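name: Publish packages
# npm-package publishing flows through changesets:
#
# 1. Contributor PR adds a `.changeset/*.md` declaring which packages
#    changed and at what bump level (patch / minor / major). The
#    `changeset-check.yml` workflow blocks PRs that touch publishable
#    package source without a corresponding changeset.
# 2. When the PR merges to `main`, this workflow runs. If any unconsumed
#    changesets exist, `changesets/action` opens (or updates) a
#    "Version Packages" PR that runs `pnpm changeset version` —
#    bumping versions + writing changelogs.
# 3. When the "Version Packages" PR itself merges, this workflow runs
#    again — this time `changesets/action` finds no pending changesets
#    and runs the `publish` script, which builds + `pnpm publish`es
#    every package whose version isn't already on npm.
#
# Desktop-app publishing is OUT of changesets — it ships binaries via
# electron-builder, not npm. Its publish jobs stay path-triggered on
# `packages/desktop-app/package.json` version changes (see bottom).
#
# Security notes:
# - `permissions: {}` at the top drops every default GITHUB_TOKEN grant;
#   each job below asks only for what it needs.
# - Every `uses:` is referenced by a floating major tag (`@v1`, `@v4`).
#   A tag can be moved by the action's maintainers or by whoever
#   compromises them, and this workflow holds publish credentials
#   (npm OIDC, Apple signing cert, app token). Prefer pinning each
#   action to a full-length commit SHA with the tag kept in a trailing
#   comment, and let Dependabot/Renovate bump the SHA. No SHAs are
#   written here — resolve them from each upstream repo when pinning.
on:
  push:
    branches: [main]
    paths:
      # changesets-managed npm packages — any source change reaches here
      # via the Version Packages PR merge bumping their package.json.
      - "packages/core/**"
      - "packages/scheduling/**"
      - "packages/pinpoint/**"
      - "packages/dispatch/**"
      - ".changeset/**"
      # desktop-app stays version-triggered (not changesets-managed).
      - "packages/desktop-app/package.json"
  workflow_dispatch:
permissions: {}
concurrency:
  # Never cancel an in-flight publish: a half-published set of packages
  # is worse than a queued duplicate run.
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false
jobs:
  release:
    name: Release npm packages
    runs-on: ubuntu-latest
    # Environment-scoped secrets + any protection rules configured on
    # `npm-publish` gate this job.
    environment: npm-publish
    permissions:
      contents: write       # changesets/action pushes the Version PR branch
      pull-requests: write  # changesets/action opens/updates the Version PR
      id-token: write       # npm Trusted Publishing (OIDC) + provenance
    steps:
      - name: Generate app token
        id: app-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: ${{ secrets.BUILDER_BOT_FOR_LINT_APP_ID }}
          private-key: ${{ secrets.BUILDER_BOT_FOR_LINT_PRIVATE_KEY }}
      - uses: actions/checkout@v4
        with:
          # Checked out with the app token (not GITHUB_TOKEN) so the
          # Version PR it pushes triggers other workflows. The default
          # `persist-credentials: true` is left in place here because
          # changesets/action presumably relies on the stored credential
          # for its `git push` — confirm before tightening.
          token: ${{ steps.app-token.outputs.token }}
          fetch-depth: 0
      - uses: pnpm/action-setup@v4
      # Node 24 ships with npm 11.6+ — required for Trusted Publishing OIDC
      # (>= 11.5.1). Node 22 ships npm 10.x; the in-place self-upgrade
      # (`npm install -g npm@latest`) is broken on the current runner image
      # (actions/runner-images#13883), so we just use a Node version that
      # already has the right npm baked in.
      - uses: actions/setup-node@v4
        with:
          node-version: "24"
          cache: "pnpm"
          registry-url: "https://registry.npmjs.org"
      - run: pnpm install --frozen-lockfile
      # Build everything once so changesets/action's `publish` step doesn't
      # re-build per package. The `publish` script also re-runs build to be
      # safe when a single package is published in isolation.
      - name: Build all packages
        run: pnpm -r build
      - name: Create Release PR or publish to npm
        id: changesets
        uses: changesets/action@v1
        with:
          # When changesets/action finds no pending changesets, it runs
          # `publish` — which shells out to `npm publish` per package.
          # We invoke `changeset publish` directly via npx (NOT
          # `pnpm changeset publish`); pnpm's publish path bypasses npm's
          # OIDC trusted-publishing handshake and fails ENEEDAUTH.
          # See pnpm#9812, changesets/changesets#1914.
          #
          # `--no-install` makes npx use only the locally installed
          # `changeset` bin (from @changesets/cli, which `pnpm changeset
          # version` above already depends on). Without it, a missing or
          # broken install would make npx fetch the unrelated npm package
          # named `changeset` at publish time instead of failing loudly.
          publish: npx --no-install changeset publish
          # When pending changesets exist, opens this PR with the version
          # bumps + changelog updates. Merging it triggers the publish run.
          title: "chore: version packages"
          commit: "chore: version packages"
        env:
          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
          # `npm publish` (called by `changeset publish`) requests an OIDC
          # token when --provenance is set. publishConfig.provenance in
          # package.json isn't honored everywhere, so set the env var —
          # both npm and pnpm read NPM_CONFIG_PROVENANCE.
          NPM_CONFIG_PROVENANCE: "true"
      - name: Trigger Builder workspace package update
        if: |
          steps.changesets.outputs.published == 'true' &&
          (
            contains(steps.changesets.outputs.publishedPackages, '@agent-native/core') ||
            contains(steps.changesets.outputs.publishedPackages, '@agent-native/dispatch')
          )
        # Best-effort notification; a failure here must not fail a publish
        # that already happened.
        continue-on-error: true
        env:
          # The app token must be installed on the target repo for this
          # dispatch to be accepted — presumably it is; verify if this
          # step starts 404ing.
          GH_TOKEN: ${{ steps.app-token.outputs.token }}
          # All dynamic values go through the environment rather than
          # `${{ }}` expansion inside the script, so none of them can
          # change the shell command itself.
          PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
          SOURCE_REPOSITORY: ${{ github.repository }}
          SOURCE_RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
        run: |
          gh api repos/BuilderIO/builder-agent-native-workspace/dispatches \
            --method POST \
            -f event_type=agent-native-packages-published \
            -f "client_payload[publishedPackages]=$PUBLISHED_PACKAGES" \
            -f "client_payload[sourceRepository]=$SOURCE_REPOSITORY" \
            -f "client_payload[sourceRunUrl]=$SOURCE_RUN_URL"
  publish-desktop:
    name: Publish desktop app
    needs: []
    # Runs on manual dispatch, or when the push's head commit touched the
    # desktop-app package.json (a version bump). Note `head_commit` is only
    # the last commit of the push, so a bump buried in an earlier commit of
    # a multi-commit push would not trigger this; squash-merging `main`
    # keeps that from mattering.
    if: |
      github.event_name == 'workflow_dispatch' ||
      contains(github.event.head_commit.modified, 'packages/desktop-app/package.json') ||
      contains(github.event.head_commit.added, 'packages/desktop-app/package.json')
    # electron-builder --publish always creates/updates a GitHub release.
    # NOTE(review): the Apple signing secrets used below are repository
    # secrets; moving them into a protected environment (as npm-publish is)
    # would let branch/reviewer rules gate their use — confirm with the
    # secret owners.
    permissions:
      contents: write
    strategy:
      matrix:
        include:
          - os: macos-latest
            platform: mac
          - os: windows-latest
            platform: win
          - os: ubuntu-latest
            platform: linux
    runs-on: ${{ matrix.os }}
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "22"
          cache: pnpm
      - name: Install dependencies
        run: pnpm install --frozen-lockfile
      - name: Import signing certificate
        if: matrix.platform == 'mac'
        env:
          APPLE_CERTIFICATE: ${{ secrets.APPLE_CERTIFICATE }}
          APPLE_CERTIFICATE_PASSWORD: ${{ secrets.APPLE_CERTIFICATE_PASSWORD }}
        run: |
          # Decode the .p12 outside the checkout (not in the repo root) so no
          # build/pack step can sweep it up, and delete it on every exit
          # path — not only after a successful import.
          CERT_PATH="$RUNNER_TEMP/certificate.p12"
          trap 'rm -f "$CERT_PATH"' EXIT
          echo "$APPLE_CERTIFICATE" | base64 --decode > "$CERT_PATH"
          # Throwaway keychain with an empty password; the runner is ephemeral.
          security create-keychain -p "" build.keychain
          security default-keychain -s build.keychain
          security unlock-keychain -p "" build.keychain
          security import "$CERT_PATH" -k build.keychain -P "$APPLE_CERTIFICATE_PASSWORD" -T /usr/bin/codesign
          # Let codesign use the key without an interactive prompt.
          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "" build.keychain
      - name: Build and publish
        working-directory: packages/desktop-app
        env:
          # GITHUB_TOKEN (contents: write) is what electron-builder uses to
          # create/upload the GitHub release.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          APPLE_ID: ${{ secrets.APPLE_ID }}
          APPLE_APP_SPECIFIC_PASSWORD: ${{ secrets.APPLE_APP_SPECIFIC_PASSWORD }}
          # Team IDs are public identifiers, not secrets.
          APPLE_TEAM_ID: W3PMF2T3MW
        # `matrix.platform` is workflow-defined (mac/win/linux), so expanding
        # it inside the command is safe.
        run: pnpm build && npx electron-builder --${{ matrix.platform }} --config --publish always
      - name: Remove signing keychain
        # Hosted runners are thrown away, but don't leave the imported key
        # behind if this ever runs on a self-hosted runner.
        if: always() && matrix.platform == 'mac'
        run: security delete-keychain build.keychain || true
  publish-desktop-release:
    name: Publish desktop release
    needs: [publish-desktop]
    if: |
      github.event_name == 'workflow_dispatch' ||
      contains(github.event.head_commit.modified, 'packages/desktop-app/package.json') ||
      contains(github.event.head_commit.added, 'packages/desktop-app/package.json')
    # gh release edit requires contents:write; workflow default is {}.
    permissions:
      contents: write
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Only package.json is read here; no step needs git credentials,
          # so don't persist the token into .git/config.
          persist-credentials: false
      - name: Get version
        id: version
        run: echo "version=$(node -p "require('./packages/desktop-app/package.json').version")" >> "$GITHUB_OUTPUT"
      - name: Publish draft release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed via the environment rather than `${{ }}`-expanded inside
          # the script: the version string comes from repo content, and
          # keeping it out of the command text is the standard guard
          # against script injection through step outputs.
          VERSION: ${{ steps.version.outputs.version }}
        run: gh release edit "v$VERSION" --draft=false --latest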