napi-ios/.github/workflows/npm_release.yml at main · NativeScript/napi-ios · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
name: NPM Release iOS
on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
      engine:
        description: "Runtime engine to build and publish"
        required: true
        type: choice
        default: v8
        options:
          - v8
          - quickjs
          - hermes
          - jsc
      dry_run:
        description: "Run npm publish with --dry-run"
        required: true
        type: boolean
        default: true

env:
  XCODE_VERSION: "26.2.0"

jobs:
  build:
    name: Build
    runs-on: macos-26
    outputs:
      npm_version: ${{ steps.npm_version_output.outputs.NPM_VERSION }}
      npm_tag: ${{ steps.npm_version_output.outputs.NPM_TAG }}
      build_engine: ${{ steps.npm_version_output.outputs.BUILD_ENGINE }}
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          egress-policy: audit
      - uses: maxim-lobanov/setup-xcode@60606e260d2fc5762a71e64e74b2174e8ea3c8bd # v1.6.0
        with:
          xcode-version: ${{env.XCODE_VERSION}}
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          fetch-depth: 0
          submodules: recursive
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: 24
          registry-url: "https://registry.npmjs.org"
      - name: Install Python
        uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: "3"
      - name: Install Dependencies
        run: |
          npm install
          python3 -m pip install --upgrade pip six
          # Ensure LLVM linker used by -fuse-ld=lld is available
          if ! command -v ld64.lld >/dev/null; then
            brew list lld || brew install lld
          fi
          # Ensure CMake is available without conflicting with pinned Homebrew formula
          if ! command -v cmake >/dev/null; then
            brew list cmake || brew install cmake
          fi
          # Some scripts expect cmake at /usr/local/bin; create a shim if needed
          if [ ! -x /usr/local/bin/cmake ]; then
            sudo mkdir -p /usr/local/bin
            sudo ln -sf "$(command -v cmake)" /usr/local/bin/cmake
          fi
      - name: Get Current Version
        run: |
          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ]; then
            ENGINE="${{ inputs.engine }}"
            NPM_VERSION=$(node -e "
              const semver = require('semver');
              const engine = process.argv[1];
              const pkg = require('./packages/ios/package.json');
              const parsed = semver.parse(pkg.version);
              if (!parsed) {
                throw new Error('Invalid package version: ' + pkg.version);
              }
              const number = Number.isInteger(parsed.prerelease[1]) ? parsed.prerelease[1] : 1;
              console.log(parsed.format().replace(/-.*/, '') + '-napi-' + engine + '.' + number);
            " "$ENGINE")
            PACKAGE_VERSION="$NPM_VERSION" ./scripts/update_version.sh ios
          else
            NPM_VERSION=$(node -e "console.log(require('./packages/ios/package.json').version);")
          fi
          echo NPM_VERSION=$NPM_VERSION >> $GITHUB_ENV
      - name: Output NPM Version and tag
        id: npm_version_output
        run: |
          NPM_TAG=$(NPM_VERSION="$NPM_VERSION" node ./scripts/get-npm-tag.js ios)
          case "$NPM_TAG" in
            napi-v8) BUILD_ENGINE=v8 ;;
            napi-quickjs) BUILD_ENGINE=quickjs ;;
            napi-hermes) BUILD_ENGINE=hermes ;;
            napi-jsc) BUILD_ENGINE=jsc ;;
            latest) BUILD_ENGINE=v8 ;;
            *)
              echo "Unsupported npm tag '$NPM_TAG'. Expected latest or napi-{v8,quickjs,hermes,jsc}." >&2
              exit 1
              ;;
          esac
          if [ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ] && [ "$BUILD_ENGINE" != "${{ inputs.engine }}" ]; then
            echo "Selected engine '${{ inputs.engine }}' does not match package tag '$NPM_TAG'." >&2
            exit 1
          fi
          echo NPM_VERSION=$NPM_VERSION >> $GITHUB_OUTPUT
          echo NPM_TAG=$NPM_TAG >> $GITHUB_OUTPUT
          echo BUILD_ENGINE=$BUILD_ENGINE >> $GITHUB_OUTPUT
      - name: Build
        run: ./scripts/build_all_ios.sh --${{ steps.npm_version_output.outputs.BUILD_ENGINE }}
      - name: Upload npm package artifact
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: npm-package
          path: packages/ios/dist/nativescript-ios-${{steps.npm_version_output.outputs.NPM_VERSION}}.tgz
      - name: Upload dSYMs artifact
        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: NativeScript-dSYMs
          path: dist/dSYMs
  publish:
    if: ${{ startsWith(github.ref, 'refs/tags/v') || github.event_name == 'workflow_dispatch' }}
    runs-on: ubuntu-latest
    environment: npm-publish
    needs:
      - build
    permissions:
      contents: read
      id-token: write
    env:
      NPM_VERSION: ${{needs.build.outputs.npm_version}}
      NPM_TAG: ${{needs.build.outputs.npm_tag}}
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          egress-policy: audit
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: 24
          registry-url: "https://registry.npmjs.org"
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: npm-package
          path: packages/ios/dist
      - name: Update npm (required for OIDC trusted publishing)
        run: |
          corepack enable npm
          corepack install -g npm@11.6.2
          test "$(npm --version)" = "11.6.2"
          test "$(npx --version)" = "11.6.2"
      - name: Publish package (OIDC trusted publishing)
        if: ${{ vars.USE_NPM_TOKEN != 'true' }}
        run: |
          PUBLISH_ARGS=(./packages/ios/dist/nativescript-ios-${NPM_VERSION}.tgz --tag "$NPM_TAG" --access public --provenance)
          if [ "$DRY_RUN" = "true" ]; then
            PUBLISH_ARGS+=(--dry-run)
          fi
          echo "Publishing @nativescript/ios@$NPM_VERSION to NPM with tag $NPM_TAG via OIDC trusted publishing..."
          unset NODE_AUTH_TOKEN
          if [ -n "${NPM_CONFIG_USERCONFIG:-}" ]; then
            rm -f "$NPM_CONFIG_USERCONFIG"
          fi
          npm publish "${PUBLISH_ARGS[@]}"
        env:
          DRY_RUN: ${{ github.event_name == 'workflow_dispatch' && inputs.dry_run }}
          NODE_AUTH_TOKEN: ""

