ci: harden npm trusted publishing workflow (#577) #718
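# CI for pushes to the release branches, for pull requests and for manual runs.
name: ci

on:
  push:
    branches:
      - 'main'
      - 'beta'
  # `pull_request` (not `pull_request_target`): with GitHub's default settings,
  # runs triggered from forks get a read-only token and no repository secrets.
  pull_request: {}
  workflow_dispatch:

# Default token scope for every job; the release job widens it for itself only.
permissions:
  contents: read

concurrency:
  # One group per workflow and ref, so runs for the same branch or pull
  # request are serialized.
  group: ${{ github.workflow }}-${{ github.ref }}
  # Cancel only superseded pull-request runs. Push runs on 'main'/'beta' carry
  # the release job; cancelling one while it is publishing can leave a
  # half-finished release (for example a published package without its tag),
  # so those runs are allowed to finish.
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}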
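jobs:
  # Installs, builds, tests and lints the workspace. Runs for every trigger,
  # including pull requests, with a read-only token.
  build_test:
    permissions:
      contents: read
    strategy:
      matrix:
        # Both branches of the node-version expression currently yield [24];
        # the conditional only matters once the two lists differ.
        node-version: ${{ fromJSON((github.ref == 'refs/heads/main' || github.ref == 'refs/heads/beta') && '[24]' || '[24]') }}
        # Release branches build on Linux only; every other ref also runs on
        # Windows.
        os: ${{ fromJSON((github.ref == 'refs/heads/main' || github.ref == 'refs/heads/beta') && '["ubuntu-latest"]' || '["ubuntu-latest", "windows-latest"]') }}
    runs-on: ${{ matrix.os }}
    steps:
      # NOTE(review): the actions in this job are referenced by mutable
      # major-version tags. Pinning each to a full commit SHA
      # (uses: owner/action@<full-commit-sha>) makes the executed code
      # immutable.
      - uses: actions/checkout@v6
        with:
          # This job never pushes. Not persisting the token keeps it away from
          # the dependency install scripts and test code that run below.
          persist-credentials: false
      - name: use Node.js ${{ matrix.node-version }} on ${{ matrix.os }}
        uses: actions/setup-node@v5
        with:
          node-version: ${{ matrix.node-version }}
          registry-url: 'https://registry.npmjs.org'
      # NOTE(review): `npm@latest` is resolved at run time, so the npm version
      # can change between runs without a commit.
      - name: Update npm
        run: npm install -g npm@latest
      # Unlike the release build, this install does not pass --ignore-scripts,
      # so dependency lifecycle scripts execute here (also for pull-request
      # code). The job token is limited to `contents: read`.
      - name: install
        run: npm install --force
      - name: build
        run: npm run build
        timeout-minutes: 5
      - name: test-library
        run: npm run test:testing-library
        timeout-minutes: 5
      - name: test-examples
        run: npm run test:example-app
        timeout-minutes: 5
      - name: test-examples-jest
        run: npm run test:jest-app
        timeout-minutes: 5
      - name: test-karma-examples
        run: npm run test:karma-app -- --watch=false --no-progress
        timeout-minutes: 5
      - name: lint
        run: npm run lint
        timeout-minutes: 5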
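# Job nested under `jobs:`.
  # Builds the publishable package in a job that has no write scopes and no
  # `id-token` permission, then hands it to the release job as an artifact.
  # Code executed by the install and build steps therefore cannot request an
  # OIDC token or push to the repository from this job.
  build-release-artifact:
    needs: build_test
    runs-on: ubuntu-latest
    permissions:
      contents: read
    # Only for pushes to 'main' or 'beta' in the upstream repository.
    if: ${{ github.repository == 'testing-library/angular-testing-library' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/beta') && github.event_name == 'push' }}
    steps:
      # NOTE(review): the actions in this job are referenced by mutable
      # major-version tags; a full commit SHA
      # (uses: owner/action@<full-commit-sha>) would fix the code that
      # produces the release artifact.
      - name: Checkout repo
        uses: actions/checkout@v6
        with:
          # Nothing in this job pushes, so the token is not persisted in the
          # checkout where the build tooling could read it.
          persist-credentials: false
      - name: Setup node
        uses: actions/setup-node@v5
        with:
          node-version: 24
      # NOTE(review): `npm@latest` is resolved at run time; an explicit
      # version would keep the release build toolchain stable between runs.
      - name: Update npm
        run: npm install -g npm@latest
      # --ignore-scripts: dependency lifecycle scripts are not executed during
      # the install.
      # NOTE(review): `npm ci` would install strictly from the lockfile and
      # fail on drift; confirm a lockfile is committed before switching.
      - name: Install dependencies
        run: npm install --force --ignore-scripts
      # The build itself still runs the project's build tooling, so the
      # artifact is only as trustworthy as the installed dependency tree.
      - name: 📦 Prepare package
        run: npm run build
        timeout-minutes: 5
      - name: 📦 Upload package artifact
        uses: actions/upload-artifact@v4
        with:
          name: npm-package-dist
          path: dist/@testing-library/angular
          # Fail the job instead of uploading an empty artifact.
          if-no-files-found: error
          retention-days: 7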
# Job nested under `jobs:`.
  # Publishes the package built by `build-release-artifact`. This is the only
  # job with write scopes and `id-token: write`; it has no install or build
  # step of its own and works on the downloaded artifact.
  release:
    needs: build-release-artifact
    # Only for pushes to 'main' or 'beta' in the upstream repository.
    if: ${{ github.repository == 'testing-library/angular-testing-library' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/beta') && github.event_name == 'push' }}
    runs-on: ubuntu-latest
    permissions:
      # to enable use of OIDC (npm trusted publishing and provenance)
      id-token: write
      # to create release tags (cycjimmy/semantic-release-action)
      contents: write
      # to post release that resolves an issue (cycjimmy/semantic-release-action)
      issues: write
      # to be able to comment on released pull requests
      pull-requests: write
    steps:
      - name: Checkout repo
        uses: actions/checkout@v6
      - name: Setup node
        uses: actions/setup-node@v5
        with:
          node-version: 24
          registry-url: "https://registry.npmjs.org"
      - name: 📦 Download package artifact
        uses: actions/download-artifact@v4
        with:
          name: npm-package-dist
          path: dist/@testing-library/angular
      # NOTE(review): this third-party action runs with every permission
      # granted above and is referenced by a mutable tag. Pinning it to a full
      # commit SHA (cycjimmy/semantic-release-action@<full-commit-sha>) keeps
      # a retagged release of the action from running with these scopes.
      - name: 🚀 Release
        uses: cycjimmy/semantic-release-action@v6
        # Only the workflow token is passed; no long-lived npm token appears
        # in this job.
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          semantic_version: 25
          working_directory: "./dist/@testing-library/angular"
          branches: |
            [
              'main',
              {name: 'beta', prerelease: true},
            ]