mirror of
https://github.com/pnpm/pnpm.git
synced 2026-07-14 09:42:37 -04:00
Bumps the github-actions group with 11 updates in the / directory: | Package | From | To | | --- | --- | --- | | [actions/checkout](https://github.com/actions/checkout) | `6.0.3` | `7.0.0` | | [bencherdev/bencher](https://github.com/bencherdev/bencher) | `0.6.7` | `0.6.8` | | [actions/cache/restore](https://github.com/actions/cache) | `5.0.5` | `6.1.0` | | [actions/cache/save](https://github.com/actions/cache) | `5.0.5` | `6.1.0` | | [taiki-e/install-action](https://github.com/taiki-e/install-action) | `2.82.0` | `2.82.5` | | [actions/cache](https://github.com/actions/cache) | `5.0.5` | `6.1.0` | | [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) | `4.1.0` | `4.1.1` | | [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `3.0.0` | `3.0.1` | | [warpdotdev/oz-agent-action](https://github.com/warpdotdev/oz-agent-action) | `1.0.19` | `1.0.21` | | [cbrgm/mastodon-github-action](https://github.com/cbrgm/mastodon-github-action) | `2.2.1` | `2.2.2` | | [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) | `0.5.6` | `0.5.7` | Updates `actions/checkout` from 6.0.3 to 7.0.0 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v6.0.3...9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0) Updates `bencherdev/bencher` from 0.6.7 to 0.6.8 - [Release notes](https://github.com/bencherdev/bencher/releases) - [Commits](ec56bb69a7...5f9d4cf890) Updates `actions/cache/restore` from 5.0.5 to 6.1.0 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](27d5ce7f10...55cc834586) Updates `actions/cache/save` from 5.0.5 to 6.1.0 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](27d5ce7f10...55cc834586) Updates `taiki-e/install-action` from 2.82.0 to 2.82.5 - [Release notes](https://github.com/taiki-e/install-action/releases) - [Changelog](https://github.com/taiki-e/install-action/blob/main/CHANGELOG.md) - [Commits](b8cecb8356...bffeee26d4) Updates `actions/cache` from 5.0.5 to 6.1.0 - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](27d5ce7f10...55cc834586) Updates `actions/attest-build-provenance` from 4.1.0 to 4.1.1 - [Release notes](https://github.com/actions/attest-build-provenance/releases) - [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md) - [Commits](a2bbfa2537...0f67c3f485) Updates `softprops/action-gh-release` from 3.0.0 to 3.0.1 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](b430933298...718ea10b13) Updates `warpdotdev/oz-agent-action` from 1.0.19 to 1.0.21 - [Release notes](https://github.com/warpdotdev/oz-agent-action/releases) - [Commits](501d24fbf4...1922f22c00) Updates `cbrgm/mastodon-github-action` from 2.2.1 to 2.2.2 - [Release notes](https://github.com/cbrgm/mastodon-github-action/releases) - [Commits](244bbe72e6...ac2d8e8c99) Updates `zizmorcore/zizmor-action` from 0.5.6 to 0.5.7 - [Release notes](https://github.com/zizmorcore/zizmor-action/releases) - [Commits](5f14fd08f7...192e21d79a) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: bencherdev/bencher dependency-version: 0.6.8 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/cache/restore dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/cache/save dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: taiki-e/install-action dependency-version: 2.82.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: actions/cache dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: github-actions - dependency-name: actions/attest-build-provenance dependency-version: 4.1.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: softprops/action-gh-release dependency-version: 3.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: warpdotdev/oz-agent-action dependency-version: 1.0.21 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: cbrgm/mastodon-github-action dependency-version: 2.2.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions - dependency-name: zizmorcore/zizmor-action dependency-version: 0.5.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: github-actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
99 lines
4.7 KiB
YAML
99 lines
4.7 KiB
YAML
name: Release
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- "v*.*.*"
