ci: use OIDC trusted publishing with auto version bump #13
| name: Release | |
| on: | |
| push: | |
| branches: [main] | |
| workflow_dispatch: | |
| inputs: | |
| version_bump: | |
| description: 'Version bump type' | |
| required: true | |
| default: 'patch' | |
| type: choice | |
| options: | |
| - patch | |
| - minor | |
| - major | |
| jobs: | |
| publish: | |
| name: Build & Publish | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| id-token: write | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.GITHUB_TOKEN }} | |
| - uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: latest | |
| - uses: actions/setup-node@v4 | |
| with: | |
| node-version: '20' | |
| registry-url: 'https://registry.npmjs.org' | |
| # npm 11.5.1+ required for Trusted Publishing | |
| - name: Update npm to latest | |
| run: npm install -g npm@latest | |
| - name: Install dependencies | |
| run: bun install | |
| - name: Run tests | |
| run: bun test | |
| - name: Typecheck | |
| run: bun run typecheck | |
| - name: Build | |
| run: bun run build | |
| - name: Bump version | |
| id: version | |
| run: | | |
| git config --global user.name "github-actions[bot]" | |
| git config --global user.email "github-actions[bot]@users.noreply.github.com" | |
| git pull --rebase origin main | |
| BUMP_TYPE="${{ github.event.inputs.version_bump || 'patch' }}" | |
| npm version $BUMP_TYPE --no-git-tag-version | |
| NEW_VERSION=$(node -p "require('./package.json').version") | |
| echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT | |
| git add package.json | |
| git commit -m "chore: bump to $NEW_VERSION [skip ci]" | |
| git tag -f "v$NEW_VERSION" | |
| git push origin main --tags --force | |
| # Trusted Publishing: No NODE_AUTH_TOKEN needed! | |
| # npm CLI auto-detects OIDC and handles auth via id-token permission | |
| - name: Publish to npm | |
| run: npm publish --access public | |
| - name: Create GitHub Release | |
| run: | | |
| VERSION="v${{ steps.version.outputs.new_version }}" | |
| if gh release view "$VERSION" >/dev/null 2>&1; then | |
| gh release edit "$VERSION" --title "$VERSION" --notes "Published @morphllm/opencode-morph-plugin@${{ steps.version.outputs.new_version }}" | |
| else | |
| gh release create "$VERSION" --title "$VERSION" --notes "Published @morphllm/opencode-morph-plugin@${{ steps.version.outputs.new_version }}" | |
| fi | |
| env: | |
| GH_TOKEN: ${{ github.token }} |
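Review bot: The `Bump version` step force-pushes `main` with the workflow token (`git push origin main --tags --force`) and does so before `npm publish` runs, so a failed publish leaves a bumped commit and tag on `main` that a re-run bumps again, and any commit that lands between the `git pull --rebase` and the push is silently overwritten (`git tag -f` likewise replaces an existing tag without complaint). Drop `--force` and push the branch and tag explicitly, e.g. `git push origin main` followed by `git push origin "v$NEW_VERSION"`, and consider moving that push after the publish step so the tag only lands once the package is on the registry. Separately, `bun install`, `bun test` and the build execute third-party code inside the same job that holds `contents: write` and `id-token: write`; splitting build/test into a job with `contents: read` and granting the write permissions only to a short publish job that consumes the built artifact limits what a compromised dependency can do with those tokens. `npm install -g npm@latest` and `bun-version: latest` are also unpinned, so the release toolchain changes underneath the workflow; pinning them (the comment itself names npm 11.5.1 as the minimum) keeps releases reproducible.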