
|
- rc
|
|
- next
|
|
|
|
jobs:
|
|
release-ionic:
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
uses: ./.github/workflows/release-ionic.yml
|
|
with:
|
|
tag: ${{ inputs.tag }}
|
|
version: ${{ inputs.version }}
|
|
preid: ${{ inputs.preid }}
|
|
|
|
finalize-release:
|
|
needs: [release-ionic]
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
with:
|
|
token: ${{ secrets.IONITRON_TOKEN }}
|
|
fetch-depth: 0
|
|
- name: Configure Identity
|
|
# Commits from github-actions do not
|
|
# trigger other GitHub Actions. As a result,
|
|
# we publish releases from Ionitron instead
|
|
# so actions run when merging the release branch
|
|
# back into main.
|
|
run: |
|
|
git config user.name ionitron
|
|
git config user.email hi@ionicframework.com
|
|
shell: bash
|
|
- name: Create GitHub Release
|
|
run: lerna version ${{ inputs.version }} --yes --force-publish='*' --conventional-commits --create-release github --preid=${{ inputs.preid }}
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
shell: bash
|
|
|
|
update-package-lock:
|
|
# This needs to run after finalize-release
|
|
# because we also push to the repo in that
|
|
# job. If these jobs ran in parallel then it is
|
|
# possible for them to push at the same time.
|
|
needs: [finalize-release]
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
# Pull the latest version of the reference
|
|
# branch instead of the revision that triggered
|
|
# the workflow otherwise we won't get the commit
|
|
# created in the previous job and this next job
|
|
# will fail.
|
|
with:
|
|
ref: ${{ github.ref }}
|
|
- name: Configure Identity
|
|
# Commits from github-actions do not
|
|
# trigger other GitHub Actions. As a result,
|
|
# we push from Ionitron instead so actions
|
|
# run when merging the release branch
|
|
# back into main.
|
|
run: |
|
|
git config user.name ionitron
|
|
git config user.email hi@ionicframework.com
|
|
shell: bash
|
|
# Lerna does not automatically bump versions
|
|
# of Ionic dependencies that have changed,
|
|
# so we do that here.
|
|
- name: Bump Package Lock
|
|
run: |
|
|
lerna exec "npm install --package-lock-only"
|
|
git add .
|
|
git commit -m "chore(): update package lock files"
|
|
git push
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
shell: bash
|
|
|
|
purge-cdn-cache:
|
|
needs: [release-ionic]
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Purge JSDelivr Cache
|
|
run: |
|
|
curl -X POST \
|
|
https://purge.jsdelivr.net/ \
|
|
-H 'cache-control: no-cache' \
|
|
-H 'content-type: application/json' \
|
|
-d '{
|
|
"path": [
|
|
"/npm/@ionic/core@6/dist/ionic/ionic.esm.js",
|
|
"/npm/@ionic/core@7/dist/ionic/ionic.esm.js",
|
|
"/npm/@ionic/core@8/dist/ionic/ionic.esm.js",
|
|
"/npm/@ionic/core@latest/dist/ionic/ionic.esm.js",
|
|
"/npm/@ionic/core@next/dist/ionic/ionic.esm.js",
|
|
"/npm/@ionic/core@6/css/ionic.bundle.css",
|
|
"/npm/@ionic/core@7/css/ionic.bundle.css",
|
|
"/npm/@ionic/core@8/css/ionic.bundle.css",
|
|
"/npm/@ionic/core@latest/css/ionic.bundle.css"
|
|
"/npm/@ionic/core@next/css/ionic.bundle.css"
|
|
]}'
|
|
shell: bash
|