|
| 1 | +name: Release Workflow |
| 2 | + |
| 3 | +on: |
| 4 | + workflow_dispatch: |
| 5 | + inputs: |
| 6 | + dist-tag: |
| 7 | + description: "npm dist-tag to use (e.g. latest | next | canary)" |
| 8 | + required: false |
| 9 | + type: string |
| 10 | + default: next |
| 11 | + dry-run: |
| 12 | + description: "Run release steps without making changes (no git push, no publish)" |
| 13 | + required: false |
| 14 | + type: boolean |
| 15 | + default: false |
| 16 | + release-group: |
| 17 | + description: "Optional Nx release group or project to scope the release (empty = default behavior)" |
| 18 | + required: false |
| 19 | + type: string |
| 20 | + default: "" |
| 21 | + |
| 22 | +concurrency: |
| 23 | + # Avoid overlapping publishes on the same ref/branch |
| 24 | + group: nx-release-${{ github.ref }} |
| 25 | + cancel-in-progress: false |
| 26 | + |
| 27 | +permissions: |
| 28 | + contents: write # needed to push version commits and tags |
| 29 | + pull-requests: write # for changelog PRs/comments if Nx uses them |
| 30 | + id-token: write # required for npm provenance (OIDC) |
| 31 | + |
| 32 | +jobs: |
| 33 | + release: |
| 34 | + name: Version and Publish (gated by environment) |
| 35 | + runs-on: ubuntu-latest |
| 36 | + environment: |
| 37 | + name: ${{ inputs['dry-run'] == 'true' && 'npm-publish-dry-run' || 'npm-publish' }} |
| 38 | + |
| 39 | + env: |
| 40 | + # Default dist-tag if not provided via workflow_dispatch input |
| 41 | + NPM_DIST_TAG: ${{ inputs['dist-tag'] || 'next' }} |
| 42 | + # Optional: provide Nx Cloud token if used in this repo |
| 43 | + NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }} |
| 44 | + |
| 45 | + steps: |
| 46 | + - name: Harden the runner (Audit all outbound calls) |
| 47 | + uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 |
| 48 | + with: |
| 49 | + egress-policy: audit |
| 50 | + |
| 51 | + - name: Checkout repository (full history for tagging) |
| 52 | + uses: actions/checkout@v4 |
| 53 | + with: |
| 54 | + fetch-depth: 0 |
| 55 | + |
| 56 | + - name: Setup Node.js |
| 57 | + uses: actions/setup-node@v4 |
| 58 | + with: |
| 59 | + node-version: '24' |
| 60 | + registry-url: 'https://registry.npmjs.org' |
| 61 | + cache: 'npm' |
| 62 | + |
| 63 | + - name: Install dependencies |
| 64 | + run: npm ci |
| 65 | + |
| 66 | + - name: Repo setup |
| 67 | + run: npm run setup |
| 68 | + |
| 69 | + # Collect a one-time password (OTP) from a reviewer via the environment approval gate. |
| 70 | + - id: wait_for_otp |
| 71 | + name: Wait for npm OTP (2FA) |
| 72 | + if: ${{ inputs['dry-run'] != 'true' }} |
| 73 | + uses: step-security/wait-for-secrets@v2 |
| 74 | + with: |
| 75 | + secrets: | |
| 76 | + NPM_OTP |
| 77 | + timeout-minutes: 30 |
| 78 | + |
| 79 | + - name: Configure npm auth |
| 80 | + if: ${{ inputs['dry-run'] != 'true' }} |
| 81 | + env: |
| 82 | + NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }} |
| 83 | + run: | |
| 84 | + test -n "$NPM_TOKEN" || { echo "NPM_PUBLISH_TOKEN secret is required"; exit 1; } |
| 85 | + echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc |
| 86 | +
|
| 87 | + - name: Configure git user for automated commits |
| 88 | + run: | |
| 89 | + git config user.name "github-actions[bot]" |
| 90 | + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" |
| 91 | +
|
| 92 | + # VERSION: updates versions, changelogs, creates git tags following nx.json releaseTag pattern. |
| 93 | + - name: nx release version |
| 94 | + if: ${{ inputs['dry-run'] != 'true' }} |
| 95 | + env: |
| 96 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 97 | + NX_GROUP_ARG: ${{ inputs['release-group'] != '' && format('--group {0}', inputs['release-group']) || '' }} |
| 98 | + run: | |
| 99 | + npx nx release version ${NX_GROUP_ARG} --yes --verbose |
| 100 | +
|
| 101 | + - name: nx release version (dry-run) |
| 102 | + if: ${{ inputs['dry-run'] == 'true' }} |
| 103 | + env: |
| 104 | + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
| 105 | + NX_GROUP_ARG: ${{ inputs['release-group'] != '' && format('--group {0}', inputs['release-group']) || '' }} |
| 106 | + run: | |
| 107 | + npx nx release version ${NX_GROUP_ARG} --yes --verbose --dry-run |
| 108 | +
|
| 109 | + # Ensure version commits and tags are pushed if version step created them. |
| 110 | + - name: Push version commits and tags |
| 111 | + if: ${{ inputs['dry-run'] != 'true' }} |
| 112 | + run: | |
| 113 | + # Push commits (if any) and tags created by Nx Release |
| 114 | + git push --follow-tags || true |
| 115 | +
|
| 116 | + # PUBLISH: perform npm publish using Nx Release, with 2FA OTP and provenance. |
| 117 | + - name: nx release publish |
| 118 | + if: ${{ inputs['dry-run'] != 'true' }} |
| 119 | + env: |
| 120 | + NPM_CONFIG_OTP: ${{ steps.wait_for_otp.outputs.NPM_OTP }} |
| 121 | + # For npm provenance via OIDC |
| 122 | + NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }} |
| 123 | + env: |
| 124 | + NX_GROUP_ARG: ${{ inputs['release-group'] != '' && format('--group {0}', inputs['release-group']) || '' }} |
| 125 | + run: | |
| 126 | + test -n "$NPM_CONFIG_OTP" || { echo "Missing NPM OTP from environment approval"; exit 1; } |
| 127 | + # Use Nx Release to publish all changed packages; tag controls npm dist-tag; provenance enables supply chain attestations |
| 128 | + npx nx release publish ${NX_GROUP_ARG} --tag "$NPM_DIST_TAG" --provenance --yes --verbose |
| 129 | +
|
| 130 | + - name: nx release publish (dry-run) |
| 131 | + if: ${{ inputs['dry-run'] == 'true' }} |
| 132 | + env: |
| 133 | + NX_GROUP_ARG: ${{ inputs['release-group'] != '' && format('--group {0}', inputs['release-group']) || '' }} |
| 134 | + run: | |
| 135 | + npx nx release publish ${NX_GROUP_ARG} --tag "$NPM_DIST_TAG" --provenance --yes --verbose --dry-run |
| 136 | +
|
| 137 | + - name: Summary |
| 138 | + if: always() |
| 139 | + run: | |
| 140 | + echo "Nx Release completed." |
| 141 | + echo "- dist-tag: $NPM_DIST_TAG" |
| 142 | + echo "- release-group: '${{ inputs['release-group'] }}'" |
| 143 | + echo "- dry-run: ${{ inputs['dry-run'] }}" |
0 commit comments