Use npm trusted publishing for releases #7
Workflow file for this run
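# Release workflow: builds the package and publishes it to npm.
# No npm token appears in this file; authentication presumably relies on the
# GitHub OIDC token (id-token: write) and a trusted-publisher configuration
# on the npm side.
#
# NOTE(review): the actions below are referenced by mutable tag (@v4). In a job
# that can mint an OIDC token for publishing, pin each one to a full commit
# SHA, e.g. `uses: actions/checkout@<full-commit-sha> # v4`.
name: Publish

on:
  # Manual runs skip the tag/version check further down (it is gated on
  # push events), so a dispatch publishes whatever version package.json holds
  # on the selected ref.
  # NOTE(review): confirm the npm-publish environment restricts which refs and
  # reviewers may deploy.
  workflow_dispatch:
  push:
    tags:
      - "v*"

# One publish per ref at a time; a running publish is never cancelled midway.
concurrency:
  group: publish-${{ github.ref }}
  cancel-in-progress: false

jobs:
  publish:
    name: Publish npm package
    runs-on: ubuntu-latest
    # Deployment environment; any protection rules configured on it gate this job.
    environment: npm-publish
    # Least privilege: read the repository, and request an OIDC token.
    permissions:
      contents: read
      id-token: write
    env:
      FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: "true"
      TURBO_TELEMETRY_DISABLED: "1"
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          # No later step pushes or fetches, so do not leave the job token in
          # .git/config where install and build scripts could read it.
          persist-credentials: false

      # NOTE(review): npm trusted publishing (OIDC) requires npm CLI 11.5.1 or
      # newer, and Node 22 toolchains commonly bundle npm 10.x. Confirm
      # `npm --version` on the runner, or upgrade npm in a dedicated step
      # before the publish step.
      - name: Setup Node
        uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm

      # Only an exact key match is restored. The prefix fallbacks
      # (restore-keys) were dropped: they allowed a release build to pick up a
      # Turbo cache saved by another workflow or an older tree, and cached task
      # outputs can end up in the published tarball.
      # NOTE(review): the stricter option is to not restore a build cache in
      # the release job at all.
      - name: Restore Turbo local cache
        uses: actions/cache@v4
        with:
          path: .turbo
          key: ${{ runner.os }}-turbo-publish-${{ hashFiles('package-lock.json', 'turbo.json', 'tsconfig*.json', 'biome.json', 'src/**', 'scripts/**', '.github/workflows/**') }}

      # npm ci installs strictly from package-lock.json.
      - name: Install dependencies
        run: npm ci

      # The tag name is read from the GITHUB_REF_NAME environment variable
      # rather than interpolated with ${{ }} into the script, so a crafted tag
      # name is treated as data, not as shell source.
      - name: Verify tag matches package version
        if: github.event_name == 'push'
        run: |
          set -euo pipefail
          PACKAGE_VERSION="$(node -p "require('./package.json').version")"
          TAG_VERSION="${GITHUB_REF_NAME#v}"
          if [ "$PACKAGE_VERSION" != "$TAG_VERSION" ]; then
            echo "Tag version $TAG_VERSION does not match package version $PACKAGE_VERSION"
            exit 1
          fi

      - name: Lint, typecheck, and build
        run: npx turbo run check:publish-safety lint typecheck build

      # Lists what would go into the tarball before anything is uploaded.
      - name: Pack dry run
        run: npx turbo run pack:dry-run

      # --provenance attaches a provenance attestation to the published
      # version; it depends on the id-token: write permission above.
      - name: Publish to npm
        run: npm publish --provenance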