CI/CD
Stable publish (publish.yml)
Trigger: Push to main

```yaml
on:
  push:
    branches: [main]
```

Pipeline

| Step | Command | Purpose |
|---|---|---|
| Checkout | actions/checkout@v4 | Clone the repo |
| pnpm setup | pnpm/action-setup@v4 | Install pnpm v9 |
| Node setup | actions/setup-node@v4 | Node 20, npm registry, pnpm cache |
| Install | pnpm install --frozen-lockfile | Install deps (lockfile must be up to date) |
| Build | pnpm turbo run build --filter=@westopp/semtest | Build the main package only |
| Test | pnpm turbo run test --filter=@westopp/semtest | Run vitest |
| Publish | pnpm publish --no-git-checks | Publish to public npm registry |
Homebrew tap update
A second job (update-homebrew) runs after a successful publish:

| Step | Purpose |
|---|---|
| Read version | Extract version from package.json |
| Compute SHA256 | Download the npm tarball and hash it (retries for propagation) |
| Checkout tap repo | Clone westopp/homebrew-semtest using HOMEBREW_TAP_TOKEN |
| Write formula | Overwrite Formula/semtest.rb with updated URL and hash |
| Push | Commit and push to the tap repo |
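
The Compute SHA256 step hashes whatever the registry returns during propagation, so the download can be checked against the integrity value npm records for that version before its hash is written into the formula. The following is an added example, not the project's workflow code: the function names and the fetch-command hook are hypothetical, and it assumes GNU coreutils and the sha512 SRI string that `npm view <pkg>@<version> dist.integrity` reports.

```shell
# Added example (not the project's workflow code). Assumes GNU coreutils.

# sri_matches FILE INTEGRITY
# INTEGRITY is an SRI string, "sha512-<base64 digest>", as reported by
#   npm view <pkg>@<version> dist.integrity
sri_matches() {
  local file="$1" integrity="$2" want got
  # Accept sha512 only; any other or missing algorithm prefix is rejected.
  [ "${integrity%%-*}" = "sha512" ] || return 2
  # Decode the base64 digest to hex so it can be compared with sha512sum output.
  want=$(printf '%s' "${integrity#*-}" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n')
  got=$(sha512sum "$file" | cut -d' ' -f1)
  [ "${#want}" -eq 128 ] && [ "$want" = "$got" ]
}

# formula_sha256 FETCH_CMD FILE INTEGRITY [ATTEMPTS] [DELAY_SECONDS]
# FETCH_CMD (hypothetical hook) is called as "FETCH_CMD FILE" and must write
# the tarball to FILE. Retries until the download matches INTEGRITY, then
# prints the SHA256 hex digest for the Homebrew formula.
formula_sha256() {
  local fetch="$1" file="$2" integrity="$3" attempts="${4:-5}" delay="${5:-10}" i=1
  while [ "$i" -le "$attempts" ]; do
    if "$fetch" "$file" && sri_matches "$file" "$integrity"; then
      sha256sum "$file" | cut -d' ' -f1
      return 0
    fi
    [ "$i" -lt "$attempts" ] && sleep "$delay"
    i=$((i + 1))
  done
  echo "tarball did not match $integrity after $attempts attempts" >&2
  return 1
}
```

Both values come from the same registry, so this catches stale or truncated downloads during propagation rather than a compromised registry.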
Permissions
```yaml
permissions:
  contents: read
```

Authentication

| Secret | Purpose |
|---|---|
| NPM_TOKEN | Publish to public npm (NODE_AUTH_TOKEN) |
| HOMEBREW_TAP_TOKEN | Push formula updates to westopp/homebrew-semtest |
Build filter
Only @westopp/semtest is built and tested. The docs sites are not part of the publish pipeline.
Release candidate (rc.yml)
Trigger: Push to release

```yaml
on:
  push:
    branches: [release]
```

Pipeline

Same build and test steps as stable. The publish step differs:

- Reads the current version from package.json
- Appends -rc.{run_number} (e.g. 0.1.0-rc.5)
- Publishes to GitHub Packages with the rc dist-tag

```shell
VERSION=$(node -p "require('./package.json').version")
npm version "${VERSION}-rc.${GITHUB_RUN_NUMBER}" --no-git-tag-version
pnpm publish --no-git-checks --tag rc
```

This means:

- RC versions auto-increment via the GitHub Actions run number
- Installing @westopp/semtest@rc gets the latest RC
- The version bump is not committed — it only affects the published artifact
- RC builds require GitHub Packages auth to install (internal testing only)
Permissions
```yaml
permissions:
  contents: read
  packages: write
```

Authentication

Uses GITHUB_TOKEN (automatically provided by GitHub Actions) as NODE_AUTH_TOKEN. No manual secret setup needed.