Release #37
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| # Manual-only: pick the bump from the Actions UI, or | |
| # gh workflow run release.yml -f version_bump=patch|minor|major | |
| # No daily schedule on purpose. A timed cron auto-published unwanted releases on | |
| # the WordPress plugin, so a spec change here never publishes without review. | |
| # repository_dispatch (openapi-updated) is reserved for the planned main-app | |
| # integration; keep it off until the manual pipeline is proven. | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| version_bump: | |
| description: 'patch | minor | major' | |
| required: false | |
| default: 'patch' | |
| # repository_dispatch: | |
| # types: [openapi-updated] | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@v7 | |
| with: | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: actions/setup-node@v6 | |
| with: | |
| node-version: '24' | |
| registry-url: 'https://registry.npmjs.org' | |
| - uses: oven-sh/setup-bun@v2 | |
| - run: bun install --frozen-lockfile | |
| # Trusted publishing (OIDC) CANNOT create a package. npmjs.com requires the | |
| # package to already exist before a Trusted Publisher can be configured on it, | |
| # so the first version of any new package must be pushed by a human once | |
| # (npm/cli#8544, still open). | |
| # | |
| # Without this gate the run would publish @roxyapi/ui and @roxyapi/ui-react, | |
| # THEN die on the first-ever @roxyapi/ui-vue publish. The job aborts before | |
| # "Commit, tag, push", so npm ends up bumped while the repo has no version | |
| # commit, no tag and no GitHub release, and the re-run is then rejected for | |
| # republishing an existing version. Fail BEFORE anything is published instead. | |
| - name: Preflight — every package must already exist on npm | |
| run: | | |
| MISSING="" | |
| for pkg in packages/ui packages/ui-react packages/ui-vue; do | |
| NAME=$(jq -r '.name' "$pkg/package.json") | |
| npm view "$NAME" version >/dev/null 2>&1 || MISSING="$MISSING $NAME" | |
| done | |
| if [ -n "$MISSING" ]; then | |
| echo "::error::Never published, so OIDC cannot publish it either:$MISSING" | |
| echo "Bootstrap each package ONCE from a logged-in machine:" | |
| echo " (cd packages/<name> && npm publish --access public)" | |
| echo "then on npmjs.com open the package and set" | |
| echo " Trusted Publisher -> GitHub Actions -> RoxyAPI/ui -> release.yml" | |
| echo "Re-run this workflow afterwards. See npm/cli#8544." | |
| exit 1 | |
| fi | |
| echo "All packages exist on npm. Trusted publishing can proceed." | |
| - name: Regenerate types from spec | |
| run: bun run generate | |
| - name: Spec drift gate | |
| run: | | |
| if ! git diff --exit-code -- specs/openapi.json packages/ui/src/types/; then | |
| echo "OpenAPI spec or generated types are stale relative to live API. Local must be in sync before release." | |
| exit 1 | |
| fi | |
| - name: Sync docs from spec | |
| run: bun run docs:sync | |
| - name: Check if spec changed | |
| id: diff | |
| run: | | |
| OLD=$(git show HEAD:specs/openapi.json 2>/dev/null | jq -cS '{paths, components}' || echo '') | |
| NEW=$(jq -cS '{paths, components}' specs/openapi.json) | |
| if [ "$OLD" = "$NEW" ]; then | |
| echo "changed=false" >> $GITHUB_OUTPUT | |
| else | |
| echo "changed=true" >> $GITHUB_OUTPUT | |
| fi | |
| - name: Lint | |
| if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch' | |
| run: bun run check | |
| - name: Typecheck | |
| if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch' | |
| run: bun run typecheck | |
| - name: Build | |
| if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch' | |
| run: bun run build | |
| - name: Unit tests | |
| if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch' | |
| run: bun run test | |
| - name: Provision Playwright browsers from MCR image (bypass cdn.playwright.dev) | |
| if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch' | |
| # cdn.playwright.dev browser-binary downloads stall from GitHub runners | |
| # (the binaries never finish, hanging the job). Pull the exact matching | |
| # browsers from the official Playwright image on Microsoft Container | |
| # Registry instead, then copy them into the default browser cache. | |
| # install-deps is apt-only (no CDN download). Keep the image tag in | |
| # lockstep with @playwright/test in package.json (currently 1.59.1). | |
| run: | | |
| bunx playwright install-deps | |
