chore(ci): fix ci (#6205) #853

Workflow file for this run

.github/workflows/create-release.yml at f46272d

	name: Create Release

	on:
	workflow_dispatch:
	push:
	branches:
	- main
	- tmp_hotfix_branch

	permissions:
	contents: write
	id-token: write
	env:
	IS_HOTFIX: ${{ github.ref == 'refs/heads/tmp_hotfix_branch' }}
	IS_PRERELEASE: ${{ github.event_name == 'push' && github.ref != 'refs/heads/tmp_hotfix_branch' }}
	IS_MANUAL: ${{ contains(github.event.head_commit.message, 'chore(release)') }}
	NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_AUTH_TOKEN }}
	NX_CLOUD_AUTH_TOKEN: ${{ secrets.NX_CLOUD_AUTH_TOKEN }}

	jobs:
	create_release:
	name: Run release
	runs-on: ubuntu-latest
	outputs:
	npmTag: ${{ steps.releaseTags.outputs.npm }}
	ghTag: ${{ steps.releaseTags.outputs.gh }}
	steps:
	- name: Fetch from origin repo
	uses: actions/checkout@v4.2.2
	with:
	ref: ${{ fromJSON('["tmp_hotfix_branch", "main"]')[env.IS_HOTFIX] }}
	fetch-depth: 0
	token: ${{ secrets.GHACTIONS }}

	- uses: ./.github/actions/set-up-git
	name: Set up git user
	with:
	name: ${{ secrets.GH_NAME }}
	email: ${{ secrets.GH_EMAIL }}

	- name: Setup Node.js for trusted publishing
	uses: actions/setup-node@v4
	with:
	node-version: '22.x'
	# Don't set registry-url to avoid automatic NODE_AUTH_TOKEN setup

	- name: Update npm for trusted publishing
	run: npm install -g npm@latest

	- name: Configure npm for trusted publishing
	run: \|
	# Configure npm registry without authentication token
	npm config set registry https://registry.npmjs.org/
	# Ensure no auth token is configured
	npm config delete //registry.npmjs.org/:_authToken \|\| true

	- name: Install Corepack and Enable Yarn
	run: \|
	echo "Installing Corepack..."
	npm install -g corepack \|\| { echo 'Corepack installation failed'; exit 1; }
	echo "Corepack installed successfully."
	corepack --version
	corepack enable yarn

	- name: Get yarn cache directory path
	id: yarn-cache-dir-path
	run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT

	- name: Use the global Yarn cache if available
	uses: actions/cache@v4
	with:
	path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
	key: ${{ runner.os }}-node-22.x-yarn-${{ hashFiles('**/yarn.lock') }}
	restore-keys: \|
	${{ runner.os }}-node-22.x-yarn-

	- uses: actions/cache@v4
	id: node-modules-cache
	name: Use project node_modules cache if available
	with:
	path: '**/node_modules/'
	key: ${{ runner.os }}-22.x-node-modules-${{ hashFiles('**/yarn.lock') }}
	restore-keys: \|
	${{ runner.os }}-22.x-node-modules-

	- name: Install dependencies
	if: steps.node-modules-cache.outputs.cache-hit != 'true'
	run: yarn install --immutable

	- name: Bump Version
	id: bumpVersion
	uses: ./.github/actions/bump-version
	with:
	isManual: ${{ env.IS_MANUAL }}
	isPrerelease: ${{ env.IS_PRERELEASE }}
	isHotfix: ${{ env.IS_HOTFIX }}

	- name: Get Release Tags
	uses: ./.github/actions/release-tags
	id: releaseTags
	with:
	bumpTag: ${{ steps.bumpVersion.outputs.releaseTag }}
	bumpedVersion: ${{ steps.bumpVersion.outputs.newVersion }}

	- name: Update using lerna # Skipping push, in case something goes wrong later during build/prepare
	if: env.IS_MANUAL == 'false'
	run: \|
	npx lerna version ${{ steps.bumpVersion.outputs.newVersion }} --yes --force-publish --message="chore(release): publish %v [ci skip]" --no-push

