Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 36 additions & 6 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ on:
version:
description: "Version to release (vX.Y.Z format)"
required: true
default: "v0.1.0"
default: "v1.0.0"
prerelease:
description: "Is this a pre-release?"
type: boolean
Expand Down Expand Up @@ -55,9 +55,19 @@ jobs:
# and don't need it.
run: git config --global --add safe.directory "$GITHUB_WORKSPACE"


- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ vars.GH_APP_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ steps.app-token.outputs.token }}
persist-credentials: true
fetch-depth: 0

- name: Get version
Expand Down Expand Up @@ -242,9 +252,19 @@ jobs:
with:
egress-policy: audit


- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ vars.GH_APP_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ steps.app-token.outputs.token }}
persist-credentials: true
fetch-depth: 0
# Use GITHUB_REF directly for tag events
ref: ${{ github.event_name == 'push' && github.ref || github.event_name == 'workflow_dispatch' && github.event.inputs.version || '' }}
Expand Down Expand Up @@ -361,10 +381,18 @@ jobs:
with:
egress-policy: audit

# Checkout main branch to get latest documentation
- name: Generate GitHub App token
id: app-token
uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
with:
app-id: ${{ vars.GH_APP_ID }}
private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}

- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ steps.app-token.outputs.token }}
persist-credentials: true
fetch-depth: 0
ref: main # Always use main branch for deployment

Expand All @@ -390,7 +418,7 @@ jobs:
publish: false
prerelease: ${{ needs.prepare.outputs.is_prerelease }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

# Create GitHub Release with all artifacts
- name: Create GitHub Release
Expand Down Expand Up @@ -439,12 +467,15 @@ jobs:
artifacts/security/euparliamentmonitor-${{ needs.prepare.outputs.version }}.spdx.json
artifacts/security/euparliamentmonitor-${{ needs.prepare.outputs.version }}.zip.intoto.jsonl
artifacts/security/euparliamentmonitor-${{ needs.prepare.outputs.version }}.spdx.json.intoto.jsonl
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

# ─── npm Publish ────────────────────────────────────────────────────
- name: Checkout release tag for npm publish

- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
token: ${{ steps.app-token.outputs.token }}
persist-credentials: true
ref: ${{ needs.prepare.outputs.version }}

- name: Setup Node.js for npm publish
Expand Down Expand Up @@ -490,7 +521,6 @@ jobs:
- name: Publish to npm with provenance
run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_CONFIG_PROVENANCE: true

- name: Verify npm package
Expand Down
Loading