ci: add OIDC permission for trusted publishing #557
| name: CI | |
| on: | |
| push: | |
| branches: [main, develop] | |
| pull_request: | |
| branches: [main, develop] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| test: | |
| name: Test & Build | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| node-version: [20, 22, 24] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v4 | |
| - name: Get pnpm store directory | |
| shell: bash | |
| run: | | |
| echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV | |
| - name: Setup pnpm cache | |
| uses: actions/cache@v4 | |
| with: | |
| path: ${{ env.STORE_PATH }} | |
| key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pnpm-store- | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Validate packages | |
| run: pnpm validate | |
| - name: Test CLI functionality | |
| run: | | |
| cd packages/swarm | |
| node ./bin/cli --help | |
| node ./bin/cli generate --help | |
| - name: Test MCP server functionality | |
| run: | | |
| cd packages/swarm | |
| # Test that MCP server can start and respond to basic commands | |
| timeout 5s node ./bin/mcp start || [ $? -eq 124 ] | |
| generate-changesets: | |
| name: Generate Changesets | |
| needs: test | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| permissions: | |
| contents: write | |
| env: | |
| RELEASE_COMMIT_MESSAGE: "chore: version packages" | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| token: ${{ secrets.PAT_TOKEN }} | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: 20 | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v4 | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Set Git user name and email | |
| run: | | |
| git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com" | |
| git config --global user.name "github-actions[bot]" | |
| - name: Check if latest commit is a pre-release commit | |
| id: check_release_commit | |
| env: | |
| RELEASE_COMMIT_MESSAGE: ${{ env.RELEASE_COMMIT_MESSAGE }} | |
| run: | | |
| LATEST_COMMIT=$(git log -1 --pretty=%B) | |
| # Check if latest commit is a merge commit (has 2 parents) | |
| PARENT_COUNT=$(git log -1 --format=%P | wc -w | tr -d ' ') | |
| if [[ "$PARENT_COUNT" -eq "2" ]]; then | |
| # It's a merge commit, check if it merged from changeset-release/main | |
| # GitHub merge commits contain the branch name in the message | |
| if [[ "$LATEST_COMMIT" == *"changeset-release/main"* ]]; then | |
| echo "is_release_commit=true" >> $GITHUB_OUTPUT | |
| echo "Latest commit is a release PR merge, skipping changeset generation" | |
| exit 0 | |
| fi | |
| fi | |
| # Also check if the commit message itself is a release commit | |
| if [[ "$LATEST_COMMIT" == "$RELEASE_COMMIT_MESSAGE"* ]]; then | |
| echo "is_release_commit=true" >> $GITHUB_OUTPUT | |
| echo "Latest commit is a release commit, skipping changeset generation" | |
| else | |
| echo "is_release_commit=false" >> $GITHUB_OUTPUT | |
| echo "Latest commit is not a release commit, will generate changesets" | |
| fi | |
| - name: Generate Changesets from commit messages | |
| if: steps.check_release_commit.outputs.is_release_commit != 'true' | |
| run: pnpm changeset:auto | |
| - name: Commit generated changesets | |
| if: steps.check_release_commit.outputs.is_release_commit != 'true' | |
| run: | | |
| git add .changeset | |
| if ! git diff --cached --quiet; then | |
| git commit -m "chore: add changesets for release [skip ci]" | |
| git push | |
| else | |
| echo "No changesets to commit" | |
| fi |
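Review bot: The `test:` job declares no `permissions:` block, so its GITHUB_TOKEN gets whatever default scope the repository grants, while `generate-changesets` scopes its token explicitly; a top-level `permissions:` / `  contents: read` would make every job read-only by default and leave the job-level `contents: write` as the only elevation. In `generate-changesets`, the PAT passed to `actions/checkout` via `token: ${{ secrets.PAT_TOKEN }}` is persisted into the checkout's git config by default and is therefore readable by every later step, including `pnpm install --frozen-lockfile` and any dependency lifecycle scripts it may run (whether pnpm runs them depends on the pnpm version, which this file does not pin); setting `persist-credentials: false` on that checkout and supplying the token only to the step that does `git push` would narrow that exposure. All actions are referenced by mutable tag (`@v4`) rather than a full commit SHA, which is worth tightening in a workflow being moved toward trusted publishing. The `id-token: write` grant named in the commit title does not appear anywhere in this file, so presumably it lives in a separate publish workflow; if so, it should be declared at job level on the publishing job only rather than at the top of that workflow.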