Skip to content

ci: migrate to npm trusted publishing (OIDC) and update publishing workflow #16630

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ndoschek merged 5 commits into from
Nov 25, 2025
Merged

ci: migrate to npm trusted publishing (OIDC) and update publishing workflow #16630

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
d811de9
chore: update to lerna 9
ndoschek Nov 17, 2025
98a8a78
remove publish:next call after GH pages were published
ndoschek Nov 17, 2025
50fa593
chore: merge publish workflows to one trusted workflow
ndoschek Nov 17, 2025
47a1e6b
doc: update publishing guide about trusted publishing and new packages
ndoschek Nov 17, 2025
8583f5b
ci: add new workflow that comments a checklist for new packages
ndoschek Nov 21, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
93 changes: 93 additions & 0 deletions .github/workflows/check-new-package.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,93 @@
name: Check New Theia Package

on:
pull_request:
branches: [master]
types: [opened, synchronized, reopened]
paths:
- 'packages/*/package.json'

permissions:
pull-requests: write
contents: read

jobs:
detect-new-packages:
runs-on: ubuntu-22.04
steps:
- name: Checkout
uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0

- name: Detect if a new package was added
id: detect
run: |
git fetch origin ${{ github.base_ref }}
NEW_PACKAGES=$(git diff --name-only --diff-filter=A origin/${{ github.base_ref }}...HEAD | grep -E '^packages/[^/]+/package\.json$' || true)
if [ -z "$NEW_PACKAGES" ]; then
echo "new_package_found=false" >> $GITHUB_OUTPUT
echo "No new packages detected"
else
echo "new_package_found=true" >> $GITHUB_OUTPUT
PACKAGE_NAMES=$(echo "$NEW_PACKAGES" | sed 's|packages/\([^/]*\)/package\.json|\1|' | tr '\n' ',' | sed 's/,$//')
echo "package_names=$PACKAGE_NAMES" >> $GITHUB_OUTPUT
echo "New packages detected: $PACKAGE_NAMES"
fi
- name: Post or update checklist comment
if: steps.detect.outputs.new_package_found == 'true'
uses: actions/github-script@ffc2c79a5b2490bd33e0a41c1de74b877714d736 # v3.2.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const packageNames = '${{ steps.detect.outputs.package_names }}';
const packageList = packageNames.split(',').map(name => `\`${name}\``).join(', ');
const commentBody = "### New `@theia` Package(s) Detected
This PR adds the following new package(s): ${packageList}
Please ensure the following checklist items are completed before merging:
- [ ] `package.json` contains all required fields (name, version, description, license, etc.) and scripts
- [ ] `README.md` was added (please align with the existing README structure, e.g. [README.md](https://github.com/eclipse-theia/theia/blob/master/packages/editor/README.md))
- [ ] Config files (`tsconfig.json`, `.eslintrc.js`) were added and align with the existing packages
- [ ] Folder structure follows Theia conventions (see [Code Organization](https://github.com/eclipse-theia/theia/blob/master/doc/code-organization.md))
- [ ] Package is added to the example applications (i.e. `browser`, `browser-only`, `electron`)
- [ ] New packages must be published manually by a Theia committer initially (see also [Release Process - Newly added Theia packages](https://github.com/eclipse-theia/theia/blob/master/doc/Publishing.md#212-newly-added-theia-packages---publish-initially-to-npm)).
If you are not a committer or do not have enough time, please open a follow-up ticket with the label `toDoWithRelease` to inform the release team about the new package.
Copy link
Contributor

@sgraband sgraband Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we need to clarify that this is in the Theia IDE repo, right?

Copy link
Member Author

@ndoschek ndoschek Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No I think theia is correct, as this is about the actual publishing of a new @theia package on NPM. This is part of the Theia release.
Adding this newly published package to the Theia IDE is then a separate step, and right below.
(I just introduced the todoWithRelease concept also for the theia repo as well, hope that's not too confusing?)

Copy link
Contributor

@sgraband sgraband Nov 25, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah yes sorry, i was confused for a second 😄 Thanks for clarifying.