| docker create --name pwbrowsers mcr.microsoft.com/playwright:v1.59.1-noble | |
| mkdir -p "$HOME/.cache/ms-playwright" | |
| docker cp pwbrowsers:/ms-playwright/. "$HOME/.cache/ms-playwright/" | |
| docker rm pwbrowsers | |
| ls -1 "$HOME/.cache/ms-playwright" | |
| - name: E2E tests | |
| if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch' | |
| run: bun run test:e2e | |
| - name: UI audit (no [object Object], no empty-state drift) | |
| if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch' | |
| run: | | |
| bun run preview & | |
| PREVIEW_PID=$! | |
| for i in $(seq 1 30); do | |
| curl -sf http://localhost:3001 > /dev/null && break | |
| sleep 1 | |
| done | |
| bun run audit | |
| AUDIT_EXIT=$? | |
| kill $PREVIEW_PID 2>/dev/null || true | |
| exit $AUDIT_EXIT | |
| - name: Bump versions and rebuild | |
| id: bump | |
| if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch' | |
| run: | | |
| BUMP="${{ github.event.inputs.version_bump || 'patch' }}" | |
| bump() { | |
| local file="$1/package.json" | |
| local current new | |
| current=$(jq -r '.version' "$file") | |
| IFS='.' read -r MA MI PA <<< "$current" | |
| case "$BUMP" in | |
| major) MA=$((MA+1)); MI=0; PA=0 ;; | |
| minor) MI=$((MI+1)); PA=0 ;; | |
| *) PA=$((PA+1)) ;; | |
| esac | |
| new="$MA.$MI.$PA" | |
| jq --arg v "$new" '.version = $v' "$file" > "$file.tmp" && mv "$file.tmp" "$file" | |
| echo "$1 -> $new" | |
| } | |
| bump packages/ui | |
| bump packages/ui-react | |
| bump packages/ui-vue | |
| VERSION=$(jq -r '.version' packages/ui/package.json) | |
| echo "version=$VERSION" >> $GITHUB_OUTPUT | |
| bun run build | |
| # ORDER IS LOAD-BEARING: least-proven package FIRST. | |
| # | |
| # npm publishes cannot be rolled back, so a publish that dies halfway leaves | |
| # npm bumped while the repo has no version commit, no tag and no release, and | |
| # the re-run is then rejected for republishing an existing version. The | |
| # preflight above proves each package EXISTS, but it cannot prove a Trusted | |
| # Publisher is configured on it — a package can exist and still reject OIDC. | |
| # | |
| # Publishing the newest package first turns that unverifiable risk into a safe | |
| # failure: if its trust config is missing, the job dies before the established | |
| # packages are touched and nothing is published at all. Whenever a new wrapper | |
| # package is added, move it to the top of this list until it has shipped once. | |
| - name: Publish @roxyapi/ui-vue | |
| if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch' | |
| run: | | |
| npm install -g npm@latest | |
| (cd packages/ui-vue && npm publish --access public --provenance) | |
| - name: Publish @roxyapi/ui | |
| if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch' | |
| run: | | |
| (cd packages/ui && npm publish --access public --provenance) | |
| - name: Publish @roxyapi/ui-react | |
| if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch' | |
| run: | | |
| (cd packages/ui-react && npm publish --access public --provenance) | |
| - name: Commit, tag, push | |
| if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch' | |
| run: | | |
| git config user.name "github-actions[bot]" | |
| git config user.email "github-actions[bot]@users.noreply.github.com" | |
| VERSION=$(node -p "require('./packages/ui/package.json').version") | |
| # dist/ is gitignored: npm publish (above) already shipped it via the | |
| # package.json `files` allowlist. Commit only source, version bumps, | |
| # and the committed codegen (registry, manifest, docs tables). | |
| git add packages/ registry/ apps/docs/manifest.js README.md AGENTS.md | |
| git commit -m "release: v$VERSION" | |
| git tag "v$VERSION" | |
| git push --follow-tags | |
| - name: Pack npm tarballs for release assets | |
| if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch' | |
| run: | | |
| mkdir -p .release-assets | |
| (cd packages/ui && npm pack --pack-destination ../../.release-assets) | |
| (cd packages/ui-react && npm pack --pack-destination ../../.release-assets) | |
| (cd packages/ui-vue && npm pack --pack-destination ../../.release-assets) | |
| ls -la .release-assets/ | |
| - name: Create GitHub release | |
| if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch' | |
| uses: softprops/action-gh-release@v3 | |
| with: | |
| tag_name: v${{ steps.bump.outputs.version }} | |
| generate_release_notes: true | |
| make_latest: 'true' | |
| files: | | |
| .release-assets/*.tgz |