fix(release): repair next npm release workflow (#122)

* fix(ci): run rc releases from next branch * fix(context): allow release git askpass env * fix(release): make npm publish noninteractive * fix(release): use npm trusted publishing * fix(release): tolerate npm propagation in smoke * docs(release): document trusted publishing auth
2026-06-10 08:05:14 +02:00 · 2026-05-17 01:41:07 +02:00 · 2026-05-17 01:41:07 +02:00 · d3d58a279b
commit d3d58a279b
parent de72a10ffb
12 changed files with 232 additions and 40 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -24,6 +24,7 @@ on:

 permissions:
  contents: write
+  id-token: write

 concurrency:
  group: ktx-release-${{ github.ref }}
@ -68,19 +69,59 @@ jobs:
      - name: Install Python dependencies
        run: uv sync --all-packages

+      - name: Prepare next prerelease branch
+        if: ${{ inputs.release_kind == 'rc' }}
+        run: |
+          set -euo pipefail
+
+          source_sha="$(git rev-parse HEAD)"
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+          if git ls-remote --exit-code --heads origin "${KTX_PRERELEASE_BRANCH}" >/dev/null 2>&1; then
+            git fetch origin "${KTX_PRERELEASE_BRANCH}"
+            git checkout -B "${KTX_PRERELEASE_BRANCH}" "origin/${KTX_PRERELEASE_BRANCH}"
+            git merge --no-edit "${source_sha}"
+          else
+            git checkout -B "${KTX_PRERELEASE_BRANCH}" "${source_sha}"
+          fi
+
+          git push --set-upstream origin "HEAD:${KTX_PRERELEASE_BRANCH}"
+        env:
+          KTX_PRERELEASE_BRANCH: next
+
      - name: Dry-run semantic release
        if: ${{ !inputs.publish_live }}
-        run: pnpm run semantic-release:dry-run
+        run: |
+          set -euo pipefail
+
+          if [ "${KTX_RELEASE_KIND}" = "rc" ]; then
+            export GITHUB_REF="refs/heads/${KTX_PRERELEASE_BRANCH}"
+            export GITHUB_REF_NAME="${KTX_PRERELEASE_BRANCH}"
+            export GITHUB_SHA="$(git rev-parse HEAD)"
+          fi
+
+          pnpm run semantic-release:dry-run
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          KTX_RELEASE_KIND: ${{ inputs.release_kind }}
+          KTX_PRERELEASE_BRANCH: next
          FORCE_RELEASE: ${{ inputs.force_release }}

      - name: Create semantic release
        if: ${{ inputs.publish_live }}
-        run: pnpm run semantic-release
+        run: |
+          set -euo pipefail
+
+          if [ "${KTX_RELEASE_KIND}" = "rc" ]; then
+            export GITHUB_REF="refs/heads/${KTX_PRERELEASE_BRANCH}"
+            export GITHUB_REF_NAME="${KTX_PRERELEASE_BRANCH}"
+            export GITHUB_SHA="$(git rev-parse HEAD)"
+          fi
+
+          pnpm run semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          KTX_RELEASE_KIND: ${{ inputs.release_kind }}
+          KTX_PRERELEASE_BRANCH: next
          FORCE_RELEASE: ${{ inputs.force_release }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}