298 changes: 232 additions & 66 deletions .github/workflows/npm_release.yml
@@ -9,81 +9,117 @@
NPM_TAG: "next"
XCODE_VERSION: "^15.0"

# The runtime xcframeworks are no longer shipped inside the npm packages. Each
# build publishes them as GitHub Release assets and points the SwiftPM manifest
# (github.com/NativeScript/ios-spm) at them via binaryTarget(url:checksum:). The
# slim npm package only carries the Xcode project template + metadata generator.
#
# Flow: setup → build (ios, visionos) → test → github-release (assets) →
# spm-update (stamp + tag ios-spm) → publish (npm) → verify-spm
jobs:
setup:
name: Resolve version
runs-on: ubuntu-latest
outputs:
npm_version: ${{ steps.out.outputs.NPM_VERSION }}
npm_tag: ${{ steps.out.outputs.NPM_TAG }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
with:
node-version: 22
- name: Install deps for version scripts
run: npm install --no-audit --no-fund
- name: Compute version and tag
id: out
run: |
NPM_VERSION=$(node -e "console.log(require('./package.json').version);")
if [ "${GITHUB_REF#refs/tags/}" = "$GITHUB_REF" ]; then
# not a tag build -> dev/prerelease version
NPM_VERSION=$(node ./scripts/get-next-version.js)
fi
NPM_TAG=$(NPM_VERSION=$NPM_VERSION node ./scripts/get-npm-tag.js)
echo "NPM_VERSION=$NPM_VERSION" >> $GITHUB_OUTPUT
echo "NPM_TAG=$NPM_TAG" >> $GITHUB_OUTPUT
echo "Resolved $NPM_VERSION (tag: $NPM_TAG)"

build:
name: Build
name: Build ${{ matrix.target }}
runs-on: macos-14
outputs:
npm_version: ${{ steps.npm_version_output.outputs.NPM_VERSION }}
npm_tag: ${{ steps.npm_version_output.outputs.NPM_TAG }}
needs: setup
strategy:
fail-fast: false
matrix:
target: [ios, visionos]
env:
NPM_VERSION: ${{ needs.setup.outputs.npm_version }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- uses: maxim-lobanov/setup-xcode@ed7a3b1fda3918c0306d1b724322adc0b8cc0a90 # v1.7.0
with:
xcode-version: ${{env.XCODE_VERSION}}
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
submodules: true
persist-credentials: false # disable to prevent leaking credentials to build scripts
- name: LLVM cache
uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
with:
path: ./llvm
key: ${{ hashFiles('download_llvm.sh') }}
- uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
with:
node-version: 22
registry-url: "https://registry.npmjs.org"
- name: Install Python
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
with:
python-version: "3"
- name: Install Dependencies
run: |
npm install
python3 -m pip install --upgrade pip six
# Ensure CMake is available without conflicting with pinned Homebrew formula
if ! command -v cmake >/dev/null; then
brew list cmake || brew install cmake
fi
# Some scripts expect cmake at /usr/local/bin; create a shim if needed
if [ ! -x /usr/local/bin/cmake ]; then
sudo mkdir -p /usr/local/bin
sudo ln -sf "$(command -v cmake)" /usr/local/bin/cmake
fi
- name: Get Current Version
run: |
NPM_VERSION=$(node -e "console.log(require('./package.json').version);")
echo NPM_VERSION=$NPM_VERSION >> $GITHUB_ENV
- name: Bump version for dev release
if: ${{ !contains(github.ref, 'refs/tags/') }}
run: |
NPM_VERSION=$(node ./scripts/get-next-version.js)
echo NPM_VERSION=$NPM_VERSION >> $GITHUB_ENV
npm version $NPM_VERSION --no-git-tag-version
- name: Output NPM Version and tag
id: npm_version_output
run: |
NPM_TAG=$(node ./scripts/get-npm-tag.js)
echo NPM_VERSION=$NPM_VERSION >> $GITHUB_OUTPUT
echo NPM_TAG=$NPM_TAG >> $GITHUB_OUTPUT
- name: Build
run: npm run build-ios
- name: Set package version
run: npm version $NPM_VERSION --no-git-tag-version --allow-same-version
- name: Build (${{ matrix.target }})
run: npm run build-${{ matrix.target }}
- name: Upload npm package artifact
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: npm-package
path: dist/nativescript-ios-${{steps.npm_version_output.outputs.NPM_VERSION}}.tgz
name: npm-package-${{ matrix.target }}
path: dist/nativescript-*-${{ env.NPM_VERSION }}.tgz
- name: Upload SwiftPM artifacts (xcframework zips + checksums)
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: spm-artifacts-${{ matrix.target }}
path: dist/artifacts/*
- name: Upload dSYMs artifact
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
with:
name: NativeScript-dSYMs
name: dSYMs-${{ matrix.target }}
path: dist/dSYMs

test:
name: Test
runs-on: macos-14
needs: build
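Review bot: the new `setup` job (and `build`/`test` beneath it) declares no `permissions:` block, so these jobs run with the repository's default `GITHUB_TOKEN` scope although they only read the checkout; the `github-release` and `publish` jobs later in this file already scope theirs, so a top-level `permissions:` with `contents: read` that the two publishing jobs override would close the CodeQL "Workflow does not contain permissions" finding reported on each of these jobs. Two smaller points in the same hunk: `Install deps for version scripts` runs `npm install --no-audit --no-fund`, which executes the lifecycle scripts of the whole dependency tree just to evaluate `get-next-version.js` and `get-npm-tag.js` (`npm ci --ignore-scripts` would do for that purpose and pins to the lockfile, if the repo ships one), and the `>> $GITHUB_OUTPUT` redirections in `Compute version and tag` should be quoted as `>> "$GITHUB_OUTPUT"`.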
@@ -153,18 +189,144 @@
with:
name: test-results
path: ${{env.TEST_FOLDER}}/test_results.xcresult

# Publish the xcframework zips + dSYMs as a GitHub Release asset for EVERY
# version (prerelease unless 'latest'), because the SwiftPM binaryTarget url
# must resolve for `next`/`pr` consumers too — not only tagged releases.
github-release:
name: GitHub Release (SPM assets)
runs-on: ubuntu-latest
permissions:
contents: write
needs:
- setup
- build
- test
env:
NPM_VERSION: ${{ needs.setup.outputs.npm_version }}
NPM_TAG: ${{ needs.setup.outputs.npm_tag }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
with:
node-version: 22
- name: Setup
run: npm install --no-audit --no-fund
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: spm-artifacts-*
path: spm-artifacts
merge-multiple: true
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: dSYMs-*
path: dist/dSYMs
merge-multiple: true
- name: Zip dSYMs
working-directory: dist/dSYMs
run: find . -maxdepth 1 -name '*.dSYM' -print | xargs -I@ zip -r @.zip @ || true
- name: Partial Changelog
run: npx conventional-changelog -p angular -r2 > body.md
- name: Create / update release with SPM artifacts
uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
with:
tag: "v${{ env.NPM_VERSION }}"
name: "v${{ env.NPM_VERSION }}"
commit: ${{ github.sha }}
artifacts: "spm-artifacts/*.xcframework.zip,dist/dSYMs/*.zip"
bodyFile: "body.md"
prerelease: ${{ needs.setup.outputs.npm_tag != 'latest' }}
allowUpdates: true

# Stamp + tag github.com/NativeScript/ios-spm to point at this release's assets.
# Requires a cross-repo token (GITHUB_TOKEN cannot write to ios-spm). Enable by
# setting repo variable ENABLE_SPM_UPDATE=true and secret IOS_SPM_TOKEN.
spm-update:
name: Update ios-spm manifest
runs-on: ubuntu-latest
if: ${{ vars.ENABLE_SPM_UPDATE == 'true' }}
needs:
- setup
- build
- test
- github-release
env:
NPM_VERSION: ${{ needs.setup.outputs.npm_version }}
NPM_TAG: ${{ needs.setup.outputs.npm_tag }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- name: Checkout ios (for stamping script)
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
path: ios
persist-credentials: false
- name: Checkout ios-spm
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
repository: NativeScript/ios-spm
token: ${{ secrets.IOS_SPM_TOKEN }}
path: ios-spm
- uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
with:
node-version: 22
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
pattern: spm-artifacts-*
path: spm-artifacts
merge-multiple: true
- name: Stamp Package.swift
run: |
STRICT=""
if [ "$NPM_TAG" = "latest" ]; then STRICT="--strict"; fi
CHECKSUM_ARGS=""
for f in spm-artifacts/checksums-*.env; do
[ -f "$f" ] && CHECKSUM_ARGS="$CHECKSUM_ARGS --checksums $f"
done
echo "Using checksum files:$CHECKSUM_ARGS"
if [ -z "$CHECKSUM_ARGS" ]; then echo "No checksum files found" >&2; exit 1; fi
node ios/scripts/stamp-spm-release.mjs \
--package ios-spm/Package.swift \
--version "$NPM_VERSION" \
$CHECKSUM_ARGS $STRICT
- name: Commit and tag ios-spm
working-directory: ios-spm
run: |
git config user.name "NativeScript Bot"
git config user.email "oss@nativescript.org"
git add Package.swift
git commit -m "release: $NPM_VERSION" || echo "no changes to commit"
git tag -f "$NPM_VERSION"
git push origin HEAD:main
git push -f origin "refs/tags/$NPM_VERSION"

publish:
name: Publish ${{ matrix.target }}
runs-on: ubuntu-latest
environment: npm-publish
needs:
- setup
- build
- test
permissions:
contents: read
id-token: write
strategy:
fail-fast: false
matrix:
target: [ios, visionos]
env:
NPM_VERSION: ${{needs.build.outputs.npm_version}}
NPM_TAG: ${{needs.build.outputs.npm_tag}}
NPM_VERSION: ${{ needs.setup.outputs.npm_version }}
NPM_TAG: ${{ needs.setup.outputs.npm_tag }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
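Review bot: `Commit and tag ios-spm` force-moves the tag (`git tag -f` followed by `git push -f origin "refs/tags/$NPM_VERSION"`), so a re-run of a `latest` release silently re-points a version that downstream packages pin with `exact:` (the probe in `verify-spm` does exactly that) at a freshly stamped manifest with new checksums. Consider refusing to overwrite an existing tag when `NPM_TAG` is `latest` (for instance `git ls-remote --exit-code --tags origin "refs/tags/$NPM_VERSION" && exit 1` before tagging) and keeping the forced update for the `next`/`pr` versions where re-stamping is expected. Two smaller points: `Zip dSYMs` ends in `|| true`, which turns a broken zip into a release published without symbols, whereas `xargs -r` on the ubuntu runner covers the no-dSYM case without masking real failures; and `git push origin HEAD:main` writes directly to `main` of ios-spm, which is why `IOS_SPM_TOKEN` should be a fine-grained token limited to that single repository's contents (that checkout is the one place where persisted credentials are actually needed for the later push).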
@@ -176,73 +338,77 @@
registry-url: "https://registry.npmjs.org"
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: npm-package
name: npm-package-${{ matrix.target }}
path: dist
- name: Update npm (required for OIDC trusted publishing)
run: |
corepack enable npm
corepack install -g npm@11.5.1
test "$(npm --version)" = "11.5.1"
test "$(npx --version)" = "11.5.1"
- name: Resolve package name
run: |
if [ "${{ matrix.target }}" = "ios" ]; then echo "PKG=ios" >> $GITHUB_ENV; else echo "PKG=visionos" >> $GITHUB_ENV; fi
- name: Publish package (OIDC trusted publishing)
if: ${{ vars.USE_NPM_TOKEN != 'true' }}
run: |
echo "Publishing @nativescript/ios@$NPM_VERSION to NPM with tag $NPM_TAG via OIDC trusted publishing..."
echo "Publishing @nativescript/$PKG@$NPM_VERSION to NPM with tag $NPM_TAG via OIDC trusted publishing..."
unset NODE_AUTH_TOKEN
if [ -n "${NPM_CONFIG_USERCONFIG:-}" ]; then
rm -f "$NPM_CONFIG_USERCONFIG"
fi
npm publish ./dist/nativescript-ios-${{env.NPM_VERSION}}.tgz --tag $NPM_TAG --access public --provenance
npm publish ./dist/nativescript-${PKG}-${NPM_VERSION}.tgz --tag $NPM_TAG --access public --provenance
env:
NODE_AUTH_TOKEN: ""

- name: Publish package (granular token)
if: ${{ vars.USE_NPM_TOKEN == 'true' }}
run: |
echo "Publishing @nativescript/ios@$NPM_VERSION to NPM with tag $NPM_TAG via granular token..."
npm publish ./dist/nativescript-ios-${{env.NPM_VERSION}}.tgz --tag $NPM_TAG --access public --provenance
echo "Publishing @nativescript/$PKG@$NPM_VERSION to NPM with tag $NPM_TAG via granular token..."
npm publish ./dist/nativescript-${PKG}-${NPM_VERSION}.tgz --tag $NPM_TAG --access public --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
github-release:
runs-on: ubuntu-latest
# only runs on tagged commits
if: ${{ contains(github.ref, 'refs/tags/') }}
permissions:
contents: write

# Post-publish smoke test: resolve ios-spm at the released tag and verify the
# iOS binary artifact downloads + checksum-validates against the real Release.
verify-spm:
name: Verify SPM resolution
runs-on: macos-14
if: ${{ vars.ENABLE_SPM_UPDATE == 'true' }}
needs:
- build
- test
- setup
- spm-update
env:
NPM_VERSION: ${{needs.build.outputs.npm_version}}
NPM_VERSION: ${{ needs.setup.outputs.npm_version }}
steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
egress-policy: audit
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
- uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
with:
node-version: 22
- name: Setup
run: npm install
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: npm-package
path: dist
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
with:
name: NativeScript-dSYMs
path: dist/dSYMs
- name: Zip dSYMs
working-directory: dist/dSYMs
run: find . -maxdepth 1 -name '*.dSYM' -print | xargs -I@ zip -r @.zip @
- name: Partial Changelog
run: npx conventional-changelog -p angular -r2 > body.md
- uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
with:
artifacts: "dist/nativescript-ios-*.tgz,dist/dSYMs/*.zip"
bodyFile: "body.md"
prerelease: ${{needs.build.outputs.npm_tag != 'latest'}}
allowUpdates: true
- name: Generate a probe package that depends on ios-spm
run: |
node -e '
const fs = require("fs");
const v = process.env.NPM_VERSION;
fs.mkdirSync("spmverify/Sources/Probe", { recursive: true });
fs.writeFileSync("spmverify/Package.swift",
"// swift-tools-version: 5.10\n" +
"import PackageDescription\n" +
"let package = Package(\n" +
" name: \"Probe\",\n" +
" platforms: [.iOS(.v13)],\n" +
" dependencies: [.package(url: \"https://github.com/NativeScript/ios-spm.git\", exact: \"" + v + "\")],\n" +
" targets: [.target(name: \"Probe\", dependencies: [.product(name: \"NativeScript\", package: \"ios-spm\")])]\n" +
")\n");
fs.writeFileSync("spmverify/Sources/Probe/Probe.swift", "// probe\n");
'
- name: Resolve (downloads the xcframework zip and verifies its checksum)
working-directory: spmverify
run: |
# Resolution fetches the binary artifacts for the NativeScript product
# and verifies each checksum against the stamped manifest; a mismatch or
# a missing release asset fails the release here.
swift package resolve
echo "ios-spm@$NPM_VERSION resolved and checksum-verified."
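Review bot: the `verify-spm` checkout is the only `actions/checkout` in this workflow without `persist-credentials: false`, so `GITHUB_TOKEN` stays in `.git/config` while `npm install` (with every lifecycle script in the tree) and `swift package resolve` run in that workspace; nothing visible in the job uses the installed node modules (the probe generator only needs `node -e` with `fs`), so the `Setup` step can go, and the checkout should get `persist-credentials: false` plus a job-level `permissions:` with `contents: read`, which also clears the CodeQL finding attached to this job. In `publish`, `Resolve package name` always sets `PKG` to the value of `matrix.target` (both branches echo the matrix value), so the step can be dropped in favour of `matrix.target` in the two `npm publish` lines; if it stays, quote the redirection target as `>> "$GITHUB_ENV"` as well.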

1 change: 1 addition & 0 deletions build_all_ios.sh
@@ -7,4 +7,5 @@ rm -rf ./dist
./build_nativescript.sh --no-vision
./build_tklivesync.sh --no-vision
./prepare_dSYMs.sh
./build_spm_artifacts.sh ios
./build_npm_ios.sh
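Review bot: `./build_spm_artifacts.sh ios` is inserted between `prepare_dSYMs.sh` and `build_npm_ios.sh` without an exit-status check, and this hunk does not show whether the script runs under `set -e`; if it does not, a failing artifact build still lets `build_npm_ios.sh` produce a publishable tarball while `dist/artifacts` is empty, and the workflow's `Upload SwiftPM artifacts` step (`path: dist/artifacts/*`) would only warn about missing files rather than fail the `build` job. Either `set -euo pipefail` at the top of the script or `if-no-files-found: error` on that upload step (preferably both) makes the gap fail loudly. The same applies to the identical line added to `build_all_vision.sh` below.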
1 change: 1 addition & 0 deletions build_all_vision.sh
@@ -7,4 +7,5 @@ rm -rf ./dist
./build_nativescript.sh --no-catalyst --no-iphone --no-sim
./build_tklivesync.sh --no-catalyst --no-iphone --no-sim
./prepare_dSYMs.sh
./build_spm_artifacts.sh visionos
./build_npm_vision.sh