javascript/ionic-framework
1
0
Fork 0
mirror of https://github.com/ionic-team/ionic-framework.git synced 2026-03-13 10:22:08 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
ecc291138ee4573f5acb5ec922762d976e414cdd
ionic-framework/.github/workflows/publish-npm.yml
Gonçalo M. ecc291138e chore(npm): attempt to fix issue with Trusted Publishers when using reusable workflows (#30787) 
Issue number: resolves #

---------

<!-- Please do not submit updates to dependencies unless it fixes an
issue. -->

<!-- Please try to limit your pull request to one type (bugfix, feature,
etc). Submit multiple pull requests if needed. -->

## What is the current behavior?
<!-- Please describe the current behavior that you are modifying. -->
- Publishing to npm is failing due to the changes to move to Trusted
Publishers, since it seems that they still don't support reusable
workflows, as mentioned
[here](https://github.com/orgs/community/discussions/174507)
- The action to which we grant permissions on npm needs to follow a
strict path location `.github/workflows/` in your repository.

## What is the new behavior?
<!-- Please describe the behavior or changes that are being added by
this PR. -->

- Fixed permissions mismatch by applying the orchestrator method for npm
publish:
release-orchestrator.yml (contents: read, id-token: write)

  ├─→ nightly.yml (contents: read, id-token: write)
  │   └─→ release-ionic.yml (contents: read, id-token: write)
  │       └─→ publish-npm.yml (contents: read, id-token: write) 

  ├─→ dev-build.yml (contents: read, id-token: write)
  │   └─→ release-ionic.yml (contents: read, id-token: write)
  │       └─→ publish-npm.yml (contents: read, id-token: write) 

  └─→ release.yml (contents: read, id-token: write)
      └─→ release-ionic.yml (contents: read, id-token: write)
          └─→ publish-npm.yml (contents: read, id-token: write) 

- `release-orchestrator.yml` calls three workflows: `nightly.yml`,
`dev-build.yml`, and `release.yml`.
- All three call `release-ionic.yml`, which handles publishing multiple
packages.
- `release-ionic.yml` calls `publish-npm.yml` multiple times (once per
package).
- All workflows have `contents: read` and `id-token: write` permissions.
- `publish-npm.yml` is in `.github/workflows/`, which satisfies npm
Trusted Publishers requirements.
- This shows that `publish-npm.yml` is reachable through all three
release paths, and moving it to `.github/workflows/` ensures npm Trusted
Publishers can authenticate it correctly.




## Does this introduce a breaking change?

- [ ] Yes
- [x] No

<!--
  If this introduces a breaking change:
1. Describe the impact and migration path for existing applications
below.
  2. Update the BREAKING.md file with the breaking change.
3. Add "BREAKING CHANGE: [...]" to the commit description when merging.
See
https://github.com/ionic-team/ionic-framework/blob/main/docs/CONTRIBUTING.md#footer
for more information.
-->

- Run pipelines after merge


## Other information

<!-- Any other information that is important to this PR such as
screenshots of how the component looks before and after the change. -->
- The workflow `release-orchestrator.yml` needs to be the one set up in
the npm package settings for the Trusted Publishers
2025-11-17 18:09:29 +00:00

60 lines
2.2 KiB
YAML
Raw Blame History

name: 'Release'
description: 'Releases a package'
inputs:
scope:
description: 'The package to release. Must match a package specified in lerna.json.'
version:
description: 'The type of version to release.'
tag:
description: 'The tag to publish to on NPM.'
preid:
description: "Prerelease identifier such as 'alpha', 'beta', 'rc', or 'next'. Leave blank to skip prerelease tagging."
working-directory:
description: 'The directory of the package.'
folder:
default: './'
description: 'A folder containing a package.json file.'
node-version:
description: 'Node.js version to use when publishing.'
required: false
default: '24.x'
runs:
using: 'composite'
steps:
- name: 🟢 Configure Node for Publish
uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
with:
node-version: ${{ inputs.node-version }}
registry-url: 'https://registry.npmjs.org'
scope: '@ionic'
# Provenance requires npm 9.5.0+
- name: 📦 Install latest npm
run: npm install -g npm@latest
shell: bash
# This ensures the local version of Lerna is installed
# and that we do not use the global Lerna version
- name: 🕸️ Install root dependencies
run: npm ci
shell: bash
- name: 📦 Install Dependencies
run: npx lerna@5 bootstrap --include-dependencies --scope ${{ inputs.scope }} --ignore-scripts -- --legacy-peer-deps
shell: bash
working-directory: ${{ inputs.working-directory }}
- name: 🏷️ Set Version
run: |
if [ -z "${{ inputs.preid }}" ]; then
npx lerna@5 version ${{ inputs.version }} --yes --exact --no-changelog --no-push --no-git-tag-version
else
npx lerna@5 version ${{ inputs.version }} --yes --exact --no-changelog --no-push --no-git-tag-version --preid=${{ inputs.preid }}
fi
shell: bash
working-directory: ${{ inputs.working-directory }}
- name: 🏗️ Run Build
run: npm run build
shell: bash
working-directory: ${{ inputs.working-directory }}
- name: 🚀 Publish to NPM
run: npm publish ${{ inputs.folder }} --tag ${{ inputs.tag }} --provenance
shell: bash
working-directory: ${{ inputs.working-directory }}
Reference in New Issue View Git Blame Copy Permalink