# Publishes development snapshots; see the jobs below for the targets.
name: 'Dev Publish'

# Started by hand only: there is no push or pull_request trigger.
on:
  workflow_dispatch:

# Deny by default: the GITHUB_TOKEN carries no scopes at workflow level.
# A job that needs token scopes declares its own `permissions` block.
permissions: {}

# npm settings exported to every step: skip `npm audit` and funding notices.
env:
  npm_config_audit: false
  npm_config_fund: false
jobs:
  # Installs dependencies, runs the tests and uploads the files that the
  # publish jobs later download. It declares no `permissions`, so it runs
  # with the empty workflow-level token scopes and sees no secrets.
  build:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions/* steps are referenced by mutable tag,
      # while the docker/* actions in this file are pinned to a commit SHA.
      # Pinning these the same way would make the build inputs immutable.
      - name: Checkout repository
        uses: actions/checkout@v5
        with:
          # Keep the checkout token out of .git/config for later steps.
          persist-credentials: false
      - name: Set up Node.js
        uses: actions/setup-node@v5
        with:
          node-version: 24
          cache: npm
      - name: Install dependencies
        run: npm ci
      - name: Run tests
        run: npm test
        env:
          FORCE_COLOR: 3
      - name: Upload build artifact
        uses: actions/upload-artifact@v4
        with:
          # The run id ties the artifact to this workflow run.
          name: build-${{ github.run_id }}
          path: |
            build
            jsr.json
            package.json
            package-lite.json
            package-main.json
          # The artifact is only needed by the jobs of this run.
          retention-days: 1
38 version:
39 runs-on: ubuntu-latest
40 outputs:
41 v: ${{ steps.ref.outputs.ZX_VERSION }}
42 lite: ${{ steps.ref.outputs.ZX_VERSION }}-lite
43 dev: ${{ steps.ref.outputs.ZX_VERSION }}-dev.${{ steps.ref.outputs.SHA_SHORT }}
44 lite-dev: ${{ steps.ref.outputs.ZX_VERSION }}-lite-dev.${{ steps.ref.outputs.SHA_SHORT }}
45 steps:
46 - uses: actions/checkout@v5
47 with:
48 persist-credentials: false
49 - id: ref
50 run: |
51 echo SHA_SHORT=$(git rev-parse --short HEAD) >> $GITHUB_OUTPUT
52 echo ZX_VERSION=$(jq -r '.version' package.json) >> $GITHUB_OUTPUT
53
54 npm-publish:
55 needs: [build, version]
56 runs-on: ubuntu-latest
57 permissions:
58 checks: read
59 statuses: write
60 contents: write
61 packages: write
62 id-token: write
63 env:
64 GOOGLE_NPM_REGISTRY: wombat-dressing-room.appspot.com
65 GOOGLE_NPM_TOKEN: ${{ secrets.AUTH_TOKEN }}
66 GH_NPM_REGISTRY: npm.pkg.github.com
67 GH_NPM_TOKEN: ${{ secrets.GITHUB_TOKEN }}
68 ZX_VERSION: ${{ needs.version.outputs.v }}
69 ZX_DEV_VERSION: ${{ needs.version.outputs.dev }}
70 ZX_LITE_DEV_VERSION: ${{ needs.version.outputs.lite-dev }}
71 steps:
72 - uses: actions/checkout@v5
73 with:
74 persist-credentials: false
75 - uses: actions/setup-node@v5
76 with:
77 node-version: 24
78 cache: 'npm'
79 - name: Configure npmrc
80 run: |
81 echo "//${{ env.GOOGLE_NPM_REGISTRY }}/:_authToken=$GOOGLE_NPM_TOKEN" >> .npmrc
82 echo "//${{ env.GH_NPM_REGISTRY }}/:_authToken=$GH_NPM_TOKEN" >> .npmrc
83
84 - uses: actions/download-artifact@v5
85 with:
86 name: build-${{ github.run_id }}
87
88 - name: pushing lite snapshot to ${{ env.GOOGLE_NPM_REGISTRY }}
89 run: |
90 mv -f package-lite.json package.json
91 cat <<< $(jq '.version="${{ env.ZX_LITE_DEV_VERSION }}"' package.json) > package.json
92 npm publish --provenance --access=public --no-git-tag-version --tag dev --registry https://${{ env.GOOGLE_NPM_REGISTRY }}
93
94 - name: pushing to ${{ env.GOOGLE_NPM_REGISTRY }}
95 run: |
96 mv -f package-main.json package.json
97 cat <<< $(jq '.version="${{ env.ZX_DEV_VERSION }}"' package.json) > package.json
98 npm publish --provenance --access=public --no-git-tag-version --tag dev --registry https://${{ env.GOOGLE_NPM_REGISTRY }}
99
100 - name: pushing to ${{ env.GH_NPM_REGISTRY }}
