ci: fix release workflow - git push, split oidc from custom github app

matejchalk · matejchalk · commit 4f6fd7250506 · 2025-09-26T09:27:17.000+02:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,45 @@
+name: Publish
+
+on:
+  push:
+    tags:
+      - v*.*.*
+
+concurrency:
+  group: publish
+  cancel-in-progress: false
+
+# configured as trusted publisher (OIDC)
+# https://docs.npmjs.com/trusted-publishers
+permissions:
+  contents: read
+  id-token: write
+
+env:
+  NX_NON_NATIVE_HASHER: true
+  NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }}
+
+jobs:
+  publish:
+    name: Publish packages
+    runs-on: ubuntu-latest
+    environment: release
+    steps:
+      - name: Clone the repository
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Configure Git user
+        # https://github.com/actions/checkout/blob/main/README.md#push-a-commit-using-the-built-in-token
+        run: |
+          git config user.name github-actions[bot]
+          git config user.email 41898282+github-actions[bot]@users.noreply.github.com
+      - name: Set up Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version-file: .node-version
+          cache: npm
+      - name: Install dependencies
+        run: npm ci
+      - name: Publish packages to npm
+        run: npx nx release publish
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,7 +11,7 @@ concurrency:
 
 jobs:
   release:
-    name: Publish packages
+    name: Version and release
     runs-on: ubuntu-latest
     environment: release
     env:
@@ -38,15 +38,14 @@ jobs:
         with:
           fetch-depth: 0
           token: ${{ steps.app-token.outputs.token }}
-          persist-credentials: false
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
           node-version-file: .node-version
           cache: npm
       - name: Install dependencies
         run: npm ci
-      - name: Version, release and publish packages
-        run: npx nx release --yes
+      - name: Version, release and generate changelog
+        run: npx nx release --skip-publish
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/nx.json b/nx.json
@@ -332,7 +332,7 @@
       "push": true,
       "pushRemote": "origin",
       "tag": true,
-      "commitMessage": "release: {version} [skip ci]"
+      "commitMessage": "release: {version}"
     },
     "version": {
       "conventionalCommits": true,
