publish.yml

# Version tags only

name: Publish

on:
  push:
    tags:
      - v[0-9]+.[0-9]+.[0-9]+

jobs:
  publish:
    name: Publish
    runs-on: ubuntu-latest
    env:
      # It'll work with secrets.GITHUB_TOKEN (which is provided by GitHub unconditionally)
      # Still then release author would be "github-actions". It's better if it's dedicated repo bot
      GITHUB_TOKEN: ${{ secrets.USER_GITHUB_TOKEN }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Retrieve node_modules from cache
        id: cacheNodeModules
        uses: actions/cache@v1
        with:
          path: node_modules
          key: node-modules-v16-${{ runner.os }}-refs/heads/main-${{ hashFiles('package.json') }}

      - name: Install Node.js and npm
        uses: actions/setup-node@v1
        with:
          node-version: 16.x
          registry-url: https://registry.npmjs.org

      - name: Publish new version
        # Note: Setting NODE_AUTH_TOKEN as job|workspace wide env var won't work
        #       as it appears actions/setup-node sets own value
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: npm publish

      # Normally we have a guarantee that deps are already there, still it may not be the case when:
      # - `main` build for same commit failed (and we still pushed tag manually)
      # - We've pushed tag manually before `main` build finalized
      - name: Install dependencies
        if: steps.cacheNpm.outputs.cache-hit != 'true'
        run: |
          npm update --no-save
          npm update --save-dev --no-save

      - name: Publish release notes
        run: |
          TEMP_ARRAY=($(echo $GITHUB_REF | tr "/" "\n"))
          TAG=${TEMP_ARRAY[@]: -1}
          npx github-release-from-cc-changelog $TAG