Fix npm publish workflow for trusted publishing #78
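# Builds the npm package and the Docker image and publishes both.
# Pull requests against main publish "dev" artefacts (npm tag "dev",
# Docker tags "dev-<sha>") to Artifact Registry only; pushes of v* tags
# publish release artefacts (npm tag "latest", Docker semver tags) to
# Artifact Registry and mirror the image to ghcr.io.
#
# NOTE(review): actions are pinned to mutable tags (v4, v3, v3.6.1, ...);
# pinning to a full commit SHA is the stronger supply-chain control.
name: Docker Build CI/CD

on:
  pull_request:
    branches:
      - main
  push:
    tags:
      - 'v*'

# Least-privilege GITHUB_TOKEN: the workflow only reads the repository and
# pushes images to ghcr.io; every other scope is denied.
permissions:
  contents: read
  packages: write

# Non-secret configuration only. The GCP service-account key is passed to
# the auth step directly (see below) so that it is not present in the
# environment of every step, in particular `npm ci` / `npm run build`,
# which execute code from the branch under test.
env:
  GAR_LOCATION: europe-west3
  PROJECT_ID: o1labs-192920
  REGISTRY: euro-docker-repo
  NPM_REGISTRY_LOCATION: europe-southwest1-npm.pkg.dev
  NPM_REGISTRY: euro-npm

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Checkout PR branch
        if: github.event_name == 'pull_request'
        # The branch name is user-controlled text; hand it to the script via
        # the environment instead of interpolating it into the shell source.
        env:
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          git fetch origin "$HEAD_REF"
          git checkout "$HEAD_SHA"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3.6.1

      - name: Cache Docker layers
        uses: actions/cache@v4
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2.1.5
        with:
          # Scoped to this step only; not exported as a workflow env var.
          credentials_json: ${{ secrets.GCP_SA_KEY }}

      - name: Configure Docker for Artifact Registry
        run: |
          gcloud auth configure-docker "${GAR_LOCATION}-docker.pkg.dev"

      - name: Login to GitHub Container Registry
        if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Configure npm authentication for Artifact Registry
        run: |
          # Only set authentication, not the default registry
          # This allows dependencies to install from public npm
          # The registry path is assembled from the workflow env so it cannot
          # drift from the value used by `npm publish` below.
          echo "//${NPM_REGISTRY_LOCATION}/${PROJECT_ID}/${NPM_REGISTRY}/:_authToken=$(gcloud auth print-access-token)" > .npmrc

      - name: Determine npm version
        id: determine_npm_version
        # Outputs: original_version (package.json as committed), version (what
        # will be published), needs_version_update ("true" for dev builds).
        run: |
          # Save original version BEFORE any modifications
          ORIGINAL_VERSION=$(node -p "require('./package.json').version")
          echo "original_version=${ORIGINAL_VERSION}" >> "$GITHUB_OUTPUT"
          if [[ "$GITHUB_EVENT_NAME" == "push" && "$GITHUB_REF" == refs/tags/* ]]; then
            # Release build - use version from package.json
            echo "version=${ORIGINAL_VERSION}" >> "$GITHUB_OUTPUT"
            echo "needs_version_update=false" >> "$GITHUB_OUTPUT"
            echo "Publishing release version from package.json: ${ORIGINAL_VERSION}"
          else
            # PR build - use dev version with SHA
            SHORT_SHA="${GITHUB_SHA:0:7}"
            DEV_VERSION="${ORIGINAL_VERSION}-dev.${SHORT_SHA}"
            echo "version=${DEV_VERSION}" >> "$GITHUB_OUTPUT"
            echo "needs_version_update=true" >> "$GITHUB_OUTPUT"
            echo "Publishing dev version: ${DEV_VERSION}"
          fi

      - name: Update package version for dev builds
        if: steps.determine_npm_version.outputs.needs_version_update == 'true'
        env:
          NEW_VERSION: ${{ steps.determine_npm_version.outputs.version }}
        run: |
          # The version is read from the environment rather than spliced into
          # the JS source, so an unusual version string cannot break the one-liner.
          node -e "const fs = require('fs'); const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8')); pkg.version = process.env.NEW_VERSION; fs.writeFileSync('package.json', JSON.stringify(pkg, null, 2) + '\n');"

      - name: Build npm package
        run: |
          npm ci
          npm run build

      - name: Publish to npm registry
        run: |
          NPM_REGISTRY_URL="https://${NPM_REGISTRY_LOCATION}/${PROJECT_ID}/${NPM_REGISTRY}/"
          if [[ "$GITHUB_EVENT_NAME" == "push" && "$GITHUB_REF" == refs/tags/* ]]; then
            # Release version - publish with 'latest' tag
            NPM_TAG=latest
          else
            # Dev version - publish with 'dev' tag
            NPM_TAG=dev
          fi
          npm publish --registry="$NPM_REGISTRY_URL" --tag "$NPM_TAG"

      - name: Restore original package version for dev builds
        if: always() && steps.determine_npm_version.outputs.needs_version_update == 'true'
        env:
          ORIGINAL_VERSION: ${{ steps.determine_npm_version.outputs.original_version }}
        run: |
          node -e "const fs = require('fs'); const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8')); pkg.version = process.env.ORIGINAL_VERSION; fs.writeFileSync('package.json', JSON.stringify(pkg, null, 2) + '\n');"

      - name: Remove npm registry credentials
        # Unconditional (release builds included) and before the Docker build:
        # .npmrc holds an access token and sits inside the build context (`.`),
        # so it must not be present when the image is built.
        if: always()
        run: |
          rm -f .npmrc

      - name: Determine tags
        id: determine_tags
        # Output: tags — comma-separated list consumed by build-push-action.
        run: |
          GCP_IMAGE="${GAR_LOCATION}-docker.pkg.dev/${PROJECT_ID}/${REGISTRY}/archive-node-api"
          GITHUB_IMAGE="ghcr.io/${GITHUB_REPOSITORY_OWNER}/archive-node-api"
          if [[ "$GITHUB_EVENT_NAME" == "push" && "$GITHUB_REF" == refs/tags/* ]]; then
            # Release build from tag (e.g., v1.2.3)
            TAG_NAME=${GITHUB_REF#refs/tags/}
            VERSION=${TAG_NAME#v} # Remove 'v' prefix
            # major.minor and major tags are added only for semantic versions;
            # match once and reuse for both registries.
            MAJOR=""
            MINOR=""
            if [[ $VERSION =~ ^([0-9]+)\.([0-9]+)\.([0-9]+) ]]; then
              MAJOR="${BASH_REMATCH[1]}"
              MINOR="${BASH_REMATCH[2]}"
            fi
            TAGS=""
            for IMAGE in "$GCP_IMAGE" "$GITHUB_IMAGE"; do
              TAGS="${TAGS:+${TAGS},}${IMAGE}:${VERSION},${IMAGE}:latest"
              if [[ -n "$MAJOR" ]]; then
                TAGS="${TAGS},${IMAGE}:${MAJOR}.${MINOR},${IMAGE}:${MAJOR}"
              fi
            done
            echo "tags=${TAGS}" >> "$GITHUB_OUTPUT"
            echo "Building release tags for GCP and GitHub: ${TAGS}"
          else
            # PR build - use dev tags with SHA (GCP only)
            SHORT_SHA="${GITHUB_SHA:0:7}"
            FULL_TAG="${GCP_IMAGE}:dev-${GITHUB_SHA}"
            SHORT_TAG="${GCP_IMAGE}:dev-${SHORT_SHA}"
            echo "tags=${FULL_TAG},${SHORT_TAG}" >> "$GITHUB_OUTPUT"
            echo "Building dev tags (GCP only): ${FULL_TAG},${SHORT_TAG}"
          fi

      - name: Build and push Docker image
        uses: docker/build-push-action@v6.7.0
        with:
          context: .
          push: true
          tags: ${{ steps.determine_tags.outputs.tags }}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max

      - name: Move cache
        # Replace the restored cache with the one produced by this build so the
        # cache does not grow without bound across runs.
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache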