DEV - Refactor release CI workflow (#425)

Co-authored-by: gabalafou <[email protected]>
conda-incubator · Sep 23, 2024 · e611866 · e611866
1 parent 8b902ec
commit e611866
Show file tree

Hide file tree

Showing 6 changed files with 116 additions and 74 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
diff --git a/.github/workflows/javascript-tests.yml b/.github/workflows/javascript-tests.yml
@@ -12,7 +12,7 @@ on:
   pull_request:
 
 jobs:
-  build:
+  js-tests:
     runs-on: ubuntu-latest
 
     strategy:
@@ -23,7 +23,7 @@ jobs:
     steps:
       - name: "Checkout repository 🛎"
         uses: actions/checkout@v4
-      - name: Setup Node.js ${{ matrix.node-version }}
+      - name: "Setup Node.js ${{ matrix.node-version }}"
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,58 +1,141 @@
-name: Release conda-store-ui
+name: "Build and maybe release conda-store-ui"
 
 on:
-  # we want to make a release whenever a new tag is created
+  release:
+    types: [published]
   push:
-    tags:
-      - "*"
+    branches: [main]
+    tags: ["*"]
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
 
-jobs:
-  call-build:
-    uses: conda-incubator/conda-store-ui/.github/workflows/build.yml@main
+env:
+  FORCE_COLOR: "1"
+  PACKAGE_FILE: "conda-store-ui.tgz"
 
-  make-release:
+jobs:
+  # always build and verify
+  build-application:
+    name: "Build conda-store-ui"
     runs-on: ubuntu-latest
-    # ensure that the artifacts are available from the build job
-    needs: call-build
 
     steps:
       - name: "Checkout repository 🛎"
         uses: actions/checkout@v4
 
-      # Setup .npmrc file to publish to npm
       - name: "Set up Node.js 🧶"
         uses: actions/setup-node@v4
         with:
-          node-version: 18
-          registry-url: "https://registry.npmjs.org"
-          scope: "@conda-store-ui"
+          node-version: "20.x"
+          cache: "yarn"
 
       - name: "Install dependencies 📦"
         run: yarn
 
-      - name: "Lint code 🔎"
+      - name: "Lint code 🔍"
         run: yarn eslint:check
 
-      - name: "Download webpack bundle 📦"
+      - name: "Build source code (library) 🏗"
+        run: yarn run build
+
+      - name: "Build source code (web app) 🏗"
+        # ensure we use the prod target to minimise assets
+        run: yarn run webpack:prod bundle
+
+      - name: "Generate package tarball 📦"
+        run: yarn pack --filename ${{ env.PACKAGE_FILE }}
+
+      - name: "Upload package tarball 📤"
+        uses: actions/upload-artifact@v4
+        with:
+          name: conda-store-ui-package
+          path: ${{ env.PACKAGE_FILE }}
+
+  verify-build:
+    name: "Verify conda-store-ui build"
+    runs-on: ubuntu-latest
+    needs: build-application
+
+    steps:
+      - name: "Checkout repository 🛎"
+        uses: actions/checkout@v4
+
+      - name: "Download build artefacts 📦"
         uses: actions/download-artifact@v4
         with:
-          name: webpack-bundle
-          path: dist/
+          name: conda-store-ui-package
 
-      - name: "Generate package tarball 📦"
-        run: yarn pack --filename conda-store-ui.tgz
+      # (setup-node workaround https://github.com/actions/setup-node/issues/763) otherwise the authentication fails for npmjs
+      - name: "Set npmjs scope"
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          npm config delete @conda-store-ui:registry --location project
+          npm config set @conda-store-ui:registry 'https://registry.npmjs.org' --location project
+          npm config set //registry.npmjs.org/:_authToken '${NODE_AUTH_TOKEN}' --location project
 
-      - name: "Set NPM scope" #(setup-node workaround https://github.com/actions/setup-node/issues/763)
+      - name: "Check publish (dry run) 📤"
+        run: |
+          echo "Publishing dry run..."
+          npm publish --verbose --access public ${{ env.PACKAGE_FILE }} --dry-run
         env:
-          NPM_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+  release-to-npmjs:
+    name: "Release conda-store-ui to npmjs 📦"
+    runs-on: ubuntu-latest
+    needs:
+      - build-application
+      - verify-build
+    if: github.repository_owner == 'conda-incubator' && github.event_name == 'release' && startsWith(github.ref, 'refs/tags/')
+    # needed for attestations
+    permissions:
+      id-token: write
+      attestations: write
+      contents: read
+
+    steps:
+      - name: "Checkout repository 🛎"
+        uses: actions/checkout@v4
+
+      # Set registry in .npmrc and set up auth to read in from
+      # env.NODE_AUTH_TOKEN.
+      - name: "Set up Node.js 🧶"
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20.x"
+          registry-url: "https://registry.npmjs.org"
+          scope: "@conda-store-ui"
+
+      - name: "Download build artefacts 📦"
+        uses: actions/download-artifact@v4
+        with:
+          name: conda-store-ui-package
+
+      # Create an attestation with GitHub to track build provenance
+      # More info: https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds
+      - name: "Attest Build Provenance ✨"
+        uses: actions/attest-build-provenance@v1
+        if: github.repository_owner == 'conda-incubator' && github.event_name == 'release' && startsWith(github.ref, 'refs/tags/')
+        with:
+          subject-path: ${{ env.PACKAGE_FILE }}
+
+      # (setup-node workaround https://github.com/actions/setup-node/issues/763) otherwise the authentication fails for npmjs
+      - name: "Set npmjs scope"
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
           npm config delete @conda-store-ui:registry --location project
           npm config set @conda-store-ui:registry 'https://registry.npmjs.org' --location project
-          npm config set //registry.npmjs.org/:_authToken '${NPM_AUTH_TOKEN}' --location project
+          npm config set //registry.npmjs.org/:_authToken '${NODE_AUTH_TOKEN}' --location project
+
+      - name: "Check npmjs/conda-store-ui scope"
+        run: npm show
 
       - name: "Publish to npm 📤"
         run: |
-          echo "Publishing with tag ${{ env.GITHUB_REF_NAME }}"
-          npm publish --verbose --access public conda-store-ui.tgz
+          npm publish --verbose --access public ${{ env.PACKAGE_FILE }}
         env:
-          NPM_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.gitignore b/.gitignore
@@ -164,3 +164,5 @@ static
 !.yarn/sdks
 !.yarn/versions
 .pnp.*#
+
+.bun.lockb
diff --git a/RELEASE.md b/RELEASE.md
@@ -23,8 +23,8 @@
    ```
 
 > [!IMPORTANT]  
-> You need to be logged in to the npmjs registry to publish the package.
-> And have access to the conda-store npm namespace.
+> You need to be logged in to the `npmjs` registry to publish the package.
+> And have access to the `conda-store` npm namespace.
 
 1. Perform a local dry run publish:
 

diff --git a/package.json b/package.json
@@ -146,4 +146,4 @@
     "node": ">=18.0.0"
   },
   "packageManager": "[email protected]"
-}
+}