v0.3.1 — nested refs + TeamRef metadata #10
Workflow file for this run
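# Release pipeline: lint + typecheck on a Node matrix, then build and publish
# the package to the npm registry with a provenance attestation.
#
# NOTE(review): actions below are referenced by mutable major tag (@v6).
# A moved tag would change what runs in the job that builds and uploads the
# package; pinning each `uses:` to a full commit SHA (with the tag in a
# trailing comment) removes that dependency on tag integrity.
name: Publish to npm

on:
  release:
    types: [published]
  # workflow_dispatch lets operators dry-run the test matrix + gate
  # wiring without cutting a real release. The npm publish step is
  # guarded against non-release triggers below.
  workflow_dispatch:

jobs:
  # Mirror test.yml's Node matrix on the tagged commit: lint + typecheck
  # before publish. npm versions are immutable, so any gate we can apply
  # pre-upload is cheaper than publishing a broken release.
  gate:
    runs-on: ubuntu-latest
    # Least privilege: this job only reads the repository. Without an
    # explicit block it inherits the repository/organization default
    # GITHUB_TOKEN permissions, which may be broader.
    permissions:
      contents: read
    strategy:
      matrix:
        node-version: ["18", "20", "22"]
    steps:
      - uses: actions/checkout@v6
        with:
          # No later step needs git auth, and `npm ci` runs dependency
          # install scripts in this workspace; don't leave the token in
          # .git/config for them to read.
          persist-credentials: false
      - uses: actions/setup-node@v6
        with:
          node-version: ${{ matrix.node-version }}
      - run: npm ci
      - run: npm run lint
      - run: npx tsc --noEmit

  publish:
    needs: gate
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required so `npm publish --provenance` can request the OIDC token
      # used to sign the attestation.
      id-token: write
    steps:
      - uses: actions/checkout@v6
        with:
          # Same reasoning as in the gate job: nothing here pushes or
          # fetches after checkout, so the token is not persisted.
          persist-credentials: false
      - uses: actions/setup-node@v6
        with:
          node-version: "20"
          registry-url: "https://registry.npmjs.org"
      # NPM_TOKEN is deliberately not in scope for install/build; it is
      # exposed only to the publish step's env below.
      - run: npm ci
      - run: npx tsup
      - name: Publish to npm
        # Only publish on an actual release event. workflow_dispatch
        # runs through test+build as a dry run but must not upload.
        #
        # Auth: NPM_TOKEN secret. Trusted Publisher (OIDC) is registered
        # at https://www.npmjs.com/package/@sharp-api/client/access but
        # tested twice (v0.2.5, v0.2.7) — both attempts returned the
        # 404/permission-denied mask. Likely the package access mode
        # ("Require 2FA OR token") needs to flip to "disallow tokens" on
        # npm.js to fully activate OIDC. Until then NPM_TOKEN is the
        # only auth path that works. Drop NODE_AUTH_TOKEN env once OIDC
        # is confirmed publishing on a follow-up test release.
        # --provenance still emits the SLSA attestation.
        #
        # NOTE(review): while the long-lived token remains, it should be
        # a granular token limited to publishing this one package, and
        # rotated/revoked when the OIDC path takes over — confirm the
        # token's scope on npm.
        if: github.event_name == 'release'
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npm publish --provenance --access public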