	- run: yarn run lint
	- run: yarn run build:prod

	- name: Debug trusted publishing setup
	run: \|
	echo "=== CRITICAL: Trusted Publishing Debug Info ==="
	echo "Repository: ${{ github.repository }}"
	echo "Workflow file: ${{ github.workflow_ref }}"
	echo "Workflow name: ${{ github.workflow }}"
	echo "Job: ${{ github.job }}"
	echo "Actor: ${{ github.actor }}"
	echo "Ref: ${{ github.ref }}"
	echo "Event: ${{ github.event_name }}"
	echo ""
	echo "=== Environment Check ==="
	echo "NODE_AUTH_TOKEN: ${NODE_AUTH_TOKEN:-'(not set - good for trusted publishing)'}"
	echo "NPM_TOKEN: ${NPM_TOKEN:-'(not set - good for trusted publishing)'}"
	echo ""
	echo "=== NPM Config ==="
	npm config list
	echo ""
	echo "=== OIDC Token Test ==="
	curl -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
	"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=npm" 2>/dev/null \| jq -r '.value' \| \
	python3 -c "import sys, jwt, json; token=sys.stdin.read().strip(); print(json.dumps(jwt.decode(token, options={'verify_signature': False}), indent=2))" 2>/dev/null \|\| echo "Failed to decode OIDC token"
	echo ""

	- name: Publish packages to NPM
	run: \|
	if [ "${{ env.IS_PRERELEASE }}" = "true" ]; then
	tag="prerelease"
	elif [ "${{ env.IS_HOTFIX }}" = "true" ]; then
	tag="archive"
	else
	tag="latest"
	fi
	echo "Using npm tag: $tag"

	for package_path in dist/packages/styles dist/packages/common-css dist/packages/theming-preview dist/packages/cx; do
	if [ -f "$package_path/package.json" ]; then
	package_name=$(node -p "require('./$package_path/package.json').name")
	echo "Publishing $package_name from $package_path with tag $tag"
	cd "$package_path"

	# Try a more verbose npm publish to get better error info
	echo "Attempting to publish with full debug info..."
	npm publish --tag "$tag" --provenance --verbose \|\| {
	echo "Publish failed. Checking npm whoami and config..."
	npm whoami 2>&1 \|\| echo "npm whoami failed (expected for trusted publishing)"
	npm config list
	exit 1
	}
	cd - > /dev/null
	fi
	done

	# This step is for pushing into the main repo if version has been updated by the CI.
	# Commit is created by the lerna version command
	# This Will NOT trigger this workflow again, so it is okay
	- name: Push changes
	if: env.IS_MANUAL == 'false'
	run: git push --follow-tags

	- name: Generate Release Body
	id: generate_body
	uses: ./.github/actions/generate-conventional-release-notes

	- name: Create Release
	uses: ncipollo/release-action@v1.16.0
	with:
	prerelease: ${{ steps.bumpVersion.outputs.isPrerelease }}
	tag: v${{ steps.bumpVersion.outputs.newVersion }}
	body: ${{ steps.generate_body.outputs.generatedReleaseNotes }}
	token: ${{ secrets.GHACTIONS }}
	# This step is for pushing into the main only the version change, without anything else.
	# This is useful when user created a Hotfix, and we need to sync the version on main
	# if hotfix version is higher than latest stable and RC versions.
	- name: Update version on main
	if: env.IS_HOTFIX == 'true' && steps.releaseTags.outputs.mainNeedsSync == 'true'
	run: \|
	git checkout -f main
	npx lerna version ${{ steps.bumpVersion.outputs.newVersion }} --yes --force-publish --no-push --no-changelog --no-git-tag-version --no-changelog
	git add .
	git commit -m "chore(release): sync version after hotfix v${{ steps.bumpVersion.outputs.newVersion }} [ci skip]"
	git push origin main

	# This step is responsible for cleaning up the temporary hotfix branch
	- name: Delete Temporary hotfix branch
	if: env.IS_HOTFIX == 'true'
	run: git push origin --delete tmp_hotfix_branch
	gh_pages:
	name: Github Pages deploy
	runs-on: ubuntu-latest
	needs: create_release
	if: ${{ needs.create_release.outputs.npmTag == 'latest' }}
	steps:
	- name: Checkout
	uses: actions/checkout@v4.2.2
	with:
	ref: main # always fetch from main branch
	token: ${{ secrets.GHACTIONS }}

	- name: Setup Node.js and Cache
	uses: ./.github/actions/nodejs

	- name: Run storybook:static build
	run: npx cross-env STORYBOOK_BASE_HREF=fundamental-styles yarn run storybook:static

	- name: Publish to gh-pages
	uses: JamesIves/github-pages-deploy-action@v4.7.3
	with:
	folder: storybook-static
	token: ${{ secrets.GITHUB_TOKEN }}
	repository-name: ${{ github.repository }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(ci): fix ci (#6205) #853

Workflow file

chore(ci): fix ci (#6205) #853

Uh oh!

Workflow file for this run