flpdiff/.github/workflows/release.yml at main · dawhubapp/flpdiff · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
name: Release

on:
  push:
    tags:
      - "v*"

permissions:
  contents: write  # needed to create the GitHub Release + upload assets

jobs:
  # Build standalone binaries for each supported platform.
  # bun build --compile can cross-target from a single host, so one
  # matrix cell per target is enough; no per-OS runner required.
  build-binaries:
    name: Build ${{ matrix.target }}
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - target: bun-darwin-arm64
            artifact: flpdiff-darwin-arm64
          - target: bun-darwin-x64
            artifact: flpdiff-darwin-x64
          - target: bun-linux-x64
            artifact: flpdiff-linux-x64
          - target: bun-linux-arm64
            artifact: flpdiff-linux-arm64
          - target: bun-windows-x64
            artifact: flpdiff-windows-x64.exe
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest
      - run: bun install --frozen-lockfile
      - name: Build standalone binary
        run: |
          mkdir -p dist
          bun build src/cli.ts --compile --target=${{ matrix.target }} --outfile dist/${{ matrix.artifact }}
      - name: Upload binary artifact
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.artifact }}
          path: dist/${{ matrix.artifact }}
          if-no-files-found: error
          retention-days: 7

  # Create a GitHub Release with the tag's name and attach all binaries.
  github-release:
    name: Publish GitHub Release
    needs: build-binaries
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Download all binaries
        uses: actions/download-artifact@v4
        with:
          path: dist
          merge-multiple: true
      - name: Create Release
        uses: softprops/action-gh-release@v2
        with:
          name: ${{ github.ref_name }}
          generate_release_notes: true
          files: |
            dist/flpdiff-darwin-arm64
            dist/flpdiff-darwin-x64
            dist/flpdiff-linux-x64
            dist/flpdiff-linux-arm64
            dist/flpdiff-windows-x64.exe

  # Publish to npm via OIDC trusted publishing. The npm registry is
  # configured to trust this repository + workflow, so no NPM_TOKEN is
  # needed. Requirements:
  #   - id-token: write permission (lets Actions mint an OIDC token)
  #   - npm CLI >= 11.5 (older versions don't speak OIDC)
  #   - --provenance to also generate a provenance attestation
  npm-publish:
    name: Publish to npm
    needs: build-binaries
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: oven-sh/setup-bun@v2
        with:
          bun-version: latest
      - uses: actions/setup-node@v4
        with:
          node-version: "24"
      # Node 24 ships with npm >= 11, but we need >= 11.5 for OIDC.
      # `npm install -g npm@latest` is unreliable (in-place upgrade
      # races with the running process — promise-retry MODULE_NOT_FOUND).
      # Corepack is the Node-recommended way to swap package managers
      # cleanly: it installs into a separate cache and shims the PATH.
      - name: Ensure npm supports OIDC trusted publishing
        run: |
          corepack enable
          corepack prepare npm@latest --activate
          npm --version
      - run: bun install --frozen-lockfile
      - name: Publish
        run: npm publish --access public --provenance