From b6a932922c16ce9af587f12e988be97afb4c06e1 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 13 May 2026 15:39:34 +0000 Subject: [PATCH 1/8] ci: move npm publish to GHA for trusted publishing - Add release.yml workflow using release-please-action for stable releases - Update pre-release.yml with OIDC permissions and --provenance flag - Remove release-please job from CircleCI (update-lockfile stays) https://claude.ai/code/session_011HCWQbTc6LTeMxgdwTH2R6 --- .circleci/config.yml | 30 ---------------------- .github/workflows/pre-release.yml | 7 +++++- .github/workflows/release.yml | 42 +++++++++++++++++++++++++++++++ 3 files changed, 48 insertions(+), 31 deletions(-) create mode 100644 .github/workflows/release.yml diff --git a/.circleci/config.yml b/.circleci/config.yml index 1269a1df58..9867169232 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -4,14 +4,6 @@ orbs: e2e: netlify/e2e@1 workflows: - release-please: - jobs: - - release-please: - context: [shared-secrets] - filters: - branches: - only: [main] - # Workflow responsible for correctly updating the root lockfile for the release-please PR # See: https://github.com/googleapis/release-please/issues/1101 release-pull-request: @@ -76,28 +68,6 @@ commands: - node_modules jobs: - release-please: - description: The release action that runs on the main branch - executor: node - steps: - - checkout - - npm-install-deps - - run: npm run build - - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc - - run: npx lerna publish from-package --yes --no-private - - run: - name: Create Github Release - command: | - npx release-please github-release \ - --token "${GITHUB_RELEASES_TOKEN}" \ - --repo-url "${CIRCLE_REPOSITORY_URL}" \ - - run: - name: Run release-please - command: | - npx release-please release-pr \ - --token "${GITHUB_RELEASES_TOKEN}" \ - --repo-url "${CIRCLE_REPOSITORY_URL}" \ - update-lockfile: description: Update lockfile in a release please PR executor: node 
diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml index 42fe4af928..ec779e3bcc 100644 --- a/.github/workflows/pre-release.yml +++ b/.github/workflows/pre-release.yml @@ -4,6 +4,11 @@ on: branches: # releases/// - releases/*/*/* + +permissions: + contents: write + id-token: write + jobs: prerelease: runs-on: ubuntu-24.04 @@ -58,6 +63,6 @@ jobs: run: npm install - name: Build workspaces run: npx lerna run build - - run: npm publish packages/${{ steps.extract.outputs.package }}/ --tag=${{ steps.extract.outputs.tag }} + - run: npm publish packages/${{ steps.extract.outputs.package }}/ --tag=${{ steps.extract.outputs.tag }} --provenance env: NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 0000000000..e27594457a --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,42 @@ +name: release +on: + push: + branches: + - main + +permissions: + contents: write + pull-requests: write + id-token: write + +jobs: + release-please: + runs-on: ubuntu-24.04 + outputs: + releases_created: ${{ steps.release.outputs.releases_created }} + steps: + - uses: googleapis/release-please-action@v4 + id: release + with: + token: ${{ secrets.GITHUB_TOKEN }} + + publish: + needs: release-please + if: ${{ needs.release-please.outputs.releases_created == 'true' }} + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@v6 + - uses: actions/setup-node@v6 + with: + node-version: '22' + check-latest: true + registry-url: 'https://registry.npmjs.org' + - name: Install dependencies + run: npm ci + - name: Build workspaces + run: npm run build + - name: Publish packages + run: npx lerna publish from-package --yes --no-private + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + NPM_CONFIG_PROVENANCE: true From ba7ee19dfebfaa0e5b13b79c71d88fb0b753f708 Mon Sep 17 00:00:00 2001 
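Review bot: The workflow-level `permissions` block in the new release.yml grants every job `id-token: write` and `pull-requests: write`, so the `release-please` job can mint OIDC tokens it never uses and the `publish` job (the one that runs `npx lerna publish from-package`) can edit pull requests it never touches. Scoping the grants per job, with `permissions: {}` at the top, keeps each `GITHUB_TOKEN` to the minimum its steps need, and placing the publish job in a GitHub `environment` lets the npm trusted-publisher entry bind to that environment name and lets required reviewers gate a publish. The environment name is a placeholder below and must match whatever is configured on npmjs.com.

```yaml
permissions: {}

jobs:
  release-please:
    runs-on: ubuntu-24.04
    permissions:
      contents: write
      pull-requests: write
    # … unchanged: outputs and release-please-action step …

  publish:
    needs: release-please
    if: ${{ needs.release-please.outputs.releases_created == 'true' }}
    runs-on: ubuntu-24.04
    environment: release  # must match the trusted publisher entry on npmjs.com
    permissions:
      contents: read
      id-token: write
    # … unchanged: checkout, setup-node, install, build and publish steps …
```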
From: Claude Date: Wed, 13 May 2026 15:45:27 +0000 Subject: [PATCH 2/8] fix: apply prettier formatting to CI config files https://claude.ai/code/session_01ABzhd7XYQi7KMqNYZKfUTr --- .circleci/config.yml | 2 +- .github/workflows/pre-release.yml | 7 +++---- .github/workflows/release.yml | 4 ++-- 3 files changed, 6 insertions(+), 7 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 9867169232..60d371a23b 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -14,7 +14,7 @@ workflows: branches: only: [release-please--branches--main] - 'Test & Check 🕵️‍♀️': + "Test & Check 🕵️‍♀️": jobs: - formatting - e2e/test: diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml index ec779e3bcc..ae66df107b 100644 --- a/.github/workflows/pre-release.yml +++ b/.github/workflows/pre-release.yml @@ -18,9 +18,9 @@ jobs: fetch-depth: 0 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node-version: '24' + node-version: "24" check-latest: true - registry-url: 'https://registry.npmjs.org' + registry-url: "https://registry.npmjs.org" - name: Extract tag, version and package id: extract run: |- @@ -47,8 +47,7 @@ jobs: # See https://github.com/npm/cli/issues/2010,https://github.com/npm/npm/issues/9111 run: mkdir packages/${{ steps.extract.outputs.package }}/.git - name: Run npm version - run: - 'npm version --workspace packages/${{ steps.extract.outputs.package }} ${{ steps.extract.outputs.version + run: 'npm version --workspace packages/${{ steps.extract.outputs.package }} ${{ steps.extract.outputs.version }}-${{ steps.extract.outputs.tag }} -m "chore: release @netlify/${{ steps.extract.outputs.package }} ${{ steps.extract.outputs.version }}-${{ steps.extract.outputs.tag }}"' - name: Prefix package to git tag diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e27594457a..0e31bfff81 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -28,9 +28,9 @@ jobs: - uses: actions/checkout@v6 - uses: actions/setup-node@v6 with: - node-version: '22' + node-version: "22" check-latest: true - registry-url: 'https://registry.npmjs.org' + registry-url: "https://registry.npmjs.org" - name: Install dependencies run: npm ci - name: Build workspaces From 24a31306662852367d23ea25ea8403534164bab5 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 13 May 2026 16:02:17 +0000 Subject: [PATCH 3/8] chore: pin GHA actions to SHAs in release workflows Pin actions to their full commit SHAs with version comments for security (immutable references) and readability. https://claude.ai/code/session_01HtVRxL8TMLfQTbTvvaLYWz --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0e31bfff81..2f4097a565 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -15,7 +15,7 @@ jobs: outputs: releases_created: ${{ steps.release.outputs.releases_created }} steps: - - uses: googleapis/release-please-action@v4 + - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4.4.1 id: release with: token: ${{ secrets.GITHUB_TOKEN }} @@ -25,8 +25,8 @@ jobs: if: ${{ needs.release-please.outputs.releases_created == 'true' }} runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v6 - - uses: actions/setup-node@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: node-version: "22" check-latest: true From 8fb3f2fbfbd7e81f71e99bd7b6ca4870b7d5df66 Mon Sep 17 00:00:00 2001 From: Philippe Serhal Date: Wed, 13 May 2026 12:06:43 -0400 Subject: [PATCH 4/8] Apply suggestion from @serhalp --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 2f4097a565..3dd070bfd4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -28,7 +28,7 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node-version: "22" + node-version: "24" check-latest: true registry-url: "https://registry.npmjs.org" - name: Install dependencies From a0535b552a1effa28bb81a39d75db1bb75463a83 Mon Sep 17 00:00:00 2001 From: Claude Date: Wed, 13 May 2026 16:15:43 +0000 Subject: [PATCH 5/8] fix: remove NPM_TOKEN to use OIDC for trusted publishing With id-token: write permission and trusted publishing configured on npmjs.com, npm uses the short-lived OIDC token automatically. NODE_AUTH_TOKEN was bypassing OIDC and using the long-lived token. https://claude.ai/code/session_01NmU7gnap9unNWgcsUyN3J7 --- .github/workflows/pre-release.yml | 2 -- .github/workflows/release.yml | 1 - 2 files changed, 3 deletions(-) diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml index ae66df107b..2ef57a0c9a 100644 --- a/.github/workflows/pre-release.yml +++ b/.github/workflows/pre-release.yml @@ -63,5 +63,3 @@ jobs: - name: Build workspaces run: npx lerna run build - run: npm publish packages/${{ steps.extract.outputs.package }}/ --tag=${{ steps.extract.outputs.tag }} --provenance - env: - NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3dd070bfd4..08fd2b5c3e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,5 +38,4 @@ jobs: - name: Publish packages run: npx lerna publish from-package --yes --no-private env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NPM_CONFIG_PROVENANCE: true From 76fd373a3f9154a5ecc720e4a3a755893ec61514 Mon Sep 17 00:00:00 2001 
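Review bot: Dropping `NODE_AUTH_TOKEN` from both publish steps leaves the long-lived `NPM_TOKEN` repository secret, and the CircleCI `shared-secrets` context it was also read from, with no remaining consumer but still valid; it should be revoked on npmjs.com rather than only deleted from the repository, and once OIDC publishing is confirmed the packages' publishing access can be restricted to trusted publishers only. `actions/setup-node` with `registry-url` still writes an `.npmrc` entry of the form `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}` with a placeholder value, and npm's OIDC exchange is meant to take precedence over it only on npm 11.5.1 or newer, which the Node 24 toolchain with `check-latest: true` presumably provides but nothing here verifies. An explicit `- run: npm --version` step before the publish in both workflows would make a silent fallback to the placeholder token show up in the logs rather than as an opaque publish failure. The rest of both jobs lies outside these hunks.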
From: Philippe Serhal Date: Wed, 24 Jun 2026 11:31:16 -0400 Subject: [PATCH 6/8] ci: replace custom pre-release workflow with pkg.pr.new --- .github/workflows/pre-release.yml | 55 ++++--------------------------- CONTRIBUTING.md | 11 ++++--- package-lock.json | 11 +++++++ package.json | 1 + 4 files changed, 24 insertions(+), 54 deletions(-) diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml index 2ef57a0c9a..e6e5ccdbf7 100644 --- a/.github/workflows/pre-release.yml +++ b/.github/workflows/pre-release.yml @@ -1,17 +1,12 @@ name: prerelease on: push: - branches: - # releases/// - - releases/*/*/* - -permissions: - contents: write - id-token: write - + branches: [main] + pull_request: + types: [opened, synchronize, reopened] jobs: prerelease: - runs-on: ubuntu-24.04 + runs-on: ubuntu-slim steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: 
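Review bot: Removing the `permissions` block means the `prerelease` job now runs with the repository's default `GITHUB_TOKEN` permissions, which can be write-all depending on repository settings, while the new `pull_request` trigger runs PR-controlled `npm ci` and build scripts on every synchronize. Because the trigger is `pull_request` rather than `pull_request_target`, fork PRs already get a read-only token, but same-repo branches and pushes to `main` do not, so an explicit top-level `permissions:` / `  contents: read` pins it regardless of settings (pkg-pr-new authenticates through its GitHub App, so it should not need more, though that is worth confirming). `runs-on: ubuntu-slim` is also a newer runner label; if it is not available to this repository the job will wait for a runner rather than fail, which is easy to miss on a preview-publish workflow.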
@@ -20,46 +15,8 @@ jobs: with: node-version: "24" check-latest: true - registry-url: "https://registry.npmjs.org" - - name: Extract tag, version and package - id: extract - run: |- - ref=${{ github.ref }} - branch=${ref:11} - info=${branch:9} - package_tag=${info%/*} - package=${package_tag%/*} - tag=${package_tag#*/} - version=${info##*/} - echo "package=${package}" >> $GITHUB_OUTPUT - echo "tag=${tag}" >> $GITHUB_OUTPUT - echo "version=${version}" >> $GITHUB_OUTPUT - - name: Log extracted information - run: |- - echo package=${{ steps.extract.outputs.package }} - echo tag=${{ steps.extract.outputs.tag }} - echo version=${{ steps.extract.outputs.version }} - - name: Setup git user - run: git config --global user.name github-actions - - name: Setup git email - run: git config --global user.email github-actions@github.com - - name: Create fake .git in package subdirectory - # See https://github.com/npm/cli/issues/2010,https://github.com/npm/npm/issues/9111 - run: mkdir packages/${{ steps.extract.outputs.package }}/.git - - name: Run npm version - run: 'npm version --workspace packages/${{ steps.extract.outputs.package }} ${{ steps.extract.outputs.version - }}-${{ steps.extract.outputs.tag }} -m "chore: release @netlify/${{ steps.extract.outputs.package }} ${{ - steps.extract.outputs.version }}-${{ steps.extract.outputs.tag }}"' - - name: Prefix package to git tag - run: |- - old_git_tag=v${{ steps.extract.outputs.version}}-${{ steps.extract.outputs.tag }} - new_git_tag=${{ steps.extract.outputs.package }}-${old_git_tag} - git tag ${new_git_tag} ${old_git_tag} - git tag -d ${old_git_tag} - - name: Push changes - run: git push --follow-tags - name: Install dependencies - run: npm install + run: npm ci - name: Build workspaces run: npx lerna run build - - run: npm publish packages/${{ steps.extract.outputs.package }}/ --tag=${{ steps.extract.outputs.tag }} --provenance + - run: npx pkg-pr-new publish 
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index ad3c6c828b..0738b33936 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -127,12 +127,13 @@ To test a prerelease of `@netlify/` in a site you have 2 options. Creat This is especially useful to test how an ongoing PR in `@netlify/` would behave in production. -### Create a Beta release +### Use a pkg.pr.new preview release -- Create a branch named `releases///` with the package and version you'd like to release. For - example, a branch named `releases/cache-utils/rc/2.0.0` will create the version `v2.0.0-rc` and publish it under the - `rc` tag. -- Push the branch to the repo +Every PR (and every push to `main`) automatically publishes preview releases of all packages via +[pkg.pr.new](https://github.com/stackblitz-labs/pkg.pr.new). The `prerelease` GitHub action posts a comment on the PR +with install URLs for each package. + +- Install a package preview directly, e.g. `npm i https://pkg.pr.new/@netlify/cache-utils@` - Make a PR in the buildbot to use this version - Update the `build_image` of a site to use this PR diff --git a/package-lock.json b/package-lock.json index 9facd1e11c..7232cafc09 100644 --- a/package-lock.json +++ b/package-lock.json @@ -25,6 +25,7 @@ "execa": "^8.0.1", "lerna": "^9.0.7", "oxfmt": "^0.46.0", + "pkg-pr-new": "^0.0.75", "typescript-eslint": "~8.49.0", "vite": "^7.1.0" }, @@ -18543,6 +18544,16 @@ "url": "https://github.com/sponsors/sindresorhus" } }, + "node_modules/pkg-pr-new": { + "version": "0.0.75", + "resolved": "https://registry.npmjs.org/pkg-pr-new/-/pkg-pr-new-0.0.75.tgz", + "integrity": "sha512-u9mdErTewKSMsr+ceCt8VcNuNP0ro5AXiPXhUVApuEyqr2Zlvt+DdCFBcm+yGWN8mhOdZJ27meIDbnoZgfzpOw==", + "dev": true, + "license": "MIT", + "bin": { + "pkg-pr-new": "bin/cli.js" + } + }, "node_modules/playwright": { "version": "1.61.0", "dev": true, diff --git a/package.json b/package.json index 46a55275f6..6fa1c3f6b1 100644 --- a/package.json +++ b/package.json 
@@ -59,6 +59,7 @@ "execa": "^8.0.1", "lerna": "^9.0.7", "oxfmt": "^0.46.0", + "pkg-pr-new": "^0.0.75", "typescript-eslint": "~8.49.0", "vite": "^7.1.0" }, From fbe45fbee61189d8e1fec4d41e5cbe5dd6aa41b3 Mon Sep 17 00:00:00 2001 From: Philippe Serhal Date: Wed, 24 Jun 2026 12:05:41 -0400 Subject: [PATCH 7/8] style: reformat --- .circleci/config.yml | 2 +- .github/workflows/pre-release.yml | 2 +- .github/workflows/release.yml | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 60d371a23b..9867169232 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -14,7 +14,7 @@ workflows: branches: only: [release-please--branches--main] - "Test & Check 🕵️‍♀️": + 'Test & Check 🕵️‍♀️': jobs: - formatting - e2e/test: diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml index e6e5ccdbf7..1d6a78dbfb 100644 --- a/.github/workflows/pre-release.yml +++ b/.github/workflows/pre-release.yml @@ -13,7 +13,7 @@ jobs: fetch-depth: 0 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node-version: "24" + node-version: '24' check-latest: true - name: Install dependencies run: npm ci diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 08fd2b5c3e..357af9aa90 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -28,9 +28,9 @@ jobs: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node-version: "24" + node-version: '24' check-latest: true - registry-url: "https://registry.npmjs.org" + registry-url: 'https://registry.npmjs.org' - name: Install dependencies run: npm ci - name: Build workspaces From ef8983027463dd08b9019e3824cc1ae1e1f7d5d3 Mon Sep 17 00:00:00 2001 
From: Philippe Serhal Date: Wed, 24 Jun 2026 12:13:09 -0400 Subject: [PATCH 8/8] ci: specify which packages to publish? --- .github/workflows/pre-release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/pre-release.yml b/.github/workflows/pre-release.yml index 1d6a78dbfb..dd59b8a249 100644 --- a/.github/workflows/pre-release.yml +++ b/.github/workflows/pre-release.yml @@ -19,4 +19,4 @@ jobs: run: npm ci - name: Build workspaces run: npx lerna run build - - run: npx pkg-pr-new publish + - run: npx pkg-pr-new publish './packages/*'
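Review bot: `npx pkg-pr-new publish './packages/*'` publishes a preview of every workspace matching the glob, whereas the stable release path uses `lerna publish --no-private`; if any package under `packages/` is marked `private: true`, confirm that pkg-pr-new skips it or list the public packages explicitly instead of the glob. Passing `--no` to npx (`npx --no pkg-pr-new publish './packages/*'`) also guarantees the binary comes from the lockfile-pinned devDependency installed by `npm ci` rather than being fetched from the registry if local resolution ever fails.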