From 7f5d8732bb3cf3f1f8d66d53d3117e8de5815b5a Mon Sep 17 00:00:00 2001
From: seavor
Date: Sun, 24 May 2026 16:49:20 -0500
Subject: [PATCH] [Protocol] Simplify publish workflow
- Coerce Cockatrice release tags (YYYY-MM-DD-Release-X.Y.Z) to semver so npm version accepts them; hard-fail on tag-format drift.
- Replace hand-rolled npm publish with JS-DevTools/npm-publish@v4 for native skip-when-unchanged and OIDC provenance.
- Drop redundant publish flag and workflow_dispatch version input.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/protocol-publish.yml | 60 +++++++++++---------
 1 file changed, 24 insertions(+), 36 deletions(-)
diff --git a/.github/workflows/protocol-publish.yml b/.github/workflows/protocol-publish.yml
index df84c0fc4..4c690ab0f 100644
--- a/.github/workflows/protocol-publish.yml
+++ b/.github/workflows/protocol-publish.yml
@@ -11,11 +11,6 @@ on:
 - '.github/workflows/protocol-publish.yml'
 - 'libcockatrice_protocol/**'
 workflow_dispatch:
- inputs:
- version:
- description: 'Semver to publish (e.g. 15.0.0). Leave blank to dry-run only.'
- required: false
- default: ''
 concurrency:
 group: "${{ github.workflow }} @ ${{ github.ref_name }}"
@@ -31,6 +26,7 @@ jobs:
 permissions:
 contents: read
 packages: write
+ id-token: write
 steps:
 - name: Checkout
@@ -40,36 +36,24 @@ jobs:
 uses: actions/setup-node@v4
 with:
 node-version: '20'
- registry-url: 'https://npm.pkg.github.com'
- scope: '@cockatrice'
 - name: Determine package version
 id: pkgver
 shell: bash
 run: |
- case "$GITHUB_EVENT_NAME" in
- release)
- version="${{ github.event.release.tag_name }}"
- version="${version#v}"
- publish=true
- ;;
- workflow_dispatch)
- version="${{ inputs.version }}"
- if [[ -n "$version" ]]; then
- version="${version#v}"
- publish=true
- else
- version="0.0.0-manual"
- publish=false
- fi
- ;;
- *) # pull_request
- version="0.0.0-pr${{ github.event.pull_request.number }}"
- publish=false
- ;;
- esac
- echo "version=$version" >>"$GITHUB_OUTPUT"
- echo "publish=$publish" >>"$GITHUB_OUTPUT"
+ # Cockatrice stable tags: YYYY-MM-DD-Release-X.Y.Z. Non-release events get a
+ # placeholder version and the publish step is skipped.
+ tag="${{ github.event.release.tag_name }}"
+ if [[ "$GITHUB_EVENT_NAME" == "release" ]]; then
+ if [[ "$tag" =~ Release-([0-9]+\.[0-9]+\.[0-9]+)$ ]]; then
+ echo "version=${BASH_REMATCH[1]}" >>"$GITHUB_OUTPUT"
+ else
+ echo "::error::Release tag '$tag' does not end in Release-X.Y.Z; refusing to publish."
+ exit 1
+ fi
+ else
+ echo "version=0.0.0-dryrun" >>"$GITHUB_OUTPUT"
+ fi
 - name: Assemble package
 shell: bash
@@ -86,7 +70,7 @@ jobs:
 npm --prefix "$pkg" version --no-git-tag-version --allow-same-version "$PKG_VERSION"
 - name: Pack and inspect (dry-run)
- if: ${{ steps.pkgver.outputs.publish != 'true' }}
+ if: ${{ github.event_name != 'release' }}
 working-directory: build/protocol-package
 run: |
 npm pack
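Review bot: `tag="${{ github.event.release.tag_name }}"` still interpolates the release tag into the shell script text before the `Release-X.Y.Z` regex runs, so the regex validates a value that has already been evaluated by bash; git ref names may contain `$`, backquotes, `;` and quotes, which is the pattern CodeQL reports as actions script injection, and the removed `version=` line had the same shape, so the rewrite keeps rather than introduces it. Pass the value through the step environment instead: add `env:` with `RELEASE_TAG: ${{ github.event.release.tag_name }}` to the `Determine package version` step and read it as `tag="$RELEASE_TAG"`, which makes the regex a real gate on the untrusted string. Creating a release requires write access, so the exposure is to a compromised or careless maintainer account rather than to outside contributors, but the fix costs two lines. The whole step is inside this hunk.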
@@ -94,8 +78,12 @@ jobs:
 tar -tzf ./*.tgz | sort
 - name: Publish to GitHub Packages
- if: ${{ steps.pkgver.outputs.publish == 'true' }}
- working-directory: build/protocol-package
- env:
- NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- run: npm publish
+ if: ${{ github.event_name == 'release' }}
+ uses: JS-DevTools/npm-publish@v4
+ with:
+ package: build/protocol-package
+ registry: https://npm.pkg.github.com
+ token: ${{ secrets.GITHUB_TOKEN }}
+ access: restricted
+ provenance: true
+ strategy: upgrade
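Review bot: `uses: JS-DevTools/npm-publish@v4` hands `secrets.GITHUB_TOKEN` (a token with `packages: write` in this job) and the job's `id-token: write` to a third-party action referenced by a mutable major tag, so whatever that tag is moved to in future runs with those credentials. Pin it to a full commit SHA and keep the tag as a comment, `uses: JS-DevTools/npm-publish@<commit-sha-of-v4-release> # v4`, and let Dependabot or Renovate bump the SHA. Separately, `provenance: true` is combined with `registry: https://npm.pkg.github.com`; npm provenance attestations are a feature of the public registry and I cannot confirm from this diff that GitHub Packages accepts them, so the first real release should be watched for a publish failure from that option. `strategy: upgrade` appears to skip a release whose version is not newer than what is already published rather than failing, which matches the description but is worth a one-line comment on the step so the silent skip is not mistaken for a successful publish.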