From 40ac1645012301d280b9828a268fe0fbfaedee55 Mon Sep 17 00:00:00 2001
From: Kevin Codex
Date: Sun, 12 Apr 2026 21:57:00 +0800
Subject: [PATCH] ci: add secure automated release workflow (#615)
* ci: add secure automated release workflow
* ci: fix release-please action pin
---
.github/workflows/release.yml | 84 +++++++++++++++++++++++++++++++++++
.release-please-manifest.json | 3 ++
release-please-config.json | 11 +++++
3 files changed, 98 insertions(+)
create mode 100644 .github/workflows/release.yml
create mode 100644 .release-please-manifest.json
create mode 100644 release-please-config.json
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
new file mode 100644
index 00000000..4248f012
--- /dev/null
+++ b/.github/workflows/release.yml
@@ -0,0 +1,84 @@
+name: Auto Release
+
+on:
+ push:
+ branches:
+ - main
+
+concurrency:
+ group: auto-release-${{ github.ref }}
+ cancel-in-progress: false
+
+jobs:
+ release-please:
+ name: Release Please
+ runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ pull-requests: write
+ outputs:
+ release_created: ${{ steps.release.outputs.release_created }}
+ tag_name: ${{ steps.release.outputs.tag_name }}
+ version: ${{ steps.release.outputs.version }}
+ steps:
+ - name: Run release-please
+ id: release
+ uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ release-type: node
+ package-name: '@gitlawb/openclaude'
+
+ publish-npm:
+ name: Publish to npm
+ needs: release-please
+ if: ${{ needs.release-please.outputs.release_created == 'true' }}
+ runs-on: ubuntu-latest
+ environment: release
+ permissions:
+ contents: read
+ id-token: write
+ steps:
+ - name: Checkout release tag
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
+ with:
+ ref: ${{ needs.release-please.outputs.tag_name }}
+ fetch-depth: 0
+
+ - name: Set up Node.js
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ with:
+ node-version: 20
+ registry-url: https://registry.npmjs.org
+
+ - name: Set up Bun
+ uses: oven-sh/setup-bun@0c5077e51419868618aeaa5fe8019c62421857d6
+ with:
+ bun-version: 1.3.11
+
+ - name: Install dependencies
+ run: bun install --frozen-lockfile
+
+ - name: Run unit tests
+ run: bun test --max-concurrency=1
+
+ - name: Smoke test
+ run: bun run smoke
+
+ - name: Build
+ run: bun run build
+
+ - name: Dry-run package
+ run: npm pack --dry-run
+
+ - name: Publish to npm
+ run: npm publish --access public --provenance
+
+ - name: Release summary
+ run: |
+ {
+ echo "## Released ${{ needs.release-please.outputs.tag_name }}"
+ echo
+ echo "- npm: https://www.npmjs.com/package/@gitlawb/openclaude"
+ echo "- GitHub: https://github.com/Gitlawb/openclaude/releases/tag/${{
needs.release-please.outputs.tag_name }}"
+ } >> "$GITHUB_STEP_SUMMARY"
diff --git a/.release-please-manifest.json b/.release-please-manifest.json
new file mode 100644
index 00000000..a46f2186
--- /dev/null
+++ b/.release-please-manifest.json
@@ -0,0 +1,3 @@
+{
+ ".": "0.1.8"
+}
diff --git a/release-please-config.json b/release-please-config.json
new file mode 100644
index 00000000..41a3040f
--- /dev/null
+++ b/release-please-config.json
@@ -0,0 +1,11 @@
+{
+ "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json",
+ "packages": {
+ ".": {
+ "release-type": "node",
+ "package-name": "@gitlawb/openclaude",
+ "bump-minor-pre-major": true,
+ "include-v-in-tag": true
+ }
+ }
+}
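Review bot: In `.github/workflows/release.yml`, the `Publish to npm` step runs `npm publish --access public --provenance` with no credential visible in the job: there is no `NODE_AUTH_TOKEN` in `env`, and token-less OIDC trusted publishing needs a newer npm CLI than the one bundled with Node 20, so the publish will likely fail authentication as written. Prefer trusted publishing over a long-lived token: add a step before publish that upgrades npm to a release that supports it (npm documents 11.5.1 as the minimum) and register this workflow and the `release` environment as the package's trusted publisher. Separately, the `Release summary` step expands `${{ needs.release-please.outputs.tag_name }}` inside the shell script; pass it through `env: TAG_NAME: ${{ needs.release-please.outputs.tag_name }}` and echo `"$TAG_NAME"` so the value is never parsed as shell. The SHA-pinned `uses:` lines would also be easier to audit with a trailing `# vX.Y.Z` comment naming the release each SHA corresponds to.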
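Review bot: `release-please-config.json` may not be read by the workflow as written: the `Run release-please` step in `.github/workflows/release.yml` passes `release-type: node`, and in release-please-action v4 (if that is what the pinned SHA corresponds to) setting that input selects the config-less mode, so `bump-minor-pre-major` and `include-v-in-tag` here, and the `0.1.8` baseline in the manifest, would be ignored. If these files are meant to drive releases, drop `release-type` and `package-name` from the step's `with:` block and, if needed, point at them explicitly with `config-file: release-please-config.json` and `manifest-file: .release-please-manifest.json`. Worth confirming on a fork before the first real release, since a wrong baseline version changes what gets tagged and published.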