|
|
# Manual trigger for rerunning a tag release. Dispatching this workflow from a
|
|
# branch fails before publishing because release artifacts are only built on
|
|
# version tags.
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
validate-release-ref:
|
|
runs-on: ubuntu-latest
|
|
permissions: {}
|
|
steps:
|
|
- name: Validate release ref
|
|
run: |
|
|
case "${GITHUB_REF}" in
|
|
refs/tags/v*.*.*) ;;
|
|
*)
|
|
echo "::error::The release workflow must run from a version tag like v11.9.0. Current ref: ${GITHUB_REF}"
|
|
exit 1
|
|
;;
|
|
esac
|
|
|
|
release:
|
|
needs: validate-release-ref
|
|
permissions:
|
|
id-token: write # Required for OIDC
|
|
contents: write # for softprops/action-gh-release to create GitHub release
|
|
attestations: write # for actions/attest-build-provenance
|
|
# Runs on macOS so the darwin artifacts can be ad-hoc signed with native
|
|
# `codesign` (no need to build/install `ldid` on the runner) and so
|
|
# `verify-binary.mjs` can smoke-test the darwin-arm64 SEA in place — a
|
|
# macos-latest runner is Apple Silicon and can execute the arm64 binary.
|
|
# Note: this does NOT fix the darwin-x64 crash (nodejs/node#62893) — that's
|
|
# an upstream Node.js SEA bug independent of signing; see pack-app docs.
|
|
runs-on: macos-latest
|
|
environment: release
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
persist-credentials: false
|
|
- uses: garnet-org/action@2b7fc9d79b54f551b43358c27424a36064b3e078 # v2.0.2
|
|
with:
|
|
api_token: ${{ secrets.GARNET_API_TOKEN }}
|
|
- name: Install pnpm and Node
|
|
uses: pnpm/setup@77cf06832101b3ac8c65caaf76a21643936d07a4
|
|
with:
|
|
runtime: node@26.4.0
|
|
# The publish phase is split into three sequential steps to control which packages
|
|
# use trusted publishing (OIDC) vs. a static token. `pnpm publish` currently bails
|
|
# out of OIDC as soon as a static `_authToken` is configured, so the only way to
|
|
# force trusted publishing for a given package today is to run its publish in a
|
|
# step that doesn't have NPM_TOKEN set. See https://github.com/pnpm/pnpm/pull/11495
|
|
# for the longer-term fix that lets OIDC override a configured token.
|
|
- name: Publish @pnpm/exe (trusted publishing)
|
|
# No NPM_TOKEN: pnpm has no static token to short-circuit on, so it will perform
|
|
# the OIDC token exchange against npm's trusted-publishing config for `@pnpm/exe`.
|
|
# The exe artifacts must be built before the publish, so they're built here too.
|
|
run: |
|
|
pn --filter=@pnpm/exe run build-artifacts
|
|
pn --filter=@pnpm/exe publish --tag=next-11 --access=public --provenance
|
|
- name: Publish internal workspace packages (static token)
|
|
# The other workspace packages don't have trusted publishing configured on npm,
|
|
# so we still need a static token here. The token is removed from pnpm's config
|
|
# at the end of the step so it can't leak into the trusted-publishing step that
|
|
# follows (where its presence would silently downgrade `pnpm` to token publishing).
|
|
env:
|
|
# Setting the "npm_config_//registry.npmjs.org/:_authToken" env variable directly
|
|
# doesn't work — pnpm doesn't appear to pass auth tokens to child processes.
|
|
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
|
|
run: |
|
|
trap 'pn config delete "//registry.npmjs.org/:_authToken" || true' EXIT
|
|
pn config set "//registry.npmjs.org/:_authToken" "${NPM_TOKEN}"
|
|
pn publish --filter=!pnpm --filter=!@pnpm/exe --access=public --provenance
|
|
- name: Publish pnpm CLI (trusted publishing)
|
|
# No NPM_TOKEN — same rationale as the @pnpm/exe step above. This must come after
|
|
# the previous step has cleared its NPM_TOKEN from pnpm's config.
|
|
run: pn publish --filter=pnpm --tag=next-11 --access=public --provenance
|
|
- name: Copy Artifacts
|
|
run: pn copy-artifacts
|
|
- name: Attest build provenance
|
|
uses: actions/attest-build-provenance@0f67c3f4856b2e3261c31976d6725780e5e4c373 # v4.1.1
|
|
with:
|
|
subject-path: 'dist/*'
|
|
- name: Generate release description
|
|
run: pn make-release-description
|
|
- name: Release
|
|
# `gh release create` could replace this, but the release pipeline is
|
|
# sensitive and softprops/action-gh-release is widely battle-tested.
|
|
uses: softprops/action-gh-release@718ea10b132b3b2eba29c1007bb80653f286566b # v3.0.0 # zizmor: ignore[superfluous-actions]
|
|
with:
|
|
draft: true
|
|
files: dist/*
|
|
body_path: RELEASE.md
|