Automated releases

[matejchalk]

Motivation

Our current release process is for a core maintainer to run npx nx release --yes in main branch (requires npm login and GITHUB_TOKEN in .env).

We've previously spent quite a lot of effort in releasing via GitHub Actions, but never quite got it working reliably. A partially broken release is complex to recover from, so running a command locally proved to be more practical.

But our current release process relies too much on one person, and doesn't allow us to secure npm publishing via provenance or trusted publishing.

Acceptance criteria

• run nx release on push to main branch
  • release is skipped if no user-facing commits (feat, fix, perf) were pushed
• GitHub Actions is configured as a trusted publisher
  • no long-lived npm token is used
  • Node needs to be updated to 24.5 or higher (npm CLI version 11.5.1 or higher)
• nx release runs all steps as when we run it manually, i.e.:
  • skip if there's nothing to release
  • generate next version tag from commit history
  • update changelog
  • push tagged release commit
  • build all publishable packages
  • publish packages to npm
  • create GitHub release with description from changelog

[BioPhoton]

🔥🔥🔥🔥

[matejchalk]

Re-opening as it turns out the github action bot can't push to main (see CI error):

NX Pushing to git remote "origin"

NX Unexpected git push error: remote: error: GH006: Protected branch update failed for refs/heads/main.

remote:
remote: - Changes must be made through a pull request.
To https://github.com/code-pushup/cli
! [remote rejected] main -> main (protected branch hook declined)
! [remote rejected] v0.80.0 -> v0.80.0 (atomic transaction failed)
error: failed to push some refs to 'https://github.com/code-pushup/cli'

I temporarily disabled branch protection to make the 0.80.0 release go through on re-run. But it looks like we'll need to authenticate with a GitHub App instead.

[matejchalk]

Finally got it working 🎉

The fixes are documented in the following PRs:

• ci: fix protected branch error in release workflow #1120
• ci: fix release workflow - git push, split oidc from custom github app #1121

The publish.yml failed initially because of release environment restrictions to main branch. I fixed this by adding v*.*.* tag patterns, and then adding a ruleset which restricts who can push these version tags.

I did a final test with our 0.80.2 release, both Release and Publish worked as expected.