- [ ] If the package should also be part of the Theia IDE, please [open a ticket for the Theia IDE](https://github.com/eclipse-theia/theia-ide/issues/new?template=feature_request.md)
and assign the `toDoWithRelease` (see for example: <https://github.com/eclipse-theia/theia-ide/issues/615>)"
const issue_number = context.issue.number;
const owner = context.repo.owner;
const repo = context.repo.repo;
const comments = await github.issues.listComments({
owner,
repo,
issue_number
});
const botComment = comments.data.find(comment =>
comment.user.type === 'Bot' &&
comment.body.includes('New `@theia` Package(s) Detected')
);
if (botComment) {
await github.issues.updateComment({
owner,
repo,
comment_id: botComment.id,
body: commentBody
});
console.log('Updated existing comment');
} else {
await github.issues.createComment({
owner,
repo,
issue_number,
body: commentBody
});
console.log('Created new comment');
}
13 changes: 0 additions & 13 deletions .github/workflows/publish-api-doc-gh-pages.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,16 +53,3 @@ jobs:
github_token: ${{ secrets.GITHUB_TOKEN }}
publish_dir: ./gh-pages
force_orphan: true # will only keep latest commit on branch gh-pages

- name: Publish NPM
uses: nick-fields/retry@14672906e672a08bd6eeb15720e9ed3ce869cdd4 # v2.9.0
with:
timeout_minutes: 5
retry_wait_seconds: 30
max_attempts: 3
retry_on: error
command: npm run publish:next
on_retry_command: git reset --hard
env:
NPM_CONFIG_PROVENANCE: "true"
NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }} # The variable name comes from here: https://github.com/actions/setup-node/blob/70b9252472eee7495c93bb1588261539c3c2b98d/src/authutil.ts#L48
27 changes: 19 additions & 8 deletions .github/workflows/publish-release.yml → .github/workflows/publish-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
name: Publish Release
name: Publish packages to NPM

permissions:
id-token: write
Expand All @@ -9,17 +9,21 @@ on:
workflow_dispatch:
inputs:
release_type:
description: 'Release type: "minor" increments the minor version (e.g., 1.53.0 → 1.54.0), "patch" increments the patch version (e.g., 1.54.0 → 1.54.1)'
description: 'Release type: "minor" increments the minor version (e.g., 1.53.0 → 1.54.0), "patch" increments the patch version (e.g., 1.54.0 → 1.54.1), "next" publishes a pre-release version (e.g., 1.55.0-next.17).'
required: true
type: choice
options:
- 'minor'
- 'patch'
- 'next'
default: 'next'
is_patch_to_previous:
description: 'Patch a previous release branch: Enable this to publish a patch to an older version branch (e.g., patching 1.53.x when 1.54.x is the latest). Must be used with release_type="patch". Leave disabled for publishing to the current latest version.'
description: 'Patch a previous release branch: Enable this to publish a patch to an older version branch (e.g., patching 1.53.x when 1.54.x is the latest). Must be used with release_type="patch". Leave disabled for publishing to the current latest or next version.'
required: true
type: boolean
default: false
schedule:
- cron: "0 0 * * 1" # Publish next version (default) every monday at midnight

jobs:
publish:
Expand Down Expand Up @@ -64,26 +68,34 @@ jobs:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # https://github.com/microsoft/vscode-ripgrep/issues/9

- name: Publish to NPM (Latest)
if: ${{ !inputs.is_patch_to_previous }}
# We only publish minor or patch releases for the current version as latest, never for older patches or next versions.
if: ${{ (inputs.release_type == 'patch' || inputs.release_type == 'minor') && !inputs.is_patch_to_previous }}
shell: bash
run: |
npm run publish:latest ${{ inputs.release_type }}
npm run publish:check
env:
NPM_CONFIG_PROVENANCE: "true"
NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}

- name: Publish to NPM (Patch - To Previous Version)
if: ${{ inputs.is_patch_to_previous }}
if: ${{ inputs.release_type == 'patch' && inputs.is_patch_to_previous }}
shell: bash
run: |
npm run publish:patch ${{ inputs.release_type }}
npm run publish:check
env:
NPM_CONFIG_PROVENANCE: "true"
NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}

- name: Publish to NPM (Next)
if: ${{ inputs.release_type == 'next' }}
shell: bash
run: |
npm run publish:next
env:
NPM_CONFIG_PROVENANCE: "true"

- name: Submit PR for package updates
if: ${{ inputs.release_type != 'next' }}
shell: bash
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand Down Expand Up @@ -142,4 +154,3 @@ jobs:
else
echo "No commits to push"
fi

50 changes: 0 additions & 50 deletions .github/workflows/publish-next.yml
View file
Open in desktop

This file was deleted.

Loading
Loading