feat: add tag-and-release workflow

.github/workflows/main.yml

@@ -1,3 +1,17 @@
+########################################################################################
+# The following secrets are required:
+#
+# 1. GH_ACCESS_TOKEN - A "fine-grained personal access token" generated through the
+# Github UI. It seems like these tokens are scoped to a user, rather than an
+# organisation.
+#
+# The following minimum permissions are required:
+# Read - access to metadata
+# Read & write - access to actions and code
+# 2. GH_USER_NAME - The name (not username) associated with the Git user. e.g. John Smith
+# 3. GH_USER_EMAIL - The email associated with the Git user
+# 4. NPM_TOKEN - A token for publishing to npm
+########################################################################################
 name: Continuous Build
 
 on:
@@ -29,3 +43,59 @@ jobs:
  run: pnpm install
  - name: Lint
  run: pnpm run prettier:check && pnpm run eslint:check
+
+ required-checks-passed:
+ name: All required checks passed
+ runs-on: ubuntu-latest
+ needs: [lint]
+ steps:
+ - run: exit 0
+
+ tag-and-release:
+ name: Tag and release
+ runs-on: ubuntu-latest
+ needs: required-checks-passed
+ # Only tag and release on pushes to main
+ if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+ strategy:
+ matrix:
+ node-version: [20]
+ permissions:
+ id-token: write
+ steps:
+ - name: Clone repo
+ uses: actions/checkout@v4
+ with:
+ fetch-depth: 0
+ token: ${{ secrets.GH_ACCESS_TOKEN }}
+ - name: Install pnpm
+ uses: pnpm/action-setup@v3
+ - name: Setup Node
+ uses: actions/setup-node@v4
+ with:
+ node-version: ${{ matrix.node-version }}
+ cache: 'pnpm'
+ - name: Configure Git credentials
+ run: |
+ git config --global user.name '${{ secrets.GH_USER_NAME }}'
+ git config --global user.email '${{ secrets.GH_USER_EMAIL }}'
+ - name: Install Dependencies
+ run: pnpm install
+ - name: Get package.json version
+ id: get-version
+ run: echo "version=$(cat package.json | jq -r '.version' | sed 's/^/v/')" >> $GITHUB_OUTPUT
+ - name: Validate tag
+ id: validate-tag
+ run: test "$(git tag -l '${{ steps.get-version.outputs.version }}' | awk '{print $NF}')" = "${{ steps.get-version.outputs.version }}" || echo "new-tag=true" >> $GITHUB_OUTPUT
+ - name: Tag and release on Github
+ if: ${{ steps.validate-tag.outputs.new-tag }}
+ run: pnpm run release:tag
+ env:
+ GH_ACCESS_TOKEN: ${{ secrets.GH_ACCESS_TOKEN }}
+ - name: Publish to npm
+ if: ${{ steps.validate-tag.outputs.new-tag }}
+ run: |
+ npm config set "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}"
+ pnpm publish --access public
+ env:
+ NPM_CONFIG_PROVENANCE: true

package.json

@@ -25,7 +25,8 @@
  "eslint:fix": "pnpm run eslint:check --fix",
  "prepare": "husky",
  "prettier:check": "prettier --check \"./**/*.{js,ts,md,json}\"",
- "prettier:fix": "prettier --write \"./**/*.{js,ts,md,json}\""
+ "prettier:fix": "prettier --write \"./**/*.{js,ts,md,json}\"",
+ "release:tag": "node scripts/tag-and-release.js"
  },
  "dependencies": {
  "@shopify/eslint-plugin": "^45.0.0",
@@ -48,6 +49,7 @@
  "lodash": "^4.17.21"
  },
  "devDependencies": {
+ "@api3/commons": "0.13.2",
  "@types/lodash": "^4.17.7",
  "eslint": "^8.57.1",
  "husky": "^9.1.6",