Skip to content

Implement GitHub release step in CI workflow #350

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bourgeoa merged 1 commit into from
Mar 29, 2026
+34 −0
Merged

Implement GitHub release step in CI workflow #350

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
34 changes: 34 additions & 0 deletions .github/workflows/ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,3 +94,37 @@ jobs:
- name: Publish to npm
if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
run: npm publish --tag latest

github-release:
needs: [npm-publish-latest]
runs-on: ubuntu-latest
if: github.ref == 'refs/heads/main' && github.event_name == 'push'
permissions:
contents: write
steps:
- uses: actions/checkout@v6
Copy link

Copilot AI Mar 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actions/checkout is referenced by a mutable major tag (@v6). For stronger supply-chain security and reproducibility, pin this action to a specific commit SHA (or at least a well-known stable major used elsewhere in the org) rather than a floating major tag.

Suggested change
- uses: actions/checkout@v6
- uses: actions/checkout@d632683dd7b4114ad314bca15554477dd762a938 # v4.2.2

Copilot uses AI. Check for mistakes.
with:
fetch-depth: 0

- name: Compute release tag from package version
id: release_tag
run: echo "tag=v$(node -p \"require('./package.json').version\")" >> "$GITHUB_OUTPUT"

Comment on lines +109 to +112
Copy link

Copilot AI Mar 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The release_tag step writes an output (tag=...) but that output is never consumed; the tag is recomputed again in the next step. Either reference steps.release_tag.outputs.tag in the release creation step, or remove this step to avoid duplication/confusion.

Copilot uses AI. Check for mistakes.
- name: Create GitHub release with generated notes
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
TAG="v$(node -p "require('./package.json').version")"
Copy link

Copilot AI Mar 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

TAG is derived from package.json again here instead of using the previously computed output. This duplication increases the chance of the tag computation drifting over time (e.g., if the version source changes). Prefer using the earlier computed value consistently.

Suggested change
TAG="v$(node -p "require('./package.json').version")"
TAG="${{ steps.release_tag.outputs.tag }}"

Copilot uses AI. Check for mistakes.

if gh release view "$TAG" >/dev/null 2>&1; then
echo "Release $TAG already exists. Skipping."
exit 0
fi

if git ls-remote --exit-code --tags origin "refs/tags/$TAG" >/dev/null 2>&1; then
echo "Tag $TAG already exists on origin. Creating release from existing tag."
gh release create "$TAG" --verify-tag --generate-notes
else
echo "Creating tag and release $TAG from commit $GITHUB_SHA."
gh release create "$TAG" --target "$GITHUB_SHA" --generate-notes
fi
Loading