refactor(github): single workflow CI-driven release

morbeo · morbeo · commit 61099bac8fa7 · 2026-04-16T17:14:48.000+03:00
Replace release-it (blocked by branch protection) with a workflow_dispatch
release.yml that runs lint/typecheck/test, bumps version, generates the
changelog, commits and tags directly to master via RELEASE_PAT (which must
have bypass rights on the branch protection rule), creates a GitHub Release
via actions/create-release with a prerelease toggle, then triggers deploy.yml.

deploy.yml gains a skip guard so the release bump commit does not trigger a
redundant deploy — release.yml dispatches deploy explicitly after tagging.

Requires: RELEASE_PAT secret (classic PAT, repo scope) with bypass rights
on the master branch protection rule.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -13,13 +13,6 @@ on:
       - 'package-lock.json'
 
   workflow_dispatch:
-    inputs:
-      skip_checks:
-        description: "Skip lint/test (emergency deploy)"
-        required: false
-        default: "false"
-        type: choice
-        options: ["false", "true"]
 
 permissions:
   contents: read
@@ -35,7 +28,7 @@ env:
 
 jobs:
   deploy:
-    # Skip when the push is a release bump commit — publish.yml owns that deploy
+    # release.yml triggers this explicitly after tagging; skip the push event
     if: |
       github.event_name == 'workflow_dispatch' ||
       !startsWith(github.event.head_commit.message, 'chore(release):')
@@ -46,29 +39,26 @@ jobs:
       url: ${{ steps.deployment.outputs.page_url }}
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           cache: npm
           cache-dependency-path: package-lock.json
 
       - name: Install deps
         run: npm ci --legacy-peer-deps
 
       - name: Lint
-        if: inputs.skip_checks != 'true'
         run: npm run lint
 
       - name: Test
-        if: inputs.skip_checks != 'true'
         run: npm run test
 
       - name: Type-check
-        if: inputs.skip_checks != 'true'
         run: npm run typecheck
 
       - name: Build
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -22,7 +22,7 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           token: ${{ secrets.RELEASE_PAT }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,49 +4,59 @@ on:
   workflow_dispatch:
     inputs:
       bump:
-        description: "Version bump type"
+        description: "Version bump"
         required: true
         default: patch
         type: choice
         options: [patch, minor, major]
+      prerelease:
+        description: "Pre-release"
+        required: false
+        default: "false"
+        type: choice
+        options: ["false", "true"]
 
 concurrency:
   group: release
   cancel-in-progress: false
 
 permissions:
   contents: write
-  pull-requests: write
+
+env:
+  FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
 jobs:
-  open-release-pr:
+  release:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
           token: ${{ secrets.RELEASE_PAT }}
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: 22
           cache: npm
+          cache-dependency-path: package-lock.json
 
       - name: Install deps
         run: npm ci --legacy-peer-deps
 
-      - name: Lint and test
+      - name: Lint, typecheck, test
         run: |
           npm run lint
+          npm run typecheck
           npm run test
 
       - name: Configure git
         run: |
           git config user.name "Vladimir Kirov"
           git config user.email "morbeo@gmail.com"
 
-      - name: Bump version (no commit, no tag)
+      - name: Bump version
         id: bump
         run: |
           VERSION=$(npm version ${{ inputs.bump }} --no-git-tag-version)
@@ -55,23 +65,24 @@ jobs:
       - name: Generate changelog
         run: npx git-cliff --tag ${{ steps.bump.outputs.version }} -o CHANGELOG.md
 
-      - name: Commit and push release branch
+      - name: Commit, tag, push
         run: |
-          BRANCH="chore/release-${{ steps.bump.outputs.version }}"
-          git checkout -b "$BRANCH"
           git add package.json package-lock.json CHANGELOG.md
           git commit -m "chore(release): ${{ steps.bump.outputs.version }}"
-          git push origin "$BRANCH"
-          echo "branch=$BRANCH" >> "$GITHUB_OUTPUT"
-        id: branch
+          git tag ${{ steps.bump.outputs.version }}
+          git push origin master --follow-tags
 
-      - name: Open PR
-        run: |
-          gh pr create \
-            --title "chore(release): ${{ steps.bump.outputs.version }}" \
-            --body "Automated release bump for ${{ steps.bump.outputs.version }}. Merging this PR will trigger the deploy workflow." \
-            --base master \
-            --head "${{ steps.branch.outputs.branch }}" \
-            --label "release"
+      - name: Create GitHub Release
+        uses: actions/create-release@latest
+        with:
+          tag_name: ${{ steps.bump.outputs.version }}
+          release_name: ${{ steps.bump.outputs.version }}
+          body: ${{ steps.changelog.outputs.content }}
+          prerelease: ${{ inputs.prerelease == 'true' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.RELEASE_PAT }}
+
+      - name: Trigger deploy
+        run: gh workflow run deploy.yml --ref master
         env:
           GH_TOKEN: ${{ secrets.RELEASE_PAT }}
