Skip to content

npm Release

npm Release #3

Workflow file for this run

# Publishes @nativescript/font-manager to npm from an existing SPM release tag,
# so the packaged nativescript.config.ts always points at a resolvable
# FontManager.xcframework release.
#
# Triggered automatically at the end of the SPM Release workflow, or manually
# via workflow_dispatch.
#
# Authentication uses npm Trusted Publishing (OIDC) — no NPM_TOKEN required.
# The `id-token: write` permission below lets the npm CLI (>= 11.5.1) exchange a
# short-lived GitHub OIDC token for publish rights. The Trusted Publisher must be
# configured on npmjs.com for this repo + workflow file (npm_release.yml).
name: npm Release
on:
workflow_dispatch:
inputs:
version:
description: 'Version to publish (e.g. 1.0.12). Must match an existing SPM release tag. Defaults to packages/font-manager/package.json.'
required: false
type: string
permissions:
contents: read
id-token: write # required for npm Trusted Publishing (OIDC) + provenance
concurrency:
group: npm-release
cancel-in-progress: false
jobs:
publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Resolve version
id: version
run: |
VERSION="${{ github.event.inputs.version }}"
if [ -z "$VERSION" ]; then
VERSION="$(node -p "require('./packages/font-manager/package.json').version")"
fi
if ! git rev-parse -q --verify "refs/tags/$VERSION^{commit}" > /dev/null; then
echo "error: tag $VERSION not found — run the SPM Release workflow first" >&2
exit 1
fi
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
- name: Checkout release tag
run: git checkout "refs/tags/${{ steps.version.outputs.version }}"
# Node 24 (LTS) bundles npm >= 11.5.1, which Trusted Publishing requires.
# We deliberately do NOT `npm install -g npm@latest` on an older Node: that
# self-upgrade corrupts the global npm on hosted runners and drops bundled
# deps like `sigstore`, breaking `npm publish --provenance`
# (npm/cli#9722). Using Node 24's stock npm avoids that entirely.
- uses: actions/setup-node@v4
with:
node-version: 24
registry-url: 'https://registry.npmjs.org'
- name: Install dependencies
run: npm ci
- name: Verify package.json matches release version
run: |
VERSION="${{ steps.version.outputs.version }}"
PKG_VERSION="$(node -p "require('./packages/font-manager/package.json').version")"
if [ "$PKG_VERSION" != "$VERSION" ]; then
echo "error: packages/font-manager/package.json is $PKG_VERSION but expected $VERSION" >&2
exit 1
fi
# build.all runs tools/scripts/build-finish.ts, which produces a
# ready-to-publish dist/packages/font-manager (cleaned package.json,
# publishing assets copied in).
- name: Build @nativescript/font-manager
run: npx nx run font-manager:build.all
# Publish the exact version from the release tag. No token env is set —
# the npm CLI authenticates via OIDC (Trusted Publishing) and generates
# provenance automatically.
- name: Publish @nativescript/font-manager
working-directory: dist/packages/font-manager
run: npm publish --access public --provenance
- name: Verify npm publish
run: |
VERSION="${{ steps.version.outputs.version }}"
for i in $(seq 1 10); do
if [ "$(npm view "@nativescript/font-manager@$VERSION" version 2>/dev/null)" = "$VERSION" ]; then
echo "@nativescript/font-manager@$VERSION is live"
exit 0
fi
echo "not visible yet, retrying ($i/10)..."
sleep 15
done
echo "error: @nativescript/font-manager@$VERSION not visible on the registry" >&2
exit 1