Skip to content

fix(release): remove useless registry-token input and add proper default for tag input #469

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
neilime merged 1 commit into from
May 18, 2026
Merged

fix(release): remove useless registry-token input and add proper default for tag input #469

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 15 additions & 15 deletions .github/workflows/release.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,12 +52,9 @@ jobs:
id-token: write
packages: write
secrets:
# GitHub token to use for authentication.
# GitHub token to use when downloading the package tarball artifact.
# Defaults to `GITHUB_TOKEN` if not provided.
github-token: ""

# Authentication token for the package registry.
registry-token: ""
with:
# JSON array of runner(s) to use.
# See https://docs.github.com/en/actions/using-jobs/choosing-the-runner-for-a-job.
Expand All @@ -77,16 +74,19 @@ jobs:
# Default: `public`
access: public

# npm distribution tag for the published package.
# npm distribution tag for the published package. Leave empty to use npm defaults.
# Common values:
# - `latest` - Default tag for stable releases
# - `next` - Prerelease or beta versions
# - `canary` - Canary/nightly builds
#
# If omitted for a pushed Git tag, the workflow tries to reuse the Git tag
# as the npm dist-tag unless it looks like a version tag such as `v1.2.3`.
#
# See https://docs.npmjs.com/adding-dist-tags-to-packages.
#
# Default: `latest`
tag: latest
# Default: `""`
tag: ""

# Whether to generate npm provenance for npmjs.org publishes.
# Default: `true`
Expand All @@ -113,12 +113,15 @@ jobs:
| **`package-tarball-artifact-id`** | Artifact ID of the package tarball produced by CI. | **true** | **string** | - |
| **`registry-url`** | Registry URL used by npm publish. | **false** | **string** | `https://registry.npmjs.org` |
| **`access`** | Package access level passed to npm publish. Leave empty to use npm defaults. | **false** | **string** | `public` |
| **`tag`** | npm distribution tag for the published package. | **false** | **string** | `latest` |
| **`tag`** | npm distribution tag for the published package. Leave empty to use npm defaults. | **false** | **string** | `""` |
| | Common values: | | | |
| | - `latest` - Default tag for stable releases | | | |
| | - `next` - Prerelease or beta versions | | | |
| | - `canary` - Canary/nightly builds | | | |
| | | | | |
| | If omitted for a pushed Git tag, the workflow tries to reuse the Git tag as the | | | |
| | npm dist-tag unless it looks like a version tag such as `v1.2.3`. | | | |
| | | | | |
| | See <https://docs.npmjs.com/adding-dist-tags-to-packages>. | | | |
| **`provenance`** | Whether to generate npm provenance for npmjs.org publishes. | **false** | **boolean** | `true` |
| **`dry-run`** | Whether to run npm publish without publishing the package. | **false** | **boolean** | `false` |
Expand All @@ -131,11 +134,10 @@ jobs:

## Secrets

| **Secret** | **Description** | **Required** |
| -------------------- | ---------------------------------------------- | ------------ |
| **`github-token`** | GitHub token to use for authentication. | **false** |
| | Defaults to `GITHUB_TOKEN` if not provided. | |
| **`registry-token`** | Authentication token for the package registry. | **false** |
| **Secret** | **Description** | **Required** |
| ------------------ | ------------------------------------------------------------------ | ------------ |
| **`github-token`** | GitHub token to use when downloading the package tarball artifact. | **false** |
| | Defaults to `GITHUB_TOKEN` if not provided. | |

<!-- secrets:end -->

Expand Down Expand Up @@ -173,8 +175,6 @@ jobs:
contents: read
packages: write
id-token: write
secrets:
registry-token: ${{ secrets.NPM_TOKEN }}
with:
package-tarball-artifact-id: ${{ needs.ci.outputs.package-tarball-artifact-id }}
```
Expand Down
40 changes: 32 additions & 8 deletions .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,16 +28,19 @@ on:
default: "public"
tag:
description: |
npm distribution tag for the published package.
npm distribution tag for the published package. Leave empty to use npm defaults.
Common values:
- `latest` - Default tag for stable releases
- `next` - Prerelease or beta versions
- `canary` - Canary/nightly builds

If omitted for a pushed Git tag, the workflow tries to reuse the Git tag
as the npm dist-tag unless it looks like a version tag such as `v1.2.3`.

See https://docs.npmjs.com/adding-dist-tags-to-packages.
type: string
required: false
default: "latest"
default: ""
provenance:
description: "Whether to generate npm provenance for npmjs.org publishes."
type: boolean
Expand All @@ -51,12 +54,9 @@ on:
secrets:
github-token:
description: |
GitHub token to use for authentication.
GitHub token to use when downloading the package tarball artifact.
Defaults to `GITHUB_TOKEN` if not provided.
required: false
registry-token:
description: "Authentication token for the package registry."
required: false

permissions: {}

Expand Down Expand Up @@ -131,10 +131,14 @@ jobs:
- name: Publish package
uses: actions/github-script@3a2844b7e9c422d3c10d287c895573f7108da1b3 # v9.0.0
env:
NODE_AUTH_TOKEN: ${{ secrets.registry-token }}
PACKAGE_TARBALL_PATH: ${{ steps.package-tarball.outputs.path }}
ACCESS: ${{ inputs.access }}
TAG: ${{ inputs.tag }}
GITHUB_EVENT_NAME: ${{ github.event_name }}
GITHUB_EVENT_REF: ${{ github.event.ref }}
GITHUB_REF: ${{ github.ref }}
GITHUB_REF_NAME: ${{ github.ref_name }}
GITHUB_REF_TYPE: ${{ github.ref_type }}
PROVENANCE: ${{ inputs.provenance }}
DRY_RUN: ${{ inputs.dry-run }}
REGISTRY_URL: ${{ inputs.registry-url }}
Expand All @@ -144,11 +148,31 @@ jobs:

const packageTarballPath = process.env.PACKAGE_TARBALL_PATH;
const access = process.env.ACCESS.trim();
const tag = process.env.TAG.trim();
const inputTag = process.env.TAG.trim();
const eventName = process.env.GITHUB_EVENT_NAME ?? '';
const eventRef = process.env.GITHUB_EVENT_REF ?? '';
const gitRef = process.env.GITHUB_REF ?? '';
const gitRefName = process.env.GITHUB_REF_NAME ?? '';
const gitRefType = process.env.GITHUB_REF_TYPE ?? '';
const registryUrl = process.env.REGISTRY_URL;
const dryRun = process.env.DRY_RUN === 'true';
const provenance = process.env.PROVENANCE === 'true';

let tag = inputTag;

if (!tag) {
const isPushTagEvent = eventName === 'push' && gitRefType === 'tag' && gitRef.startsWith('refs/tags/');
const hasPushTagRef = eventRef.startsWith('refs/tags/');
const canReuseGitTag = gitRefName && !/^(?:v)?\d/.test(gitRefName);

if ((isPushTagEvent || hasPushTagRef) && canReuseGitTag) {
tag = gitRefName;
core.info(`No npm dist-tag input provided. Using Git tag "${tag}" as npm dist-tag.`);
} else if ((isPushTagEvent || hasPushTagRef) && gitRefName) {
core.info(`No npm dist-tag input provided. Git tag "${gitRefName}" looks like a version tag, so npm will use its default dist-tag.`);
}
}

const args = ['publish', packageTarballPath];

if (access) {
Expand Down
Loading