ci: configure npm auth for release publish

ci: run Gitea release steps with bash
ci: make Gitea release workflow self-contained
2026-05-11 13:59:29 +09:00 · 2026-05-11 13:57:45 +09:00 · 2026-05-11 13:56:39 +09:00 · 2026-05-11 13:53:04 +09:00
1 changed files with 63 additions and 33 deletions
--- a/.gitea/workflows/npm-release.yml
+++ b/.gitea/workflows/npm-release.yml
@@ -6,37 +6,47 @@ on:
      - 'v*'
      - '[0-9]*'

+permissions:
+  contents: read
+
+defaults:
+  run:
+    shell: bash
+
 jobs:
  verify:
    name: verify
    runs-on: ubuntu-latest
+    container:
+      image: node:20-bookworm
    timeout-minutes: 20

    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
+      - name: Install release tools
+        run: |
+          set -euo pipefail
+          apt-get update
+          apt-get install -y git curl ca-certificates
+          curl -fsSL https://bun.sh/install | bash -s -- bun-v1.3.13
+          install -m 0755 /root/.bun/bin/bun /usr/local/bin/bun
+          node --version
+          npm --version
+          bun --version

-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-          registry-url: 'https://registry.npmjs.org'
-
-      - name: Set up Bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: '1.3.13'
-
-      - name: Install dependencies
-        run: bun install --frozen-lockfile
+      - name: Clone tagged source
+        run: |
+          set -euo pipefail
+          REPO_URL="${{ gitea.server_url }}/${{ gitea.repository }}.git"
+          AUTH_HEADER="$(printf '%s' '${{ gitea.actor }}:${{ secrets.GITEA_TOKEN }}' | base64 -w0)"
+          git -c http.extraHeader="Authorization: Basic $AUTH_HEADER" clone --depth 1 --branch "${{ gitea.ref_name }}" "$REPO_URL" repo
+          git -C repo rev-parse HEAD

      - name: Verify release tag matches package version
+        working-directory: repo
        shell: bash
        run: |
          set -euo pipefail
-          TAG_NAME="${GITHUB_REF##refs/tags/}"
+          TAG_NAME="${{ gitea.ref_name }}"
          PACKAGE_VERSION="$(node -p "require('./package.json').version")"

          if [ "$TAG_NAME" = "v$PACKAGE_VERSION" ] || [ "$TAG_NAME" = "$PACKAGE_VERSION" ]; then
@@ -48,7 +58,10 @@ jobs:
          exit 1

      - name: Run verify pipeline
+        working-directory: repo
        run: |
+          set -euo pipefail
+          bun install --frozen-lockfile
          bun run test
          bun run check
          bun run build
@@ -56,32 +69,49 @@ jobs:
  release:
    name: publish to npm
    runs-on: ubuntu-latest
+    container:
+      image: node:20-bookworm
    timeout-minutes: 20
    needs:
      - verify

    steps:
-      - name: Check out repository
-        uses: actions/checkout@v4
+      - name: Install release tools
+        run: |
+          set -euo pipefail
+          apt-get update
+          apt-get install -y git curl ca-certificates
+          curl -fsSL https://bun.sh/install | bash -s -- bun-v1.3.13
+          install -m 0755 /root/.bun/bin/bun /usr/local/bin/bun
+          node --version
+          npm --version
+          bun --version

-      - name: Set up Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '20'
-          registry-url: 'https://registry.npmjs.org'
-
-      - name: Set up Bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: '1.3.13'
+      - name: Clone tagged source
+        run: |
+          set -euo pipefail
+          REPO_URL="${{ gitea.server_url }}/${{ gitea.repository }}.git"
+          AUTH_HEADER="$(printf '%s' '${{ gitea.actor }}:${{ secrets.GITEA_TOKEN }}' | base64 -w0)"
+          git -c http.extraHeader="Authorization: Basic $AUTH_HEADER" clone --depth 1 --branch "${{ gitea.ref_name }}" "$REPO_URL" repo
+          git -C repo rev-parse HEAD

      - name: Install dependencies
-        run: bun install --frozen-lockfile
+        working-directory: repo
+        run: |
+          set -euo pipefail
+          bun install --frozen-lockfile

      - name: Build package
-        run: bun run build
+        working-directory: repo
+        run: |
+          set -euo pipefail
+          bun run build

      - name: Publish package to npm
+        working-directory: repo
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: npm publish
+        run: |
+          set -euo pipefail
+          printf '//registry.npmjs.org/:_authToken=%s\n' "$NODE_AUTH_TOKEN" > ~/.npmrc
+          npm publish
Author	SHA1	Message	Date
Shinwoo PARK	283f91ed91	ci: configure npm auth for release publish All checks were successful npm release / verify (push) Successful in 13s Details npm release / publish to npm (push) Successful in 12s Details	2026-05-11 13:59:29 +09:00
Shinwoo PARK	5991e4f1f0	ci: run Gitea release steps with bash Some checks failed npm release / verify (push) Successful in 13s Details npm release / publish to npm (push) Failing after 11s Details	2026-05-11 13:57:45 +09:00
Shinwoo PARK	0dc657c97b	ci: make Gitea release workflow self-contained Some checks failed npm release / verify (push) Failing after 10s Details npm release / publish to npm (push) Has been skipped Details	2026-05-11 13:56:39 +09:00
Shinwoo PARK	96d0568197	ci: set writable HOME for Gitea release workflow Some checks failed npm release / verify (push) Failing after 2s Details npm release / publish to npm (push) Has been skipped Details	2026-05-11 13:53:04 +09:00