      - name: Publish package (granular token)
        if: ${{ vars.USE_NPM_TOKEN == 'true' }}
        run: |
          PUBLISH_ARGS=(./packages/ios/dist/nativescript-ios-${NPM_VERSION}.tgz --tag "$NPM_TAG" --access public --provenance)
          if [ "$DRY_RUN" = "true" ]; then
            PUBLISH_ARGS+=(--dry-run)
          fi
          echo "Publishing @nativescript/ios@$NPM_VERSION to NPM with tag $NPM_TAG via granular token..."
          npm publish "${PUBLISH_ARGS[@]}"
        env:
          DRY_RUN: ${{ github.event_name == 'workflow_dispatch' && inputs.dry_run }}
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
  github-release:
    runs-on: ubuntu-latest
    # only runs on tagged commits
    if: ${{ contains(github.ref, 'refs/tags/') }}
    permissions:
      contents: write
    needs:
      - build
    env:
      NPM_VERSION: ${{needs.build.outputs.npm_version}}
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
        with:
          egress-policy: audit
      - uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          fetch-depth: 0
      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
        with:
          node-version: 24
      - name: Setup
        run: npm install
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: npm-package
          path: dist
      - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
        with:
          name: NativeScript-dSYMs
          path: dist/dSYMs
      - name: Zip dSYMs
        working-directory: dist/dSYMs
        run: find . -maxdepth 1 -name '*.dSYM' -print | xargs -I@ zip -r @.zip @
      - name: Partial Changelog
        run: npx conventional-changelog -p angular -r2 > body.md
      - uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
        with:
          artifacts: "dist/nativescript-ios-*.tgz,dist/dSYMs/*.zip"
          bodyFile: "body.md"
          prerelease: ${{needs.build.outputs.npm_tag != 'latest'}}
          allowUpdates: true