101 run: |
102 cat <<< $(jq '.name="@${{ github.repository }}"' package.json) > package.json
103 npm publish --no-git-tag-version --access=public --tag dev --registry https://${{ env.GH_NPM_REGISTRY }}
104
105 jsr-publish:
106 needs: [build, version]
107 runs-on: ubuntu-latest
108 permissions:
109 contents: read
110 id-token: write
111 env:
112 ZX_DEV_VERSION: ${{ needs.version.outputs.dev }}
113 steps:
114 - uses: actions/checkout@v5
115 with:
116 persist-credentials: false
117 - uses: actions/setup-node@v5
118 with:
119 node-version: 24
120 cache: 'npm'
121 - uses: actions/download-artifact@v5
122 with:
123 name: build-${{ github.run_id }}
124 - name: pushing to jsr.io
125 run: |
126 cat <<< $(jq '.version="${{ env.ZX_DEV_VERSION }}"' jsr.json) > jsr.json
127 npx jsr publish --allow-dirty
128
129 # https://docs.github.com/en/actions/use-cases-and-examples/publishing-packages/publishing-docker-images
130 docker-publish:
131 needs: [build, version]
132 runs-on: ubuntu-latest
133 # Sets the permissions granted to the `GITHUB_TOKEN` for the actions in this job.
134 permissions:
135 contents: read
136 packages: write
137 attestations: write
138 id-token: write
139
140 # Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
141 env:
142 REGISTRY: ghcr.io
143 IMAGE_NAME: ${{ github.repository }}
144 ZX_DEV_VERSION: ${{ needs.version.outputs.dev }}
145 steps:
146 - name: Checkout repository
147 uses: actions/checkout@v5
148 with:
149 persist-credentials: false
150
151 - uses: actions/download-artifact@v5
152 with:
153 name: build-${{ github.run_id }}
154
155 # Uses the `docker/login-action` action to log in to the Container registry using the account and password that will publish the packages. Once published, the packages are scoped to the account defined here.
156 - name: Log in to the Container registry
157 uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 #v3.4.0
158 with:
159 registry: ${{ env.REGISTRY }}
160 username: ${{ github.actor }}
161 password: ${{ secrets.GITHUB_TOKEN }}
162 # This step uses [docker/metadata-action](https://github.com/docker/metadata-action#about) to extract tags and labels that will be applied to the specified image. The `id` "meta" allows the output of this step to be referenced in a subsequent step. The `images` value provides the base name for the tags and labels.
163 - name: Extract metadata (tags, labels) for Docker
164 id: meta
165 uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 #v5.7.0
166 with:
167 images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
168 tags: |
169 type=sha
170 type=semver,pattern={{version}},value=v${{ env.ZX_DEV_VERSION }}
171 # This step uses the `docker/build-push-action` action to build the image, based on your repository's `Dockerfile`. If the build succeeds, it pushes the image to GitHub Packages.
172 # It uses the `context` parameter to define the build's context as the set of files located in the specified path. For more information, see [Usage](https://github.com/docker/build-push-action#usage) in the README of the `docker/build-push-action` repository.
173 # It uses the `tags` and `labels` parameters to tag and label the image with the output from the "meta" step.
174 - name: Build and push Docker image
175 id: push
176 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
177 with:
178 context: ./
179 file: ./dcr/Dockerfile
180 push: true
181 tags: ${{ steps.meta.outputs.tags }}
182 labels: ${{ steps.meta.outputs.labels }}
183
184 # This step generates an artifact attestation for the image, which is an unforgeable statement about where and how it was built. It increases supply chain security for people who consume the image. For more information, see [Using artifact attestations to establish provenance for builds](/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds).
185 - name: Generate artifact attestation
186 uses: actions/attest-build-provenance@v2
187 with:
188 subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}}
189 subject-digest: ${{ steps.push.outputs.digest }}
190 push-to-registry: true