@@ -14,8 +14,9 @@ concurrency:
1414 group : release
1515 cancel-in-progress : false
1616
17- # Minimal permissions for security
17+ # Permissions: add id-token for OIDC; keep others for PRs
1818permissions :
19+ id-token : write
1920 contents : write
2021 pull-requests : write
2122 issues : write
6162 runs-on : ubuntu-latest
6263 timeout-minutes : 45
6364 needs : quality
65+ environment : publish
6466 steps :
6567 - name : Checkout
6668 uses : actions/checkout@v4
7375 node-version : " 20"
7476 registry-url : " https://registry.npmjs.org"
7577
78+ - name : Ensure npm >= 11.5.1 for OIDC
79+ run : npm i -g npm@^11.5.1
80+
7681 - name : Enable Corepack
7782 run : corepack enable
7883
9297
9398 - name : Install dependencies
9499 run : pnpm install
100+ # If you have PRIVATE deps, uncomment and set a read-only token:
101+ # env:
102+ # NODE_AUTH_TOKEN: ${{ secrets.NPM_READ_TOKEN }}
95103
96104 - name : Cache Firebase emulators
97105 uses : actions/cache@v4
@@ -118,7 +126,6 @@ jobs:
118126 - name : Verify build outputs
119127 run : |
120128 echo "Checking build outputs..."
121- # Check all packages for dist directories
122129 MISSING_BUILDS=""
123130 for PKG_DIR in packages/*; do
124131 if [ -d "$PKG_DIR" ] && [ -f "$PKG_DIR/package.json" ]; then
@@ -128,44 +135,23 @@ jobs:
128135 fi
129136 fi
130137 done
131-
132138 if [ -n "$MISSING_BUILDS" ]; then
133139 echo "❌ Build outputs missing for: $MISSING_BUILDS"
134140 exit 1
135141 fi
136-
137142 echo "✅ All build outputs verified"
138143
139- - name : Validate changesets
140- run : |
141- set -e
142- CHANGESET_FILES=$(find .changeset -name "*.md" -type f ! -name "README.md" 2>/dev/null || true)
143-
144- if [ -z "$CHANGESET_FILES" ]; then
145- echo "❌ No changesets found!"
146- echo ""
147- echo "Please create changesets locally with: pnpm changeset"
148- echo "Changesets should be created during development, not during release."
149- exit 1
150- fi
151-
152- CHANGESET_COUNT=$(echo "$CHANGESET_FILES" | wc -l | tr -d ' ')
153- echo "✅ Found $CHANGESET_COUNT changeset(s):"
154- echo "$CHANGESET_FILES" | while read -r file; do
155- echo " - $(basename "$file")"
156- done
157-
158144 - name : Create Release Pull Request or Publish
159145 if : ${{ !inputs.dry_run }}
160146 id : changesets
161147 uses : changesets/action@v1
162148 with :
163- publish : pnpm release
149+ publish : pnpm release # runs: pnpm build && changeset publish
164150 commit : " chore: version packages"
165151 title : " chore: version packages"
166152 env :
167153 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
168- NPM_TOKEN : ${{ secrets.NPM_TOKEN }}
154+ # NPM_TOKEN removed – OIDC will be used automatically
169155
170156 - name : Dry Run - Show Changes
171157 if : ${{ inputs.dry_run }}
@@ -180,24 +166,17 @@ jobs:
180166 echo ""
181167 fi
182168 done
183-
184169 echo "📦 Version changes that would be applied:"
185- # Configure git user for changeset version command
186170 git config user.name "github-actions[bot]"
187171 git config user.email "github-actions[bot]@users.noreply.github.com"
188-
189- # Save current HEAD reference before making changes
190172 ORIGINAL_HEAD=$(git rev-parse HEAD)
191- # Create a temporary branch for dry run with unique name
192173 FALLBACK_ID=${GITHUB_RUN_ID:-$RANDOM$RANDOM}
193174 TEMP_BRANCH="dry-run-temp-$FALLBACK_ID"
194175 git checkout -b "$TEMP_BRANCH"
195176 pnpm changeset version
196-
197177 echo ""
198178 echo "🔍 Changed files:"
199179 git diff --name-status "$ORIGINAL_HEAD"
200-
201180 echo ""
202181 echo "🔍 Package version changes:"
203182 VERSION_CHANGES=$(git diff "$ORIGINAL_HEAD" -- '**/package.json' | grep -E "^[+-]\s*\"version\"" || true)
@@ -206,10 +185,7 @@ jobs:
206185 else
207186 echo "$VERSION_CHANGES"
208187 fi
209-
210- # Clean up
211188 git checkout -
212189 git branch -D "$TEMP_BRANCH"
213-
214190 echo ""
215191 echo "✅ Dry run completed successfully"
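Review bot: `id-token: write` is added to the workflow-level `permissions:` block in the first hunk, which hands an OIDC token to every job in this workflow (including the `quality` job the publish job `needs`), not only the job that runs `changeset publish`; any step or third-party action in those other jobs can then mint a token that, depending on how strictly the npm trusted-publisher policy is bound to the `publish` environment, may be exchangeable for publish rights. Scope it to the publishing job instead: reduce the top-level grant to `contents: read` and give the job that carries `environment: publish` its own `permissions:` block with `id-token: write` plus the write scopes the changesets action currently relies on, as in the excerpt below. While here, `npm i -g npm@^11.5.1` resolves a floating range at run time on every release; pin it exactly, `run: npm i -g npm@11.5.1`, so the toolchain that signs and publishes is reproducible. The publish job's header is outside the hunk, so its job key is not visible here and is shown as a placeholder.
```yaml
permissions:
  contents: read

# … unchanged: concurrency / quality job …

    # … unchanged: publish job header …
    runs-on: ubuntu-latest
    timeout-minutes: 45
    needs: quality
    environment: publish
    permissions:
      id-token: write
      contents: write
      pull-requests: write
      issues: write
    # … unchanged: steps …
```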