Set up trusted publishing

pimterry · pimterry · commit d5cfcb086f88 · 2025-11-06T15:03:48.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,18 +7,79 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [10.x, 12.x, 14.x, 16.x, '*']
+        node-version: [10.x, 12.x, 14.x, 16.x, 22.x, '*']
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
 
-      - uses: actions/setup-node@v2
+      - uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
+          cache: 'npm'
+          cache-dependency-path: 'package.json'
 
       - uses: shivammathur/setup-php@v2
         with:
           php-version: '7.0'
 
       - run: npm ci
       - run: npm test
+
+  publish:
+    name: Publish to npm
+    needs: build
+    if: startsWith(github.ref, 'refs/tags/v')
+    runs-on: ubuntu-latest
+    environment:
+      name: npm
+      url: https://www.npmjs.com/package/@httptoolkit/httpsnippet
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22.x'
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'npm'
+          cache-dependency-path: 'package.json'
+
+      - run: npm ci
+
+      - name: Verify tag matches package.json version
+        id: version-check
+        run: |
+          TAG_VERSION=${GITHUB_REF#refs/tags/v}
+          PACKAGE_VERSION=$(node -p "require('./package.json').version")
+          if [ "$TAG_VERSION" != "$PACKAGE_VERSION" ]; then
+            echo "Error: Tag version (v$TAG_VERSION) does not match package.json version ($PACKAGE_VERSION)"
+            exit 1
+          fi
+          echo "✓ Tag version matches package.json version: $PACKAGE_VERSION"
+
+          # Check if version matches strict X.Y.Z format (stable release)
+          if echo "$PACKAGE_VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "Stable release version detected: $PACKAGE_VERSION"
+            echo "is_prerelease=false" >> $GITHUB_OUTPUT
+          else
+            echo "Prerelease version detected: $PACKAGE_VERSION"
+            echo "is_prerelease=true" >> $GITHUB_OUTPUT
+          fi
+
+      # Make sure we have the latest npm for publishing:
+      - run: npm install -g npm@latest
+
+      - name: Publish to npm
+        run: |
+          if [ "${{ steps.version-check.outputs.is_prerelease }}" == "true" ]; then
+            echo "Publishing untagged prerelease"
+            npm publish --provenance --tag test
+            # We have to publish with a tag (so we use 'test') but we can clean it up:
+            npm dist-tag rm @httptoolkit/httpsnippet test --silent
+          else
+            echo "Publishing stable release with 'latest' tag"
+            npm publish --provenance
+          fi
