Add npm trusted publishing workflow

Add GitHub Actions workflow for npm trusted publishing via OIDC. The workflow validates package version bumps on PRs with npm publish dry-runs, publishes changed workspace packages from main-xahau, and creates matching GitHub releases. Shared npm publish logic is implemented as a local composite action used by both dry-run and publish jobs.
2026-06-03 08:46:40 +00:00 · 2026-05-13 12:01:45 +09:00
parent e838caaffc
commit b2046efe85
5 changed files with 218 additions and 0 deletions
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -0,0 +1,87 @@
+name: Publish npm packages
+
+on:
+  pull_request:
+    branches: [main-xahau]
+    paths:
+      - packages/xahau/package.json
+      - packages/xahau-address-codec/package.json
+      - packages/xahau-binary-codec/package.json
+      - packages/xahau-keypairs/package.json
+  push:
+    branches: [main-xahau]
+    paths:
+      - packages/xahau/package.json
+      - packages/xahau-address-codec/package.json
+      - packages/xahau-binary-codec/package.json
+      - packages/xahau-keypairs/package.json
+
+concurrency:
+  group: npm-publish-${{ github.ref }}
+  cancel-in-progress: false
+
+jobs:
+  dry-run:
+    name: Dry-run ${{ matrix.package.name }}
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        package:
+          - name: xahau-address-codec
+            path: packages/xahau-address-codec
+          - name: xahau-binary-codec
+            path: packages/xahau-binary-codec
+          - name: xahau-keypairs
+            path: packages/xahau-keypairs
+          - name: xahau
+            path: packages/xahau
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - name: Fetch pull request base
+        env:
+          BASE_REF: ${{ github.base_ref }}
+        run: git fetch --no-tags --depth=1 origin "$BASE_REF"
+
+      - uses: ./.github/actions/npm-publish-package
+        with:
+          package-path: ${{ matrix.package.path }}
+          base-ref: origin/${{ github.base_ref }}
+          dry-run: "true"
+
+  publish:
+    name: Publish ${{ matrix.package.name }}
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main-xahau'
+    runs-on: ubuntu-latest
+    environment: npm
+    permissions:
+      contents: write
+      id-token: write
+    strategy:
+      fail-fast: false
+      matrix:
+        package:
+          - name: xahau-address-codec
+            path: packages/xahau-address-codec
+          - name: xahau-binary-codec
+            path: packages/xahau-binary-codec
+          - name: xahau-keypairs
+            path: packages/xahau-keypairs
+          - name: xahau
+            path: packages/xahau
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - uses: ./.github/actions/npm-publish-package
+        with:
+          package-path: ${{ matrix.package.path }}
+          base-ref: ${{ github.event.before }}
+          target-commitish: ${{ github.sha }}
--- a/.github/workflows/scripts/check-npm-version-unpublished.sh
+++ b/.github/workflows/scripts/check-npm-version-unpublished.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+package_spec="$1"
+stderr_file="$(mktemp)"
+
+if npm view "$package_spec" version --registry "https://registry.npmjs.org" 2>"$stderr_file"; then
+  echo "$package_spec is already published." >&2
+  exit 1
+fi
+
+if grep -Eq "E404|404 Not Found|is not in this registry" "$stderr_file"; then
+  echo "$package_spec is not published yet."
+  exit 0
+fi
+
+cat "$stderr_file" >&2
+exit 1
--- a/.github/workflows/scripts/check-package-version-changed.sh
+++ b/.github/workflows/scripts/check-package-version-changed.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+package_path="$1"
+package_file="$package_path/package.json"
+current_version="$(jq -r .version "$package_file")"
+changed="false"
+
+if [[ -z "${BASE_REF:-}" || "${BASE_REF:-}" =~ ^0+$ ]]; then
+  BASE_REF="HEAD^"
+fi
+
+if previous_package="$(git show "$BASE_REF:$package_file" 2>/dev/null)"; then
+  previous_version="$(jq -r .version <<<"$previous_package")"
+  if [[ "$current_version" != "$previous_version" ]]; then
+    changed="true"
+  fi
+else
+  changed="true"
+fi
+
+echo "changed=$changed" >> "$GITHUB_OUTPUT"
+echo "$package_path version changed: $changed"
--- a/.github/workflows/scripts/read-package-metadata.sh
+++ b/.github/workflows/scripts/read-package-metadata.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+package_path="$1"
+package_file="$package_path/package.json"
+name="$(jq -r .name "$package_file")"
+version="$(jq -r .version "$package_file")"
+
+echo "name=$name" >> "$GITHUB_OUTPUT"
+echo "version=$version" >> "$GITHUB_OUTPUT"
+echo "tag=$name@$version" >> "$GITHUB_OUTPUT"