Publish NPM Package #7
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish NPM Package | |
| on: | |
| push: | |
| tags: | |
| - 'v*' | |
| workflow_dispatch: # temporary: for testing | |
| jobs: | |
| # Build job - no id-token permission (security: isolate build from publish) | |
| build: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '22' | |
| cache: 'yarn' | |
| - name: Install dependencies | |
| run: yarn install --frozen-lockfile | |
| - name: Run lint | |
| run: yarn lint | |
| - name: TypeScript check | |
| run: yarn tsc | |
| - name: Run tests | |
| run: yarn test --ci | |
| - name: Build package | |
| run: yarn build | |
| - name: Upload build artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: dist | |
| path: dist/ | |
| # Publish job - has id-token permission (isolated from build scripts) | |
| publish: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| permissions: | |
| id-token: write | |
| contents: read | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Download build artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: dist | |
| path: dist/ | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: '24' | |
| registry-url: 'https://registry.npmjs.org' | |
| cache: 'yarn' | |
| - name: Install dependencies | |
| run: yarn install --frozen-lockfile | |
| - name: Publish to NPM | |
| run: npm publish --access public --provenance |