release.yml•4.21 kB
name: Release
on:
workflow_dispatch: # Allows manual triggering
jobs:
release:
name: Release to npm and GitHub
runs-on: ubuntu-latest
# Permissions needed for semantic-release to commit/tag/release
permissions:
contents: write
issues: write
pull-requests: write
# id-token: write # Needed for OIDC trusted publishing (if not using NPM_TOKEN)
outputs:
# Output whether a new release was published
new_release_published: ${{ steps.semantic.outputs.new_release_published }}
new_release_version: ${{ steps.semantic.outputs.new_release_version }}
steps:
- name: Checkout code
# Need fetch-depth: 0 for semantic-release to analyze all relevant commits
# and commit package.json/CHANGELOG.md changes
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: ">=20.0.0" # Match engines requirement in package.json
registry-url: "https://registry.npmjs.org" # Specify npm registry
cache: "npm"
- name: Install dependencies
run: npm ci
- name: Run build
run: npm run build
env:
POSTHOG_API_KEY: ${{ secrets.POSTHOG_API_KEY }}
- name: Run semantic-release
id: semantic # Give step an ID to reference its outputs
uses: cycjimmy/semantic-release-action@v4
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
docker_publish:
name: Build and Push Docker Image to GHCR
# Run only after the release job completes successfully
needs: release
# Run only if semantic-release actually published a new version
if: needs.release.outputs.new_release_published == 'true'
runs-on: ubuntu-latest
permissions:
contents: read # Needed to check out the code
packages: write # Needed to push Docker image to GHCR
attestations: write # Needed for build attestations
id-token: write # Needed for OIDC (good practice)
steps:
- name: Checkout code
# Checkout the specific commit tagged by semantic-release
uses: actions/checkout@v4
with:
# Use the tag name determined by the release job
ref: v${{ needs.release.outputs.new_release_version }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: ghcr.io/${{ github.repository }}
# Use the version from the semantic-release output
tags: |
type=raw,value=${{ needs.release.outputs.new_release_version }} # e.g., v1.4.1
type=semver,pattern={{version}},value=${{ needs.release.outputs.new_release_version }} # e.g., 1.4.1
type=semver,pattern=v{{major}}.{{minor}},value=${{ needs.release.outputs.new_release_version }} # e.g., v1.4
type=semver,pattern=v{{major}},value=${{ needs.release.outputs.new_release_version }} # e.g., v1
type=raw,value=latest,enable=true # Always tag latest on main branch release
- name: Build and push Docker image
id: push
uses: docker/build-push-action@v6
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
platforms: linux/amd64,linux/arm64 # Build for both x86_64 and arm64 (Mac Silicon)
build-args: |
POSTHOG_API_KEY=${{ secrets.POSTHOG_API_KEY }}
- name: Generate artifact attestation
uses: actions/attest-build-provenance@v1
with:
subject-name: ghcr.io/${{ github.repository }}
subject-digest: ${{ steps.push.outputs.digest }}
push-to-registry: true