appkit/.github/workflows/release.yml at 9e949163129e1d2168e4a7efab6c21f1302e9954 · databricks/appkit · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
name: Release

on:
  push:
    branches:
      - main
    paths-ignore:
      - 'packages/lakebase/**'
  workflow_dispatch:
    inputs:
      dry-run:
        description: "Dry run (no actual release)"
        required: false
        type: boolean
        default: false

concurrency:
  group: release
  cancel-in-progress: false

jobs:
  release:
    runs-on:
      group: databricks-protected-runner-group
      labels: linux-ubuntu-latest

    environment: release

    outputs:
      version: ${{ steps.version.outputs.version }}

    permissions:
      contents: write
      id-token: write

    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Git
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

      - name: Setup Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: 24
          registry-url: "https://registry.npmjs.org"
          cache: "pnpm"

      - name: Update npm
        run: npm install -g [email protected]

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Determine release mode
        id: mode
        run: |
          if [ "${{ github.event_name }}" == "push" ]; then
            echo "dry_run=false" >> $GITHUB_OUTPUT
          else
            echo "dry_run=${{ inputs.dry-run }}" >> $GITHUB_OUTPUT
          fi

      - name: Determine version
        id: version
        if: steps.mode.outputs.dry_run != 'true'
        run: |
          VERSION=$(pnpm exec release-it --release-version --ci 2>/dev/null) || true
          if [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "version=$VERSION" >> $GITHUB_OUTPUT
            echo "Next version: $VERSION"
          else
            echo "No releasable version detected"
          fi

      - name: Release (build + tag locally, no push)
        run: |
          if [ "${{ steps.mode.outputs.dry_run }}" == "true" ]; then
            pnpm release:dry
          else
            pnpm exec release-it --ci --no-git.push --no-github.release
          fi
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Security scan (appkit)
        if: steps.mode.outputs.dry_run != 'true' && steps.version.outputs.version != ''
        uses: databricks-eng/gh-action-scan@1c260de6986f77d8c505975ce434830a7afdb95f
        with:
          artifact-path: packages/appkit/tmp
          artifact-name: appkit-${{ steps.version.outputs.version }}

      - name: Security scan (appkit-ui)
        if: steps.mode.outputs.dry_run != 'true' && steps.version.outputs.version != ''
        uses: databricks-eng/gh-action-scan@1c260de6986f77d8c505975ce434830a7afdb95f
        with:
          artifact-path: packages/appkit-ui/tmp
          artifact-name: appkit-ui-${{ steps.version.outputs.version }}

      - name: Push tag and create GitHub release
        if: steps.mode.outputs.dry_run != 'true' && steps.version.outputs.version != ''
        env:
          VERSION: ${{ steps.version.outputs.version }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          git push --follow-tags
          NOTES=$(awk '/^## \[/{if(p) exit; p=1} p' CHANGELOG.md)
          gh release create "v${VERSION}" \
            --title "AppKit v${VERSION}" \
            --notes "$NOTES"

      - name: Publish to npm
        if: steps.mode.outputs.dry_run != 'true' && steps.version.outputs.version != ''
        run: |
          npm publish packages/appkit/tmp --access public --provenance
          npm publish packages/appkit-ui/tmp --access public --provenance
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  sync-template:
    runs-on:
      group: databricks-protected-runner-group
      labels: linux-ubuntu-latest

    needs: release
    # in case a dry run is performed, the version is not set so we need to check for it.
    if: needs.release.outputs.version != ''

    permissions:
      contents: write

    steps:
      - name: Checkout
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          ref: main
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}

      - name: Setup Git
        run: |
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"

      - name: Setup pnpm
        uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

      - name: Setup Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: 24
          cache: "pnpm"

      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Sync template and push tag
        run: pnpm exec tsx tools/publish-template-tag.ts ${{ needs.release.outputs.version }}