-
Notifications
You must be signed in to change notification settings - Fork 0
226 lines (202 loc) · 9.62 KB
/
Copy pathrelease.yml
File metadata and controls
226 lines (202 loc) · 9.62 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
name: Release
# Manual-only: pick the bump from the Actions UI, or
# gh workflow run release.yml -f version_bump=patch|minor|major
# No daily schedule on purpose. A timed cron auto-published unwanted releases on
# the WordPress plugin, so a spec change here never publishes without review.
# repository_dispatch (openapi-updated) is reserved for the planned main-app
# integration; keep it off until the manual pipeline is proven.
on:
workflow_dispatch:
inputs:
version_bump:
description: 'patch | minor | major'
required: false
default: 'patch'
# repository_dispatch:
# types: [openapi-updated]
jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
steps:
- uses: actions/checkout@v7
with:
token: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/setup-node@v6
with:
node-version: '24'
registry-url: 'https://registry.npmjs.org'
- uses: oven-sh/setup-bun@v2
- run: bun install --frozen-lockfile
# Trusted publishing (OIDC) CANNOT create a package. npmjs.com requires the
# package to already exist before a Trusted Publisher can be configured on it,
# so the first version of any new package must be pushed by a human once
# (npm/cli#8544, still open).
#
# Without this gate the run would publish @roxyapi/ui and @roxyapi/ui-react,
# THEN die on the first-ever @roxyapi/ui-vue publish. The job aborts before
# "Commit, tag, push", so npm ends up bumped while the repo has no version
# commit, no tag and no GitHub release, and the re-run is then rejected for
# republishing an existing version. Fail BEFORE anything is published instead.
- name: Preflight — every package must already exist on npm
run: |
MISSING=""
for pkg in packages/ui packages/ui-react packages/ui-vue; do
NAME=$(jq -r '.name' "$pkg/package.json")
npm view "$NAME" version >/dev/null 2>&1 || MISSING="$MISSING $NAME"
done
if [ -n "$MISSING" ]; then
echo "::error::Never published, so OIDC cannot publish it either:$MISSING"
echo "Bootstrap each package ONCE from a logged-in machine:"
echo " (cd packages/<name> && npm publish --access public)"
echo "then on npmjs.com open the package and set"
echo " Trusted Publisher -> GitHub Actions -> RoxyAPI/ui -> release.yml"
echo "Re-run this workflow afterwards. See npm/cli#8544."
exit 1
fi
echo "All packages exist on npm. Trusted publishing can proceed."
- name: Regenerate types from spec
run: bun run generate
- name: Spec drift gate
run: |
if ! git diff --exit-code -- specs/openapi.json packages/ui/src/types/; then
echo "OpenAPI spec or generated types are stale relative to live API. Local must be in sync before release."
exit 1
fi
- name: Sync docs from spec
run: bun run docs:sync
- name: Check if spec changed
id: diff
run: |
OLD=$(git show HEAD:specs/openapi.json 2>/dev/null | jq -cS '{paths, components}' || echo '')
NEW=$(jq -cS '{paths, components}' specs/openapi.json)
if [ "$OLD" = "$NEW" ]; then
echo "changed=false" >> $GITHUB_OUTPUT
else
echo "changed=true" >> $GITHUB_OUTPUT
fi
- name: Lint
if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch'
run: bun run check
- name: Typecheck
if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch'
run: bun run typecheck
- name: Build
if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch'
run: bun run build
- name: Unit tests
if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch'
run: bun run test
- name: Provision Playwright browsers from MCR image (bypass cdn.playwright.dev)
if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch'
# cdn.playwright.dev browser-binary downloads stall from GitHub runners
# (the binaries never finish, hanging the job). Pull the exact matching
# browsers from the official Playwright image on Microsoft Container
# Registry instead, then copy them into the default browser cache.
# install-deps is apt-only (no CDN download). Keep the image tag in
# lockstep with @playwright/test in package.json (currently 1.61.1).
run: |
bunx playwright install-deps
docker create --name pwbrowsers mcr.microsoft.com/playwright:v1.61.1-noble
mkdir -p "$HOME/.cache/ms-playwright"
docker cp pwbrowsers:/ms-playwright/. "$HOME/.cache/ms-playwright/"
docker rm pwbrowsers
ls -1 "$HOME/.cache/ms-playwright"
- name: E2E tests
if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch'
run: bun run test:e2e
- name: UI audit (no [object Object], no empty-state drift)
if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch'
run: |
bun run preview &
PREVIEW_PID=$!
