fix: rotate access token and store in github repository secrets #41
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
permissions: | |
actions: read | |
contents: read | |
env: | |
NX_CLOUD_ACCESS_TOKEN: ${{ secrets.NX_CLOUD_ACCESS_TOKEN }} | |
jobs: | |
main: | |
runs-on: ubuntu-latest | |
permissions: | |
packages: write | |
contents: write | |
steps: | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
ref: ${{ github.head_ref }} | |
- name: Setup git | |
id: git | |
uses: ./.github/actions/setup-git | |
# This enables task distribution via Nx Cloud | |
# Run this command as early as possible, before dependencies are installed | |
# Learn more at https://nx.dev/ci/reference/nx-cloud-cli#npx-nxcloud-startcirun | |
# - run: npx nx-cloud start-ci-run --distribute-on="3 linux-medium-js" --stop-agents-after="build" | |
# Cache node_modules | |
- uses: actions/setup-node@v4 | |
with: | |
node-version: 20 | |
cache: 'npm' | |
- run: npm ci --legacy-peer-deps | |
- uses: nrwl/nx-set-shas@v4 | |
# Prepend any command with "nx-cloud record --" to record its logs to Nx Cloud | |
# - run: npx nx-cloud record -- echo Hello World | |
# Nx Affected runs only tasks affected by the changes in this PR/commit. Learn more: https://nx.dev/ci/features/affected | |
- run: npx nx affected -t lint test build typecheck docker-build | |
- name: Version | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
THDK_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
run: | | |
if [[ "${{ steps.git.outputs.branch-name }}" == "main" ]]; then | |
npx nx release --skip-publish --verbose | |
else | |
npx nx release version --preid ${{ steps.git.outputs.commit-sha-short }} --no-git-commit --no-git-tag --verbose | |
fi | |
- name: Push version bumps, tags and changelogs | |
if: ${{ steps.git.outputs.branch-name == 'main' }} | |
run: | | |
git push | |
git push --tags | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Publish | |
run: | | |
npx nx release publish --yes --verbose | |
env: | |
THDK_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |