mirror of
https://github.com/better-auth/better-auth.git
synced 2026-05-23 15:42:09 -05:00
423 lines
17 KiB
YAML
423 lines
17 KiB
YAML
# cSpell:words anthropics
|
|
name: Release
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
- next
|
|
- release/**
|
|
workflow_dispatch:
|
|
inputs:
|
|
snapshot:
|
|
description: 'Snapshot tag (e.g. "snapshot"). Leave empty for normal release.'
|
|
required: false
|
|
default: ''
|
|
type: string
|
|
preview_version:
|
|
description: 'Preview release notes for a version (e.g. "1.6.0-beta.0"). Leave empty for normal release.'
|
|
required: false
|
|
default: ''
|
|
type: string
|
|
preview_branch:
|
|
description: 'Branch to read changeset data from (for preview mode).'
|
|
required: false
|
|
default: 'next'
|
|
type: string
|
|
|
|
permissions: {}
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref_name }}
|
|
cancel-in-progress: false
|
|
|
|
env:
|
|
TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
|
|
TURBO_TEAM: ${{ vars.TURBO_TEAM || github.repository_owner }}
|
|
TURBO_CACHE: remote:rw
|
|
BETTER_AUTH_TELEMETRY_ENDPOINT: ${{ vars.BETTER_AUTH_TELEMETRY_ENDPOINT }}
|
|
|
|
jobs:
|
|
release:
|
|
if: >
|
|
(github.event_name != 'workflow_dispatch' || (inputs.snapshot == '' && inputs.preview_version == '')) &&
|
|
github.repository_owner == 'better-auth' &&
|
|
(github.event_name != 'workflow_dispatch' || github.ref == 'refs/heads/main' || github.ref == 'refs/heads/next' || startsWith(github.ref, 'refs/heads/release/'))
|
|
runs-on: ubuntu-latest
|
|
environment: Release
|
|
permissions:
|
|
contents: write
|
|
pull-requests: write
|
|
id-token: write
|
|
steps:
|
|
- name: Generate App Token
|
|
id: app-token
|
|
uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
|
|
if: vars.RELEASE_APP_ID != ''
|
|
with:
|
|
app-id: ${{ vars.RELEASE_APP_ID }}
|
|
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
|
|
|
|
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
|
|
|
|
- uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
|
|
|
|
- uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
|
|
with:
|
|
node-version-file: '.nvmrc'
|
|
cache: pnpm
|
|
registry-url: 'https://registry.npmjs.org'
|
|
|
|
- run: pnpm install --frozen-lockfile
|
|
|
|
- name: Guard next branch pre-release state
|
|
id: guard
|
|
if: github.ref_name == 'next'
|
|
run: |
|
|
if [ ! -f .changeset/pre.json ]; then
|
|
echo "::warning::next branch is not in pre-release mode (promote in progress). Skipping release."
|
|
echo "skip=true" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
- name: Determine npm dist-tag
|
|
id: npm-tag
|
|
run: |
|
|
REF="${GITHUB_REF_NAME}"
|
|
if [[ "$REF" == "main" ]]; then
|
|
echo "tag=latest" >> "$GITHUB_OUTPUT"
|
|
elif [[ "$REF" =~ ^release/ ]]; then
|
|
# Maintenance branches publish with a version-specific tag (e.g., release-1.5)
|
|
TAG="release-${REF#release/}"
|
|
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
|
|
else
|
|
# next and other branches: changesets handles the tag via pre.json
|
|
echo "tag=" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
env:
|
|
GITHUB_REF_NAME: ${{ github.ref_name }}
|
|
|
|
- name: Create Release Pull Request or Publish
|
|
id: changesets
|
|
if: steps.guard.outputs.skip != 'true'
|
|
uses: changesets/action@c8bada60c408975afd1a20b3db81d6eee6789308 # v1
|
|
with:
|
|
version: pnpm ci:version
|
|
publish: pnpm ci:release
|
|
title: "chore: version packages"
|
|
commit: "chore: version packages"
|
|
createGithubReleases: false
|
|
env:
|
|
GITHUB_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
|
|
NPM_CONFIG_TAG: ${{ steps.npm-tag.outputs.tag }}
|
|
|
|
- name: Generate raw release notes
|
|
id: raw-notes
|
|
if: steps.changesets.outputs.published == 'true'
|
|
continue-on-error: true
|
|
env:
|
|
GH_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
|
|
GITHUB_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
|
|
PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
|
|
NPM_DIST_TAG: ${{ steps.npm-tag.outputs.tag }}
|
|
run: node .github/scripts/release-notes.ts --branch "$GITHUB_REF_NAME"
|
|
|
|
- name: Build AI prompt from template
|
|
id: ai-prompt
|
|
if: steps.raw-notes.outcome == 'success'
|
|
continue-on-error: true
|
|
env:
|
|
RAW_PATH: ${{ steps.raw-notes.outputs.raw_changelog_path }}
|
|
run: |
|
|
PROMPT=$(sed \
|
|
-e "s|__RAW_CHANGELOG_PATH__|${RAW_PATH}|g" \
|
|
-e "s|__GITHUB_REPOSITORY__|${GITHUB_REPOSITORY}|g" \
|
|
.github/prompts/release-notes-rewrite.md)
|
|
EOF_DELIM="PROMPT_EOF_$(openssl rand -hex 8)"
|
|
echo "prompt<<${EOF_DELIM}" >> "$GITHUB_OUTPUT"
|
|
echo "$PROMPT" >> "$GITHUB_OUTPUT"
|
|
echo "${EOF_DELIM}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Rewrite release notes with AI
|
|
id: ai-notes
|
|
if: steps.raw-notes.outcome == 'success'
|
|
continue-on-error: true
|
|
uses: anthropics/claude-code-action@1b8ee3b94104046d71fde52ec3557651ad8c0d71 # v1.0.29
|
|
env:
|
|
GH_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
|
|
with:
|
|
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
|
|
github_token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
|
|
prompt: ${{ steps.ai-prompt.outputs.prompt }}
|
|
claude_args: --max-turns 100 --allowedTools "Read Write Bash(gh pr diff*) Bash(gh pr view*)"
|
|
|
|
- name: Create GitHub Release
|
|
if: steps.changesets.outputs.published == 'true'
|
|
continue-on-error: true
|
|
env:
|
|
GH_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
|
|
VERSION: ${{ steps.raw-notes.outputs.version }}
|
|
IS_BETA: ${{ steps.raw-notes.outputs.is_beta }}
|
|
RAW_PATH: ${{ steps.raw-notes.outputs.raw_changelog_path }}
|
|
PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
|
|
run: |
|
|
# Determine version: from raw-notes output, or parse from publishedPackages
|
|
if [ -z "$VERSION" ]; then
|
|
VERSION=$(echo "$PUBLISHED_PACKAGES" | jq -r '.[0].version // empty')
|
|
fi
|
|
if [ -z "$VERSION" ]; then
|
|
echo "::warning::Could not determine version, skipping release creation"
|
|
exit 0
|
|
fi
|
|
|
|
TAG="v${VERSION}"
|
|
|
|
# Use AI-rewritten notes > raw notes > minimal fallback
|
|
if [ -n "$RAW_PATH" ] && [ -f "${RAW_PATH}.final" ]; then
|
|
NOTES_FILE="${RAW_PATH}.final"
|
|
echo "Using AI-rewritten release notes"
|
|
elif [ -n "$RAW_PATH" ] && [ -f "${RAW_PATH}" ]; then
|
|
NOTES_FILE="${RAW_PATH}"
|
|
echo "Using raw release notes (AI step skipped or failed)"
|
|
else
|
|
NOTES_FILE=$(mktemp)
|
|
echo "Release ${TAG}" > "$NOTES_FILE"
|
|
echo "Using minimal fallback (note generation failed)"
|
|
fi
|
|
|
|
# Tag the exact commit that triggered this workflow run
|
|
COMMIT_SHA="${GITHUB_SHA}"
|
|
|
|
# Create tag via GitHub API (git push has no credentials with persist-credentials: false)
|
|
gh api "repos/${GITHUB_REPOSITORY}/git/refs" \
|
|
-f ref="refs/tags/${TAG}" -f sha="$COMMIT_SHA" 2>/dev/null \
|
|
|| echo "Tag $TAG already exists"
|
|
|
|
# Create or update release, targeting the exact commit
|
|
PRERELEASE_FLAG=""
|
|
if [ "$IS_BETA" = "true" ] || echo "$VERSION" | grep -q '-'; then
|
|
PRERELEASE_FLAG="--prerelease"
|
|
fi
|
|
|
|
if gh release view "$TAG" --repo "$GITHUB_REPOSITORY" >/dev/null 2>&1; then
|
|
gh release edit "$TAG" --repo "$GITHUB_REPOSITORY" --notes-file "$NOTES_FILE" $PRERELEASE_FLAG
|
|
echo "Updated release $TAG"
|
|
else
|
|
gh release create "$TAG" --repo "$GITHUB_REPOSITORY" --title "$TAG" --notes-file "$NOTES_FILE" --target "$COMMIT_SHA" $PRERELEASE_FLAG
|
|
echo "Created release $TAG"
|
|
fi
|
|
|
|
- name: Sync main to next via PR
|
|
if: github.ref_name == 'main'
|
|
env:
|
|
GH_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
git fetch origin next || { echo "next branch does not exist, skipping"; exit 0; }
|
|
|
|
AHEAD=$(git rev-list --count origin/next..origin/main)
|
|
if [ "$AHEAD" -eq 0 ]; then
|
|
echo "No new commits to sync"
|
|
exit 0
|
|
fi
|
|
echo "Found $AHEAD commit(s) to sync from main to next"
|
|
|
|
EXISTING=$(gh pr list --base next --head "${GITHUB_REPOSITORY_OWNER}:main" --state open --repo "$GITHUB_REPOSITORY" --json number --jq '.[0].number // empty')
|
|
if [ -n "$EXISTING" ]; then
|
|
echo "Sync PR #$EXISTING already exists ($AHEAD commits pending)"
|
|
else
|
|
SYNC_BODY="Brings stable fixes from main into the next branch."
|
|
SYNC_BODY="$SYNC_BODY\n\n**This PR must be merged by a maintainer using 'Create a merge commit'** (not squash, not rebase). This preserves individual fix commits and their verified signatures."
|
|
SYNC_BODY="$SYNC_BODY\n\nIf there are conflicts, resolve them by keeping next's versions for \`package.json\` files (next is always ahead of main in version numbers)."
|
|
|
|
gh pr create \
|
|
--base next \
|
|
--head main \
|
|
--repo "$GITHUB_REPOSITORY" \
|
|
--title "chore: sync main to next" \
|
|
--body "$(echo -e "$SYNC_BODY")" || true
|
|
|
|
EXISTING=$(gh pr list --base next --head "${GITHUB_REPOSITORY_OWNER}:main" --state open --repo "$GITHUB_REPOSITORY" --json number --jq '.[0].number // empty')
|
|
fi
|
|
|
|
# Check for merge conflicts (GitHub computes merge state asynchronously)
|
|
if [ -n "$EXISTING" ]; then
|
|
sleep 10
|
|
for _ in 1 2 3 4 5; do
|
|
MERGEABLE=$(gh pr view "$EXISTING" --repo "$GITHUB_REPOSITORY" --json mergeable --jq '.mergeable')
|
|
[ "$MERGEABLE" != "UNKNOWN" ] && break
|
|
sleep 10
|
|
done
|
|
if [ "$MERGEABLE" = "CONFLICTING" ]; then
|
|
gh pr edit "$EXISTING" --repo "$GITHUB_REPOSITORY" --add-label "has-conflicts" || true
|
|
echo "::warning::Sync PR #$EXISTING has merge conflicts. Resolve by keeping next's versions for package.json files."
|
|
elif [ "$MERGEABLE" = "MERGEABLE" ]; then
|
|
gh pr edit "$EXISTING" --repo "$GITHUB_REPOSITORY" --remove-label "has-conflicts" 2>/dev/null || true
|
|
fi
|
|
fi
|
|
|
|
snapshot:
|
|
if: github.event_name == 'workflow_dispatch' && inputs.snapshot != '' && github.repository_owner == 'better-auth'
|
|
runs-on: ubuntu-latest
|
|
environment: Release
|
|
permissions:
|
|
contents: read
|
|
id-token: write
|
|
steps:
|
|
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
|
with:
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
|
|
- uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
|
|
|
|
- uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
|
|
with:
|
|
node-version-file: '.nvmrc'
|
|
registry-url: 'https://registry.npmjs.org'
|
|
cache: pnpm
|
|
|
|
- run: pnpm install --frozen-lockfile
|
|
|
|
- name: Version snapshot
|
|
env:
|
|
SNAPSHOT_TAG: ${{ inputs.snapshot }}
|
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
run: |
|
|
if [ -f .changeset/pre.json ]; then
|
|
echo "::error::Snapshots are not supported on branches in pre-release mode."
|
|
exit 1
|
|
fi
|
|
if echo "$SNAPSHOT_TAG" | grep -qE '^(latest|next|beta|rc)$'; then
|
|
echo "::error::Snapshot tag '$SNAPSHOT_TAG' conflicts with a stable dist-tag. Use a descriptive name."
|
|
exit 1
|
|
fi
|
|
pnpm changeset version --snapshot "$SNAPSHOT_TAG"
|
|
|
|
- name: Build
|
|
run: pnpm build
|
|
|
|
- name: Publish snapshot
|
|
env:
|
|
SNAPSHOT_TAG: ${{ inputs.snapshot }}
|
|
run: pnpm changeset publish --no-git-tag --tag "$SNAPSHOT_TAG"
|
|
|
|
preview-notes:
|
|
if: github.event_name == 'workflow_dispatch' && inputs.preview_version != '' && github.repository_owner == 'better-auth'
|
|
runs-on: ubuntu-latest
|
|
environment: Release
|
|
permissions:
|
|
contents: read
|
|
pull-requests: read
|
|
steps:
|
|
- name: Generate App Token
|
|
id: app-token
|
|
uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
|
|
if: vars.RELEASE_APP_ID != ''
|
|
with:
|
|
app-id: ${{ vars.RELEASE_APP_ID }}
|
|
private-key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
|
|
|
|
# Always check out main for trusted scripts — the preview_branch
|
|
# input controls which ref changeset files are read from (via --branch),
|
|
# not which code is executed.
|
|
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
|
|
with:
|
|
ref: main
|
|
fetch-depth: 0
|
|
persist-credentials: false
|
|
token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
|
|
|
|
- uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
|
|
with:
|
|
node-version-file: '.nvmrc'
|
|
|
|
- name: Validate inputs
|
|
env:
|
|
INPUT_VERSION: ${{ inputs.preview_version }}
|
|
INPUT_BRANCH: ${{ inputs.preview_branch }}
|
|
run: |
|
|
git fetch origin "$INPUT_BRANCH" || { echo "::error::Branch '$INPUT_BRANCH' not found"; exit 1; }
|
|
if echo "$INPUT_VERSION" | grep -q '-'; then
|
|
if ! git show "origin/${INPUT_BRANCH}:.changeset/pre.json" >/dev/null 2>&1; then
|
|
echo "::error::Version '$INPUT_VERSION' is a pre-release but branch '$INPUT_BRANCH' has no .changeset/pre.json"
|
|
exit 1
|
|
fi
|
|
fi
|
|
|
|
- name: Generate raw release notes
|
|
id: raw-notes
|
|
env:
|
|
GH_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
|
|
GITHUB_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
|
|
INPUT_VERSION: ${{ inputs.preview_version }}
|
|
INPUT_BRANCH: ${{ inputs.preview_branch }}
|
|
run: |
|
|
# Infer dist-tag from the branch (matches the npm-tag step in the release job)
|
|
DIST_TAG=""
|
|
if [[ "$INPUT_BRANCH" =~ ^release/ ]]; then
|
|
DIST_TAG="release-${INPUT_BRANCH#release/}"
|
|
elif [[ "$INPUT_BRANCH" == "main" ]]; then
|
|
DIST_TAG="latest"
|
|
fi
|
|
|
|
DIST_TAG_ARGS=""
|
|
if [ -n "$DIST_TAG" ]; then
|
|
DIST_TAG_ARGS="--dist-tag $DIST_TAG"
|
|
fi
|
|
|
|
node .github/scripts/release-notes.ts \
|
|
--version "$INPUT_VERSION" \
|
|
--branch "origin/$INPUT_BRANCH" \
|
|
$DIST_TAG_ARGS
|
|
|
|
- name: Build AI prompt from template
|
|
id: ai-prompt
|
|
continue-on-error: true
|
|
env:
|
|
RAW_PATH: ${{ steps.raw-notes.outputs.raw_changelog_path }}
|
|
run: |
|
|
PROMPT=$(sed \
|
|
-e "s|__RAW_CHANGELOG_PATH__|${RAW_PATH}|g" \
|
|
-e "s|__GITHUB_REPOSITORY__|${GITHUB_REPOSITORY}|g" \
|
|
.github/prompts/release-notes-rewrite.md)
|
|
EOF_DELIM="PROMPT_EOF_$(openssl rand -hex 8)"
|
|
echo "prompt<<${EOF_DELIM}" >> "$GITHUB_OUTPUT"
|
|
echo "$PROMPT" >> "$GITHUB_OUTPUT"
|
|
echo "${EOF_DELIM}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Rewrite release notes with AI
|
|
id: ai-notes
|
|
continue-on-error: true
|
|
uses: anthropics/claude-code-action@1b8ee3b94104046d71fde52ec3557651ad8c0d71 # v1.0.29
|
|
env:
|
|
GH_TOKEN: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
|
|
with:
|
|
claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
|
|
github_token: ${{ steps.app-token.outputs.token || secrets.GITHUB_TOKEN }}
|
|
prompt: ${{ steps.ai-prompt.outputs.prompt }}
|
|
claude_args: --max-turns 100 --allowedTools "Read Write Bash(gh pr diff*) Bash(gh pr view*)"
|
|
|
|
- name: Post results to job summary
|
|
env:
|
|
RAW_PATH: ${{ steps.raw-notes.outputs.raw_changelog_path }}
|
|
VERSION: ${{ steps.raw-notes.outputs.version }}
|
|
run: |
|
|
{
|
|
echo "# Release Notes Preview: v${VERSION}"
|
|
echo ""
|
|
if [ -f "${RAW_PATH}.final" ]; then
|
|
echo "## AI-Rewritten (final)"
|
|
echo ""
|
|
cat "${RAW_PATH}.final"
|
|
echo ""
|
|
echo "---"
|
|
echo ""
|
|
fi
|
|
echo "## Raw (deterministic)"
|
|
echo ""
|
|
cat "${RAW_PATH}"
|
|
} >> "$GITHUB_STEP_SUMMARY"
|