
Commit 5f4722a

committed
ci: publish workflow
1 parent 5256b65 commit 5f4722a


1 file changed

+9
-10
lines changed


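--- a/.github/workflows/secure_nx_release.yml
+++ b/.github/workflows/secure_nx_release.yml
@@ -34,7 +34,7 @@ jobs:
 name: Version and Publish (gated by environment)
 runs-on: ubuntu-latest
 environment:
-name: ${{ inputs['dry-run'] == 'true' && 'npm-publish-dry-run' || 'npm-publish' }}
+name: ${{ inputs.dry-run && 'npm-publish-dry-run' || 'npm-publish' }}
 
 env:
 # Default dist-tag if not provided via workflow_dispatch input
@@ -69,15 +69,15 @@ jobs:
 # Collect a one-time password (OTP) from a reviewer via the environment approval gate.
 - id: wait_for_otp
 name: Wait for npm OTP (2FA)
-if: ${{ inputs['dry-run'] != 'true' }}
-uses: step-security/wait-for-secrets@v2
+if: ${{ !inputs.dry-run }}
+uses: step-security/wait-for-secrets@v1
 with:
 secrets: |
 NPM_OTP
 timeout-minutes: 30
 
 - name: Configure npm auth
-if: ${{ inputs['dry-run'] != 'true' }}
+if: ${{ !inputs.dry-run }}
 env:
 NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
 run: |
@@ -91,15 +91,15 @@ jobs:
 
 # VERSION: updates versions, changelogs, creates git tags following nx.json releaseTag pattern.
 - name: nx release version
-if: ${{ inputs['dry-run'] != 'true' }}
+if: ${{ !inputs.dry-run }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NX_GROUP_ARG: ${{ inputs['release-group'] != '' && format('--group {0}', inputs['release-group']) || '' }}
 run: |
 npx nx release version ${NX_GROUP_ARG} --yes --verbose
 
 - name: nx release version (dry-run)
-if: ${{ inputs['dry-run'] == 'true' }}
+if: ${{ inputs.dry-run }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NX_GROUP_ARG: ${{ inputs['release-group'] != '' && format('--group {0}', inputs['release-group']) || '' }}
@@ -108,27 +108,26 @@ jobs:
 
 # Ensure version commits and tags are pushed if version step created them.
 - name: Push version commits and tags
-if: ${{ inputs['dry-run'] != 'true' }}
+if: ${{ !inputs.dry-run }}
 run: |
 # Push commits (if any) and tags created by Nx Release
 git push --follow-tags || true
 
 # PUBLISH: perform npm publish using Nx Release, with 2FA OTP and provenance.
 - name: nx release publish
-if: ${{ inputs['dry-run'] != 'true' }}
+if: ${{ !inputs.dry-run }}
 env:
 NPM_CONFIG_OTP: ${{ steps.wait_for_otp.outputs.NPM_OTP }}
 # For npm provenance via OIDC
 NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
-env:
 NX_GROUP_ARG: ${{ inputs['release-group'] != '' && format('--group {0}', inputs['release-group']) || '' }}
 run: |
 test -n "$NPM_CONFIG_OTP" || { echo "Missing NPM OTP from environment approval"; exit 1; }
 # Use Nx Release to publish all changed packages; tag controls npm dist-tag; provenance enables supply chain attestations
 npx nx release publish ${NX_GROUP_ARG} --tag "$NPM_DIST_TAG" --provenance --yes --verbose
 
 - name: nx release publish (dry-run)
-if: ${{ inputs['dry-run'] == 'true' }}
+if: ${{ inputs.dry-run }}
 env:
 NX_GROUP_ARG: ${{ inputs['release-group'] != '' && format('--group {0}', inputs['release-group']) || '' }}
 run: |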
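Review bot: `uses: step-security/wait-for-secrets@v1` in the `wait_for_otp` step references a mutable tag, and this is the step that receives `NPM_OTP` in a job that also loads `secrets.NPM_PUBLISH_TOKEN`, so whatever code the tag points to at run time executes next to both credentials. Pin the action to a full commit SHA and keep the version as a trailing comment, for example `uses: step-security/wait-for-secrets@<full-commit-sha> # v1`. The move from `@v2` to `@v1` is not explained by the commit message, so the reason is worth recording in a comment above the step. Separately, `!inputs.dry-run` is only a boolean test if the `dry-run` input is declared with `type: boolean`; that declaration and the rest of the steps list are outside the hunks shown, so confirm it, because a string `'false'` would be truthy and send every run down the dry-run path.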
