
Commit 39cebef

committed
chore: oidc npm workflow
1 parent 19dd1b0 commit 39cebef


2 files changed

+35
-4
lines changed


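--- a/.github/scripts/npm-publish-ci.sh
+++ b/.github/scripts/npm-publish-ci.sh
@@ -0,0 +1,29 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+TAG="${NPM_TAG:-next}"
+
+args=(
+--tag "$TAG"
+--access public
+--provenance
+)
+
+log_file="$(mktemp)"
+
+set +e
+npm publish "${args[@]}" 2>&1 | tee "$log_file"
+status=${PIPESTATUS[0]}
+set -e
+
+if [ "$status" -eq 0 ]; then
+exit 0
+fi
+
+# Ignore "already published" errors, but fail on everything else.
+if grep -qiE '(previously published|cannot publish over|EPUBLISHCONFLICT)' "$log_file"; then
+echo "Publish skipped (already published)."
+exit 0
+fi
+
+exit "$status"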
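Review bot: The "already published" check on line 24 greps the whole combined stdout/stderr of `npm publish`, so a different failure (an auth, OIDC or provenance error) is still turned into exit 0 whenever a lifecycle script or unrelated message in the log happens to contain one of the three phrases. Anchoring the pattern on npm's own error lines narrows this, e.g. `grep -qiE '^npm (ERR!|error) .*(previously published|cannot publish over|EPUBLISHCONFLICT)' "$log_file"`; the exact prefix should be checked against the npm version the workflow installs. The `mktemp` file created on line 12 is also never removed, and `trap 'rm -f -- "$log_file"' EXIT` directly after it would cover every exit path.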

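--- a/.github/workflows/publish_npm.yml
+++ b/.github/workflows/publish_npm.yml
@@ -10,6 +10,7 @@ env:
 jobs:
 release:
 runs-on: ubuntu-latest
+environment: npm-publish
 permissions:
 contents: read
 id-token: write
@@ -38,15 +39,16 @@ jobs:
 unset NODE_AUTH_TOKEN
 if [ -n "${NPM_CONFIG_USERCONFIG:-}" ]; then
 rm -f "$NPM_CONFIG_USERCONFIG"
+unset NPM_CONFIG_USERCONFIG
 fi
-# run publish in every package, ignore failures (ie no publish required if the version is already published)
-npx lerna exec --no-bail --stream --concurrency 1 -- "npm publish --tag \"$NPM_TAG\" --access public --provenance || true"
+# run publish in every package; only ignore "already published" errors
+npx lerna exec --no-bail --stream --concurrency 1 -- "bash \"$GITHUB_WORKSPACE/.github/scripts/npm-publish-ci.sh\""
 
 - name: Publish All Templates (granular token)
 if: ${{ vars.USE_NPM_TOKEN == 'true' }}
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
 run: |
 echo "Publishing templates to npm with tag $NPM_TAG via granular token..."
-# run publish in every package, ignore failures (ie no publish required if the version is already published)
-npx lerna exec --no-bail --stream --concurrency 1 -- "npm publish --tag \"$NPM_TAG\" --access public --provenance || true"
+# run publish in every package; only ignore "already published" errors
+npx lerna exec --no-bail --stream --concurrency 1 -- "bash \"$GITHUB_WORKSPACE/.github/scripts/npm-publish-ci.sh\""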
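Review bot: Both rewritten `npx lerna exec` lines (new lines 45 and 54) keep `--no-bail`, so whether a non-zero exit from `npm-publish-ci.sh` actually fails the step depends on lerna reporting the failure after it has visited every package. That is not visible in this diff and should be confirmed for the lerna version in use; otherwise real publish errors stay as silent as they were with the old `|| true`. A comment stating the expectation would help, e.g. `# --no-bail: continue through all packages; the step must still fail if any publish script exits non-zero`. The tag is also no longer passed on the command line: the script falls back to `next` when `NPM_TAG` is unset or empty, so if that fallback is not wanted in CI the script could use `TAG="${NPM_TAG:?NPM_TAG must be set}"`. Both `run:` blocks start outside the hunk.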
