meta: bump the storybook group with 4 updates (#8150) #111
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish Packages | |
| # This workflow publishes packages to npm when changes are merged to main branch or when manually triggered. | |
| on: | |
| push: | |
| paths: | |
| - 'packages/**' | |
| # For security reasons, this should never be set to anything but `main` | |
| branches: [main] | |
| workflow_dispatch: | |
| inputs: | |
| package: | |
| description: 'Specific package to publish (leave empty for all packages)' | |
| required: false | |
| type: string | |
| permissions: | |
| contents: read | |
| # For npm OIDC (https://docs.npmjs.com/trusted-publishers) | |
| id-token: write | |
| env: | |
| COMMIT_SHA: ${{ github.sha }} | |
| jobs: | |
| prepare-packages: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| # Output the matrix of packages to publish for use in the publish job | |
| matrix: ${{ steps.generate-matrix.outputs.matrix }} | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - name: Verify commit authenticity | |
| env: | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| # Get commit data from GitHub API to verify its authenticity | |
| COMMIT_DATA=$(gh api repos/${{ github.repository }}/commits/$COMMIT_SHA) | |
| # Check if commit signature is verified (GPG signed) | |
| VERIFIED=$(echo "$COMMIT_DATA" | jq -r '.commit.verification.verified') | |
| # Check if commit was made through GitHub's web interface (merge queue) | |
| COMMITTER=$(echo "$COMMIT_DATA" | jq -r '.commit.committer.email') | |
| # Security checks to ensure we only publish from verified and trusted sources | |
| if [[ "$VERIFIED" != "true" ]]; then | |
| echo "❌ Unverified commit! Aborting." | |
| exit 1 | |
| fi | |
| if [[ "$COMMITTER" != "[email protected]" ]]; then | |
| echo "❌ Not merged with the merge queue! Aborting." | |
| exit 1 | |
| fi | |
| echo "✅ Commit is verified and trusted." | |
| - name: Checkout repository | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| with: | |
| fetch-depth: 2 # Need at least 2 commits to detect changes between commits | |
| - name: Generate package matrix | |
| id: generate-matrix | |
| env: | |
| PACKAGE: ${{ github.event.inputs.package }} | |
| EVENT_NAME: ${{ github.event_name }} | |
| run: | | |
| if [ -n "$PACKAGE" ]; then | |
| # If a specific package is requested via workflow_dispatch, just publish that one | |
| echo "matrix={\"package\":[\"$PACKAGE\"]}" >> $GITHUB_OUTPUT | |
| else | |
| CHANGED_PACKAGES=() | |
| for pkg in $(ls -d packages/*); do | |
| PKG_NAME=$(basename "$pkg") | |
| PKG_JSON="$pkg/package.json" | |
| # Determine if the package has changed (or include all on manual trigger) | |
| if [ "$EVENT_NAME" == "workflow_dispatch" ] || ! git diff --quiet $COMMIT_SHA~1 $COMMIT_SHA -- "$pkg/"; then | |
| OLD_VERSION=$(git show $COMMIT_SHA~1:$PKG_JSON | jq -r '.version') | |
| NEW_VERSION=$(jq -r '.version' "$PKG_JSON") | |
| if [ "$OLD_VERSION" != "$NEW_VERSION" ]; then | |
| CHANGED_PACKAGES+=("$PKG_NAME") | |
| fi | |
| fi | |
| done | |
| # Format the output for GitHub Actions matrix using jq | |
| PACKAGES_JSON=$(jq -n '$ARGS.positional' --args "${CHANGED_PACKAGES[@]}" -c) | |
| echo "matrix={\"package\":$PACKAGES_JSON}" >> $GITHUB_OUTPUT | |
| fi | |
| publish: | |
| needs: prepare-packages | |
| runs-on: ubuntu-latest | |
| # Use the dynamic matrix from prepare-packages job to create parallel jobs for each package | |
| strategy: | |
| matrix: ${{ fromJson(needs.prepare-packages.outputs.matrix) }} | |
| fail-fast: false # Continue publishing other packages even if one fails | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout repository | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 | |
| - name: Set up pnpm | |
| uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| # Don't use caching here as we never install dependencies in this workflow | |
| node-version-file: '.nvmrc' | |
| registry-url: 'https://registry.npmjs.org' | |
| - name: Re-install npm | |
| # TODO: OIDC requires npm >=11.5.1. | |
| # Until Node.js v24 is LTS (with npm 11 as the default), we need to bump. | |
| run: npm install -g npm@11 | |
| - name: Publish | |
| working-directory: packages/${{ matrix.package }} | |
| run: | | |
| # Install deps | |
| pnpm install --frozen-lockfile | |
| # Check if a custom publish script exists in package.json | |
| if jq -e '.scripts.publish' package.json > /dev/null; then | |
| pnpm run publish | |
| else | |
| pnpm publish --access public --no-git-checks | |
| fi | |
| - name: Notify on Manual Release | |
| if: ${{ github.event_name == 'workflow_dispatch' }} | |
| uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # 2.3.3 | |
| env: | |
| SLACK_COLOR: '#43853D' | |
| SLACK_ICON: https://github.com/nodejs.png?size=48 | |
| SLACK_TITLE: ':rocket: Package Published: ${{ matrix.package }}' | |
| SLACK_MESSAGE: | | |
| :package: *Package*: `${{ matrix.package }}` (<https://www.npmjs.com/package/@node-core/${{ matrix.package }}|View on npm>) | |
| :bust_in_silhouette: *Published by*: ${{ github.triggering_actor }} | |
| :octocat: *Commit*: <https://github.com/${{ github.repository }}/commit/${{ env.COMMIT_SHA }}|${{ env.COMMIT_SHA }}> | |
| SLACK_USERNAME: nodejs-bot | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }} |