ci: move npm publish and GitHub release to CI workflow

NathanFlurry · NathanFlurry · commit db4d3b6d47d4 · 2026-03-18T05:28:03.000-07:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,97 @@
+name: Release
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: "Version to publish (e.g. 0.1.0-rc.2)"
+        required: true
+        type: string
+      npm-tag:
+        description: "npm dist-tag"
+        required: true
+        type: choice
+        options:
+          - latest
+          - rc
+
+concurrency:
+  group: release
+  cancel-in-progress: false
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout tag
+        uses: actions/checkout@v4
+        with:
+          ref: v${{ inputs.version }}
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          version: 8.15.6
+
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
+          registry-url: https://registry.npmjs.org
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Type check
+        run: pnpm turbo check-types
+
+      - name: Build
+        run: pnpm turbo build
+
+      - name: Publish to npm
+        run: |
+          FAILURES=""
+          for dir in $(pnpm -r ls --json --depth -1 | jq -r '.[] | select(.private != true) | .path'); do
+            # Skip the root package
+            if [ "$dir" = "$(pwd)" ]; then
+              continue
+            fi
+            NAME=$(jq -r .name "$dir/package.json")
+            VERSION="${{ inputs.version }}"
+            # Skip if already published
+            if npm view "${NAME}@${VERSION}" version >/dev/null 2>&1; then
+              echo "⏭ ${NAME}@${VERSION} already published, skipping."
+              continue
+            fi
+            echo "Publishing ${NAME}@${VERSION}..."
+            if ! (cd "$dir" && pnpm publish --access public --tag ${{ inputs.npm-tag }} --no-git-checks); then
+              FAILURES="${FAILURES} ${NAME}"
+            fi
+          done
+          if [ -n "$FAILURES" ]; then
+            echo "::error::Failed to publish:${FAILURES}"
+            exit 1
+          fi
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Create GitHub release
+        run: |
+          if gh release view "v${{ inputs.version }}" >/dev/null 2>&1; then
+            echo "GitHub release v${{ inputs.version }} already exists, skipping."
+          else
+            PRERELEASE=""
+            if [ "${{ inputs.npm-tag }}" = "rc" ]; then
+              PRERELEASE="--prerelease"
+            fi
+            gh release create "v${{ inputs.version }}" \
+              --title "v${{ inputs.version }}" \
+              --generate-notes \
+              $PRERELEASE
+          fi
+        env:
+          GH_TOKEN: ${{ github.token }}
diff --git a/scripts/release.ts b/scripts/release.ts
@@ -27,11 +27,6 @@ function tryRun(cmd: string, opts?: { cwd?: string; stdio?: "pipe" | "inherit" }
   }
 }
 
-function isPublished(name: string, version: string): boolean {
-  const { ok } = tryRun(`npm view ${name}@${version} version`);
-  return ok;
-}
-
 function fatal(msg: string): never {
   console.error(`\x1b[31mError:\x1b[0m ${msg}`);
   process.exit(1);
@@ -155,13 +150,6 @@ async function main() {
     process.exit(0);
   }
 
-  // Typecheck & build
-  console.log("\n\x1b[1mRunning typecheck...\x1b[0m");
-  run("pnpm turbo check-types", { stdio: "inherit" });
-
-  console.log("\n\x1b[1mRunning build...\x1b[0m");
-  run("pnpm turbo build", { stdio: "inherit" });
-
   // Bump versions
   console.log(`\n\x1b[1mBumping versions to ${version}...\x1b[0m`);
   setVersion(ROOT, version);
@@ -183,7 +171,7 @@ async function main() {
     console.log("  No version changes to commit, skipping.");
   }
 
-  // Git tag & GitHub release
+  // Git tag
   console.log(`\n\x1b[1mCreating git tag v${version}...\x1b[0m`);
   const tagExists = tryRun(`git rev-parse v${version}`).ok;
   if (tagExists) {
@@ -193,39 +181,12 @@ async function main() {
     run(`git push origin v${version}`);
   }
 
-  const prerelease = tag === "rc" ? "--prerelease" : "";
-  const releaseExists = tryRun(`gh release view v${version}`).ok;
-  if (releaseExists) {
-    console.log(`  GitHub release v${version} already exists, skipping.`);
-  } else {
-    console.log("\n\x1b[1mCreating GitHub release...\x1b[0m");
-    run(
-      `gh release create v${version} --title "v${version}" --generate-notes ${prerelease}`.trim(),
-      { stdio: "inherit" },
-    );
-  }
-
-  // Publish
-  console.log(`\n\x1b[1mPublishing to npm (tag: ${tag})...\x1b[0m`);
-  const failures: string[] = [];
-  for (const pkg of packages) {
-    const name = JSON.parse(readFileSync(join(pkg, "package.json"), "utf-8")).name;
-    if (isPublished(name, version)) {
-      console.log(`  \x1b[33m⏭ ${name}@${version} already published, skipping.\x1b[0m`);
-      continue;
-    }
-    console.log(`  Publishing ${name}...`);
-    const { ok } = tryRun(`pnpm publish --access public --tag ${tag} --no-git-checks`, { cwd: pkg, stdio: "inherit" });
-    if (!ok) {
-      failures.push(name);
-    }
-  }
-
-  if (failures.length > 0) {
-    fatal(`Failed to publish: ${failures.join(", ")}`);
-  }
+  // Trigger CI release workflow
+  console.log(`\n\x1b[1mTriggering CI release workflow...\x1b[0m`);
+  run(`gh workflow run release.yml -f version=${version} -f npm-tag=${tag}`, { stdio: "inherit" });
 
-  console.log(`\n\x1b[32m✓ Released v${version}\x1b[0m`);
+  console.log(`\n\x1b[32m✓ Tag v${version} pushed — CI will handle publish + GitHub release.\x1b[0m`);
+  console.log(`  Watch progress: \x1b[36mhttps://github.com/rivet-dev/secure-exec/actions/workflows/release.yml\x1b[0m`);
 }
 
 main().catch((err) => {
