Skip to content

Migrate latest-tagged web-features releases to trusted publishing #3917

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ddbeck wants to merge 9 commits into
base: main
Choose a base branch
from
+113 −130
Open

Migrate latest-tagged web-features releases to trusted publishing #3917

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
0bc33c6
Move `web-features` to trusted publishing
ddbeck Apr 1, 2026
348325c
Avoid template expansion in shell scripts
ddbeck Apr 1, 2026
4b8492e
Make permissions more explicit
ddbeck Apr 1, 2026
d5e9a4f
Duplicate `dist_tag` in `if`, since `env` is unavailable
ddbeck Apr 1, 2026
fee2e9c
Avoid `npm install` in CI
ddbeck Apr 1, 2026
583d157
Merge 'main' into 'trusted-publishing'
ddbeck May 21, 2026
70f209e
Reuse artifacts list
ddbeck May 21, 2026
675b188
Fix always truthy if conditions
ddbeck May 21, 2026
83c4494
Stop persisting credentials
ddbeck May 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
123 changes: 0 additions & 123 deletions .github/workflows/publish_next_web-features.yml
View file
Open in desktop

This file was deleted.

120 changes: 113 additions & 7 deletions .github/workflows/publish_web-features.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,54 +2,160 @@ name: Publish web-features

on:
push:
branches:
- "main"
# Tags on the form v1.2.3 are for releases. Any other tags are ignored.
tags:
- 'v[0-9]+.[0-9]+.[0-9]+'

permissions: {}

env:
package: "web-features"
package_dir: "packages/web-features"
# Publish @next for main, @latest for tags
dist_tag: ${{ case(startsWith(github.ref, 'refs/tags/'), 'latest', 'next') }}
artifacts: >
packages/web-features/data.json
data.extended.json
schemas/data.schema.json
data.proposed.json
schemas/data.proposed.schema.json

jobs:
test:
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v6
with:
persist-credentials: false
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version-file: .node-version
cache: npm
- run: npm install -g 'npm@>=11.5.1' # required for trusted publishing
- run: npm ci
- run: npm test
artifacts:
if: github.repository == 'web-platform-dx/web-features'

publish_latest:
name: Publish release
if: ${{ github.repository == 'web-platform-dx/web-features' && case(startsWith(github.ref, 'refs/tags/'), 'latest', 'next') == 'latest' }}
Copy link
Copy Markdown
Contributor

@captainbrosset captainbrosset May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe add a comment saying how the workflow runs on each push (because 'next' needs it) but this line filters only tags, for official releasing.

Also, can you explain why we need to filter on github.repository?

runs-on: ubuntu-latest
needs: "test"
permissions:
# Required to modify the release and upload release artifacts
contents: write
# Required for OIDC and trusted publishing. See:
# - https://docs.npmjs.com/trusted-publishers
# - https://docs.github.com/en/actions/concepts/security/openid-connect
id-token: write
steps:
- uses: actions/checkout@v6
with:
persist-credentials: false
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version-file: .node-version
cache: npm
registry-url: "https://registry.npmjs.org"
- run: npm ci
- run: npm run build
- run: gh release upload ${{ github.ref_name }} packages/web-features/data.json data.extended.json schemas/data.schema.json data.proposed.json schemas/data.proposed.schema.json
- run: npm publish
working-directory: ${{ env.package_dir }}
- run: gh release upload "$GITHUB_REF_NAME" $ARTIFACTS
env:
GH_TOKEN: ${{ github.token }}
publish:
if: github.repository == 'web-platform-dx/web-features'
ARTIFACTS: ${{ env.artifacts }}

publish_next:
name: Publish prerelease
if: ${{ github.repository == 'web-platform-dx/web-features' && case(startsWith(github.ref, 'refs/tags/'), 'latest', 'next') == 'next' }}
Copy link
Copy Markdown
Contributor

@captainbrosset captainbrosset May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A comment here explaining the filtering logic would be good here too.

runs-on: ubuntu-latest
needs: "test"
permissions:
# Required to modify the release and upload release artifacts
contents: write
# Required for OIDC and trusted publishing. See:
# - https://docs.npmjs.com/trusted-publishers
# - https://docs.github.com/en/actions/concepts/security/openid-connect
id-token: write
steps:
- uses: actions/checkout@v6
with:
persist-credentials: false
- name: Get timestamp and short hash
id: timestamp_and_hash
run: |
echo "TIMESTAMP=$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT
echo "SHORT_HASH=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT

- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
with:
node-version-file: .node-version
cache: npm
registry-url: "https://registry.npmjs.org"

- run: npm install -g 'npm@>=11.5.1' # required for trusted publishing
- run: npm ci

- run: npm run build
- run: npm publish

- name: Get package.json version
id: version
run: echo "VERSION=$(npm version --json | jq --arg package "$PACKAGE" --raw-output '.[$package]')" >> $GITHUB_OUTPUT
working-directory: ${{ env.package_dir }}
env:
PACKAGE: ${{ env.package }}
PACKAGE_DIR: ${{ env.package_dir }}
- run: npm ci
working-directory: ${{ env.package_dir }}
- run: npm version --no-git-tag-version "$VERSION-dev-$TIMESTAMP-$SHORT_HASH"
# The version string template is: <package.json version>-dev-<timestamp>-<commit-hash>
# Why not use SemVer build metadata with a plus sign for some of this?
# Because npm completely ignores it. 😒
working-directory: ${{ env.package_dir }}
env:
VERSION: ${{ steps.version.outputs.VERSION }}
TIMESTAMP: ${{ steps.timestamp_and_hash.outputs.TIMESTAMP }}
SHORT_HASH: ${{ steps.timestamp_and_hash.outputs.SHORT_HASH }}
- run: npm publish --tag "$DIST_TAG"
working-directory: ${{ env.package_dir }}
env:
DIST_TAG: ${{ env.dist_tag }}

- name: Set existing release to draft
run: gh release edit --draft "$TAG"
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
GH_TOKEN: ${{ github.token }}
TAG: ${{ env.dist_tag }}

- name: Update the tag
run: |
git config user.name "github-actions[bot]"
git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
Copy link
Copy Markdown
Contributor

@captainbrosset captainbrosset May 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For my own knowledge, where does this bot user email address come from? The magic number part, I mean.

git remote set-url origin "https://x-access-token:$GH_TOKEN@github.com/$GH_REPO"
git tag --force "$TAG"
git push --force origin "$TAG"
env:
GH_TOKEN: ${{ github.token }}
GH_REPO: ${{ github.repository }}
TAG: ${{ env.dist_tag }}

- name: Publish pre-release on GitHub
run: |
gh release edit \
--verify-tag \
--title "$PACKAGE@$TAG" \
--notes "$NOTES" \
--prerelease \
--draft=false \
"$TAG"
gh release upload --clobber "$TAG" $ARTIFACTS
env:
GH_TOKEN: ${{ github.token }}
PACKAGE: ${{ env.package }}
TAG: ${{ env.dist_tag }}
NOTES: This is a continuously-updated prerelease generated from `main` (currently at ${{ steps.timestamp_and_hash.outputs.SHORT_HASH }}).
ARTIFACTS: ${{ env.artifacts }}