for i in $(seq 1 30); do
curl -sf http://localhost:3001 > /dev/null && break
sleep 1
done
bun run audit
AUDIT_EXIT=$?
kill $PREVIEW_PID 2>/dev/null || true
exit $AUDIT_EXIT
- name: Bump versions and rebuild
id: bump
if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch'
run: |
BUMP="${{ github.event.inputs.version_bump || 'patch' }}"
bump() {
local file="$1/package.json"
local current new
current=$(jq -r '.version' "$file")
IFS='.' read -r MA MI PA <<< "$current"
case "$BUMP" in
major) MA=$((MA+1)); MI=0; PA=0 ;;
minor) MI=$((MI+1)); PA=0 ;;
*) PA=$((PA+1)) ;;
esac
new="$MA.$MI.$PA"
jq --arg v "$new" '.version = $v' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
echo "$1 -> $new"
}
bump packages/ui
bump packages/ui-react
bump packages/ui-vue
VERSION=$(jq -r '.version' packages/ui/package.json)
echo "version=$VERSION" >> $GITHUB_OUTPUT
bun run build
# ORDER IS LOAD-BEARING: least-proven package FIRST.
#
# npm publishes cannot be rolled back, so a publish that dies halfway leaves
# npm bumped while the repo has no version commit, no tag and no release, and
# the re-run is then rejected for republishing an existing version. The
# preflight above proves each package EXISTS, but it cannot prove a Trusted
# Publisher is configured on it — a package can exist and still reject OIDC.
#
# Publishing the newest package first turns that unverifiable risk into a safe
# failure: if its trust config is missing, the job dies before the established
# packages are touched and nothing is published at all. Whenever a new wrapper
# package is added, move it to the top of this list until it has shipped once.
- name: Publish @roxyapi/ui-vue
if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch'
run: |
npm install -g npm@latest
(cd packages/ui-vue && npm publish --access public --provenance)
- name: Publish @roxyapi/ui
if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch'
run: |
(cd packages/ui && npm publish --access public --provenance)
- name: Publish @roxyapi/ui-react
if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch'
run: |
(cd packages/ui-react && npm publish --access public --provenance)
- name: Commit, tag, push
if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch'
run: |
git config user.name "github-actions[bot]"
git config user.email "github-actions[bot]@users.noreply.github.com"
VERSION=$(node -p "require('./packages/ui/package.json').version")
# dist/ is gitignored: npm publish (above) already shipped it via the
# package.json `files` allowlist. Commit only source, version bumps,
# and the committed codegen (registry, manifest, docs tables).
git add packages/ registry/ apps/docs/manifest.js README.md AGENTS.md
git commit -m "release: v$VERSION"
git tag "v$VERSION"
git push --follow-tags
- name: Pack npm tarballs for release assets
if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch'
run: |
mkdir -p .release-assets
(cd packages/ui && npm pack --pack-destination ../../.release-assets)
(cd packages/ui-react && npm pack --pack-destination ../../.release-assets)
(cd packages/ui-vue && npm pack --pack-destination ../../.release-assets)
ls -la .release-assets/
- name: Create GitHub release
if: steps.diff.outputs.changed == 'true' || github.event_name == 'workflow_dispatch'
uses: softprops/action-gh-release@v3
with:
tag_name: v${{ steps.bump.outputs.version }}
generate_release_notes: true
make_latest: 'true'
files: |
.release-assets/*.tgz