diff --git a/.github/workflows/release-buckaroo-duckdb-node.yml b/.github/workflows/release-buckaroo-duckdb-node.yml deleted file mode 100644 index a23787c32..000000000 --- a/.github/workflows/release-buckaroo-duckdb-node.yml +++ /dev/null @@ -1,125 +0,0 @@ -name: Release npm (buckaroo-duckdb-node) - -# Standalone, manually-triggered publish for buckaroo-duckdb-node. -# -# While the package is new it is published on its own from here, NOT folded -# into the automatic release-npm job in release.yml. Version is coupled to the -# buckaroo release by convention: pass the same version the Python/PyPI release -# used (the same number buckaroo-js-core publishes at). Once the package and its -# Trusted Publisher are established, this can be merged into release.yml so it -# publishes automatically alongside buckaroo-js-core. -# -# BOOTSTRAP (one-time, before the first automated run can succeed): -# 1. The package does not yet exist on npm; Trusted Publishing cannot be -# configured on a package that does not exist. Do one manual publish to -# create it at the release version (the first will be 0.15.2): -# cd packages/buckaroo-duckdb-node && pnpm run build -# npm version 0.15.2 --no-git-tag-version --allow-same-version -# npm publish --access public -# 2. Register the npm Trusted Publisher for buckaroo-duckdb-node, matching -# this workflow exactly: -# https://www.npmjs.com/package/buckaroo-duckdb-node/access -# Owner: buckaroo-data Repository: buckaroo -# Workflow: release-buckaroo-duckdb-node.yml Environment: npm -# After that, dispatching this workflow publishes via OIDC with no token. -# -# Auth: npm Trusted Publishing via OIDC (no NPM_TOKEN secret). - -on: - workflow_dispatch: - inputs: - version: - description: "Version to publish as (must match the buckaroo release, e.g. 0.15.2)" - required: true - type: string - dry_run: - description: "Run npm publish with --dry-run (no actual publish)" - required: false - type: boolean - default: false - -permissions: - contents: read - id-token: write - -jobs: - release-npm-duckdb-node: - name: Publish buckaroo-duckdb-node to npm - # GitHub-hosted runner required: npm Trusted Publishing OIDC is only - # supported on github-hosted runners (Depot's depot-ubuntu-latest is - # treated as self-hosted and won't receive npm OIDC credentials). - runs-on: ubuntu-latest - timeout-minutes: 10 - environment: npm - steps: - - name: Checkout - uses: actions/checkout@v7 - - - name: Setup pnpm - uses: pnpm/action-setup@v6 - with: - version: 9.10.0 - - - name: Setup Node.js with npm registry - uses: actions/setup-node@v6 - with: - registry-url: 'https://registry.npmjs.org' - cache: 'pnpm' - cache-dependency-path: 'packages/pnpm-lock.yaml' - - - name: Install pnpm dependencies - working-directory: packages - run: pnpm install --frozen-lockfile - - - name: Upgrade npm to a Trusted-Publishing-capable version - # Trusted Publishing requires npm >= 11.5.1. The global npm dir - # on github-hosted runners is root-owned, so sudo is needed. - run: sudo npm install -g npm@11.5.1 - - - name: OIDC diagnostics (compare against npm Trusted Publisher config) - # Prints the values npm checks against the Trusted Publisher config on - # the package. Compare these to what's registered at - # https://www.npmjs.com/package/buckaroo-duckdb-node/access - run: | - echo "npm version: $(npm --version)" - echo "GITHUB_REPOSITORY: ${GITHUB_REPOSITORY}" - echo "GITHUB_WORKFLOW_REF: ${GITHUB_WORKFLOW_REF}" - echo "GITHUB_REF: ${GITHUB_REF}" - echo "GITHUB_REF_NAME: ${GITHUB_REF_NAME}" - echo "GITHUB_JOB: ${GITHUB_JOB}" - echo "Job environment (yaml): npm" - echo - echo "On npmjs.com the Trusted Publisher must match:" - echo " Owner: $(echo "${GITHUB_REPOSITORY}" | cut -d/ -f1)" - echo " Repository: $(echo "${GITHUB_REPOSITORY}" | cut -d/ -f2)" - echo " Workflow: $(basename "${GITHUB_WORKFLOW_REF%@*}")" - echo " Environment: npm (or leave blank if no environment configured)" - - - name: Set buckaroo-duckdb-node version to ${{ inputs.version }} - working-directory: packages/buckaroo-duckdb-node - run: npm version "${{ inputs.version }}" --no-git-tag-version --allow-same-version - - - name: Build buckaroo-duckdb-node - working-directory: packages/buckaroo-duckdb-node - run: pnpm run build - - - name: Check if version already published - id: check - run: | - VERSION="${{ inputs.version }}" - if npm view "buckaroo-duckdb-node@${VERSION}" version >/dev/null 2>&1; then - echo "buckaroo-duckdb-node@${VERSION} already on npm — skipping publish." - echo "skip=true" >> "$GITHUB_OUTPUT" - else - echo "skip=false" >> "$GITHUB_OUTPUT" - fi - - - name: Publish to npm (Trusted Publishing + provenance) - if: steps.check.outputs.skip != 'true' - working-directory: packages/buckaroo-duckdb-node - run: | - if [ "${{ inputs.dry_run }}" = "true" ]; then - npm publish --access public --provenance --dry-run --loglevel=verbose - else - npm publish --access public --provenance --loglevel=verbose - fi diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 217809586..a287f5e51 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -266,3 +266,84 @@ jobs: if: steps.check.outputs.skip != 'true' working-directory: packages/buckaroo-js-core run: npm publish --access public --provenance --loglevel=verbose + + release-npm-duckdb-node: + name: Publish buckaroo-duckdb-node to npm + needs: release + if: needs.release.result == 'success' + # GitHub-hosted runner required: npm Trusted Publishing OIDC is only + # supported on github-hosted runners (Depot's depot-ubuntu-latest is + # treated as self-hosted and won't receive npm OIDC credentials). + runs-on: ubuntu-latest + timeout-minutes: 10 + environment: npm + permissions: + contents: read + id-token: write + steps: + - name: Checkout + uses: actions/checkout@v7 + + - name: Setup pnpm + uses: pnpm/action-setup@v6 + with: + version: 9.10.0 + + - name: Setup Node.js with npm registry + uses: actions/setup-node@v6 + with: + registry-url: 'https://registry.npmjs.org' + cache: 'pnpm' + cache-dependency-path: 'packages/pnpm-lock.yaml' + + - name: Install pnpm dependencies + working-directory: packages + run: pnpm install --frozen-lockfile + + - name: Upgrade npm to a Trusted-Publishing-capable version + # Trusted Publishing requires npm >= 11.5.1. The global npm dir + # on github-hosted runners is root-owned, so sudo is needed. + run: sudo npm install -g npm@11.5.1 + + - name: OIDC diagnostics (compare against npm Trusted Publisher config) + # NOTE: the npm Trusted Publisher on npmjs.com must be configured to + # point to "release.yml" (not "release-buckaroo-duckdb-node.yml"). + # See https://www.npmjs.com/package/buckaroo-duckdb-node/access + run: | + echo "npm version: $(npm --version)" + echo "GITHUB_REPOSITORY: ${GITHUB_REPOSITORY}" + echo "GITHUB_WORKFLOW_REF: ${GITHUB_WORKFLOW_REF}" + echo "GITHUB_REF: ${GITHUB_REF}" + echo "GITHUB_REF_NAME: ${GITHUB_REF_NAME}" + echo "GITHUB_JOB: ${GITHUB_JOB}" + echo "Job environment (yaml): npm" + echo + echo "On npmjs.com the Trusted Publisher must match:" + echo " Owner: $(echo "${GITHUB_REPOSITORY}" | cut -d/ -f1)" + echo " Repository: $(echo "${GITHUB_REPOSITORY}" | cut -d/ -f2)" + echo " Workflow: $(basename "${GITHUB_WORKFLOW_REF%@*}")" + echo " Environment: npm (or leave blank if no environment configured)" + + - name: Set buckaroo-duckdb-node version to ${{ needs.release.outputs.version }} + working-directory: packages/buckaroo-duckdb-node + run: npm version "${{ needs.release.outputs.version }}" --no-git-tag-version --allow-same-version + + - name: Build buckaroo-duckdb-node + working-directory: packages/buckaroo-duckdb-node + run: pnpm run build + + - name: Check if version already published + id: check + run: | + VERSION="${{ needs.release.outputs.version }}" + if npm view "buckaroo-duckdb-node@${VERSION}" version >/dev/null 2>&1; then + echo "buckaroo-duckdb-node@${VERSION} already on npm — skipping publish." + echo "skip=true" >> "$GITHUB_OUTPUT" + else + echo "skip=false" >> "$GITHUB_OUTPUT" + fi + + - name: Publish to npm (Trusted Publishing + provenance) + if: steps.check.outputs.skip != 'true' + working-directory: packages/buckaroo-duckdb-node + run: npm publish --access public --provenance --loglevel=verbose