graphql-js/.github/workflows/release.yml at db2987cb63fffc372f413e780437ea022a649274 · graphql/graphql-js · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
name: Release
on:
  push:
    branches:
      - 16.x.x
permissions: {}
jobs:
  check-publish:
    name: Check for publish need and prepare artifacts
    # Keep this guard on every job for defense-in-depth in case job dependencies are refactored.
    if: ${{ !github.event.repository.fork && github.repository == 'graphql/graphql-js' && github.ref_name == '16.x.x' }}
    runs-on: ubuntu-latest
    outputs:
      should_publish: ${{ steps.release_metadata.outputs.should_publish }}
      tag: ${{ steps.release_metadata.outputs.tag }}
      dist_tag: ${{ steps.release_metadata.outputs.dist_tag }}
      prerelease: ${{ steps.release_metadata.outputs.prerelease }}
      tarball_name: ${{ steps.release_metadata.outputs.tarball_name }}
    concurrency:
      group: ${{ github.workflow }}-${{ github.ref_name }}
      cancel-in-progress: true
    permissions:
      contents: read # for actions/checkout
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          # Keep checkout fast: we should only need to scroll back a few
          # commits for release notes. If the release commit is older than
          # this depth, release:metadata will emit empty release notes.
          fetch-depth: 10
          persist-credentials: false

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          cache: npm
          node-version-file: '.node-version'

      - name: Install Dependencies
        run: npm ci --ignore-scripts

      - name: Read release metadata
        id: release_metadata
        run: |
          release_metadata_json="$(npm run --silent release:metadata)"
          jq -r '
            "version=\(.version)",
            "tag=\(.tag)",
            "dist_tag=\(.distTag)",
            "prerelease=\(.prerelease)",
            "package_spec=\(.packageSpec)",
            "tarball_name=\(.tarballName)",
            "should_publish=\(.shouldPublish)"
          ' <<< "${release_metadata_json}" >> "${GITHUB_OUTPUT}"
          jq -r '.releaseNotes' <<< "${release_metadata_json}" > ./release-notes.md

      - name: Log publish decision
        run: |
          if [ "${{ steps.release_metadata.outputs.should_publish }}" = "true" ]; then
            echo "${{ steps.release_metadata.outputs.package_spec }} is not published yet."
          else
            echo "${{ steps.release_metadata.outputs.package_spec }} is already published."
          fi

      - name: Build NPM package
        if: steps.release_metadata.outputs.should_publish == 'true'
        run: npm run build:npm

      - name: Pack npmDist package
        if: steps.release_metadata.outputs.should_publish == 'true'
        run: npm pack ./npmDist --pack-destination . > /dev/null

      - name: Upload npm package tarball
        if: steps.release_metadata.outputs.should_publish == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: npmDist-tarball
          path: ./${{ steps.release_metadata.outputs.tarball_name }}

      - name: Upload release notes
        if: steps.release_metadata.outputs.should_publish == 'true'
        uses: actions/upload-artifact@v4
        with:
          name: release-notes
          path: ./release-notes.md

  publish-npm:
    name: Publish npm package
    needs: check-publish
    # Keep this guard on every job for defense-in-depth in case job dependencies are refactored.
    if: ${{ !github.event.repository.fork && github.repository == 'graphql/graphql-js' && github.ref_name == '16.x.x' && needs.check-publish.outputs.should_publish == 'true' && needs.check-publish.result == 'success' }}
    runs-on: ubuntu-latest
    environment: release
    permissions:
      contents: read # keep token scopes minimal
      id-token: write # for npm trusted publishing via OIDC
    steps:
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          # npm trusted publishing requires a newer Node/npm line than 16.x.x
          # branch runtime constraints, so pin only this job to Node 24.
          node-version: 24

      - name: Download npmDist package
        uses: actions/download-artifact@v4
        with:
          name: npmDist-tarball
          path: ./artifacts

      - name: Publish npm package
        run: |
          if [ -n "${{ needs.check-publish.outputs.dist_tag }}" ]; then
            npm publish --provenance --tag "${{ needs.check-publish.outputs.dist_tag }}" "./artifacts/${{ needs.check-publish.outputs.tarball_name }}"
          else
            npm publish --provenance "./artifacts/${{ needs.check-publish.outputs.tarball_name }}"
          fi

  create-release:
    name: Create release
    needs: check-publish
    # Keep this guard on every job for defense-in-depth in case job dependencies are refactored.
    if: ${{ !github.event.repository.fork && github.repository == 'graphql/graphql-js' && github.ref_name == '16.x.x' && needs.check-publish.outputs.should_publish == 'true' && needs.check-publish.result == 'success' }}
    runs-on: ubuntu-latest
    environment: release
    permissions:
      contents: write # for creating GitHub release
    steps:
      - name: Checkout repo
        uses: actions/checkout@v4
        with:
          persist-credentials: false

      - name: Download release notes
        uses: actions/download-artifact@v4
        with:
          name: release-notes
          path: ./artifacts

      - name: Create release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          tag="${{ needs.check-publish.outputs.tag }}"

          if gh release view "${tag}" > /dev/null 2>&1; then
            echo "GitHub release ${tag} already exists. Skipping release creation."
            exit 0
          fi

          if git ls-remote --exit-code --tags origin "refs/tags/${tag}" > /dev/null; then
            echo "Tag ${tag} already exists on origin."
          else
            git config user.name "github-actions[bot]"
            git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
            git tag -a "${tag}" "${GITHUB_SHA}" -m "${tag}"
            gh auth setup-git
            git push origin "refs/tags/${tag}"
            echo "Created annotated tag ${tag} at ${GITHUB_SHA}."
          fi

          release_notes_file="./artifacts/release-notes.md"

          if [ "${{ needs.check-publish.outputs.prerelease }}" = "true" ]; then
            gh release create "${tag}" \
              --verify-tag \
              --title "${tag}" \
              --notes-file "${release_notes_file}" \
              --prerelease
          else
            gh release create "${tag}" \
              --verify-tag \
              --title "${tag}" \
              --notes-file "${release_notes_file}"
          fi