
Publish

Publish #3

Workflow file for this run

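# Publishes the publishable npm packages through npm trusted publishing
# (OIDC), with no long-lived NPM_TOKEN. Runs on every pushed tag matching
# v*, or manually through workflow_dispatch, where dry-run defaults to true.
name: Publish

on:
  push:
    tags:
      - 'v*'
  workflow_dispatch:
    inputs:
      dry-run:
        description: 'Dry run (no actual publish)'
        type: boolean
        default: true

jobs:
  publish:
    runs-on: ubuntu-latest
    # Permissions are job-scoped, so every step below (npm ci and the nx
    # lint/test/build run included) executes with the OIDC token available.
    permissions:
      contents: read
      id-token: write # required for npm trusted publishing + provenance
    env:
      NPM_PUBLISHABLE_PROJECTS: chat,langgraph,ag-ui,render,a2ui,partial-json,licensing
    steps:
      # NOTE(review): both actions are referenced by version tag, and tags
      # can be moved. Pinning each to a full commit SHA (keeping the tag as a
      # trailing comment) fixes the code that runs in this publishing job.
      - uses: actions/checkout@v6.0.2
        with:
          # No step visible in this workflow pushes to or fetches from the
          # repository after checkout, so the token is not kept in the
          # checked-out git config.
          persist-credentials: false
      # Node 24 ships npm 11+ which fully implements npm trusted publishing
      # over OIDC. Node 22 is LTS but locked at npm 10.x, which has only
      # partial trusted-publishing support and fails OIDC on this registry.
      # The rest of CI (lint/test/build) runs on Node 22; this workflow
      # uses Node 24 specifically for the publish step.
      - uses: actions/setup-node@v6.3.0
        with:
          node-version: '24'
          cache: npm
          registry-url: 'https://registry.npmjs.org'
      # npm ci installs exactly what package-lock.json records and fails if
      # package.json and the lockfile disagree.
      - run: npm ci
      - name: Lint, test, build publishable projects
        # --skip-nx-cache forces a fresh lint/test/build for the release.
        run: npx nx run-many -t lint,test,build --projects="$NPM_PUBLISHABLE_PROJECTS" --skip-nx-cache
      # Trusted publishing is configured per-package on npm; no NPM_TOKEN needed.
      # The OIDC token from id-token: write authenticates this workflow as a
      # trusted publisher for each @ngaf/* package. Provenance attestations are
      # generated automatically.
      - name: Publish to npm
        # Real publish: any tag push, or a manual run with dry-run unchecked.
        if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.dry-run == false)
        run: npx nx release publish --groups=publishable
        env:
          # Quoted so the variable reaches npm as the string "true".
          NPM_CONFIG_PROVENANCE: 'true'
      - name: Publish to npm (dry run)
        # Manual runs with dry-run left at its default never publish.
        if: github.event_name == 'workflow_dispatch' && inputs.dry-run == true
        run: npx nx release publish --groups=publishable --dry-run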