From ae878a5bb6b146aec1e92421e5593485964499a4 Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Tue, 4 Nov 2025 23:00:03 +0100 Subject: [PATCH 01/16] build: run dummy release job after unit and e2e test jobs succeed --- .github/workflows/release.yml | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c53f3a15eee..ce4de4ba5fc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -67,3 +67,17 @@ jobs: run: yarn workspaces foreach --all --parallel --topological-dev --exclude @elastic/eui-website --exclude @elastic/eui-monorepo --exclude @elastic/eui-docgen run build - name: Cypress tests run: yarn workspaces foreach --all --parallel --topological-dev --exclude @elastic/eui-website --exclude @elastic/eui-monorepo --exclude @elastic/eui-docgen run test-cypress + release: + name: Release + runs-on: ubuntu-latest + needs: [ lint_and_unit_tests, cypress_tests ] + steps: + - uses: actions/checkout@v4 + with: + persist-credentials: false + - uses: actions/setup-node@v6 + with: + node-version-file: .nvmrc + cache: yarn + - name: Install dependencies + run: yarn install --immutable From 00f96f0a0ce0625d5b920c82a8a3e7603d65bda3 Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Tue, 4 Nov 2025 23:28:44 +0100 Subject: [PATCH 02/16] build: test the actual release script --- .github/workflows/release.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ce4de4ba5fc..4b2d328532f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -81,3 +81,7 @@ jobs: cache: yarn - name: Install dependencies run: yarn install --immutable + - name: Build release scripts + run: yarn workspace @elastic/eui-release-cli run build + - name: Release + run: yarn release run snapshot --workspaces @elastic/eslint-plugin-eui --skip-prompts --use-auth-token From ecafb3bc4c27e0746a6b9505e5cbeea1877b6f89 Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Tue, 4 Nov 2025 23:34:26 +0100 Subject: [PATCH 03/16] build: rename git remote to upstream --- .github/workflows/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4b2d328532f..cb045de8a66 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -83,5 +83,7 @@ jobs: run: yarn install --immutable - name: Build release scripts run: yarn workspace @elastic/eui-release-cli run build + - name: Rename git remote to upstream + run: git remote rename origin upstream - name: Release run: yarn release run snapshot --workspaces @elastic/eslint-plugin-eui --skip-prompts --use-auth-token From 0dbff4455e70ced38b771d1558852ed98b657e06 Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Tue, 4 Nov 2025 23:45:42 +0100 Subject: [PATCH 04/16] build: add `registry-url` to `actions/setup-node` --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cb045de8a66..a450ddd9ece 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -79,6 +79,7 @@ jobs: with: node-version-file: .nvmrc cache: yarn + registry-url: 'https://registry.npmjs.org' - name: Install dependencies run: yarn install --immutable - name: Build release scripts From 46b6f4c19030c60982abe8504c3eee026512fa5c Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Tue, 4 Nov 2025 23:52:18 +0100 Subject: [PATCH 05/16] build: install latest npm for oidc provenance support --- .github/workflows/release.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a450ddd9ece..4ce5805046e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -73,15 +73,13 @@ jobs: needs: [ lint_and_unit_tests, cypress_tests ] steps: - uses: actions/checkout@v4 - with: - persist-credentials: false - uses: actions/setup-node@v6 with: node-version-file: .nvmrc cache: yarn registry-url: 'https://registry.npmjs.org' - name: Install dependencies - run: yarn install --immutable + run: npm install -g npm@latest && yarn install --immutable - name: Build release scripts run: yarn workspace @elastic/eui-release-cli run build - name: Rename git remote to upstream From 75a3345062c67c469b8e57b3a1dbf0fda9b7d887 Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Wed, 5 Nov 2025 23:04:35 +0100 Subject: [PATCH 06/16] build: update the publish step to use `yarn pack` and `npm publish` instead of `yarn npm publish` --- packages/release-cli/src/npm_utils.ts | 37 +++++++++++- packages/release-cli/src/steps/publish.ts | 17 +++++- packages/release-cli/src/yarn_utils.ts | 68 +++++++++++++++++++++-- 3 files changed, 113 insertions(+), 9 deletions(-) diff --git a/packages/release-cli/src/npm_utils.ts b/packages/release-cli/src/npm_utils.ts index cd4ff291b3b..fd378b58361 100644 --- a/packages/release-cli/src/npm_utils.ts +++ b/packages/release-cli/src/npm_utils.ts @@ -7,7 +7,8 @@ */ import { promisify } from 'node:util'; -import { exec } from 'node:child_process'; +import path from 'node:path'; +import { exec, execSync } from 'node:child_process'; const execPromise = promisify(exec); @@ -20,4 +21,38 @@ export const getNpmPublishedVersions = async (packageName: string) => { } return []; +}; + +export interface ExecPublish { + packageArchivePath: string; + otp: string | undefined; + dryRun: boolean; + tag: string; } + +export const npmExecPublish = ({ + packageArchivePath, + otp, + dryRun, + tag, +}: ExecPublish) => { + if (!path.isAbsolute(packageArchivePath)) { + throw new Error('packageArchivePath is not an absolute path or is empty'); + } + + if (typeof otp === 'string' && !otp.length) { + throw new Error('OTP must be a non-empty string if defined'); + } + + if (!tag) { + throw new Error('tag must be defined'); + } + + const otpStr = otp ? `--otp ${otp}` : ''; + const dryRunStr = dryRun ? '--dry-run' : ''; + // TODO: Un-hardcode dry-run argument + return execSync( + `npm publish ${packageArchivePath} --tag ${tag} --access public --dry-run ${otpStr}`, + { stdio: 'inherit', encoding: 'utf8' } + ); +}; diff --git a/packages/release-cli/src/steps/publish.ts b/packages/release-cli/src/steps/publish.ts index 23bac19c632..7dbf6e9d565 100644 --- a/packages/release-cli/src/steps/publish.ts +++ b/packages/release-cli/src/steps/publish.ts @@ -11,7 +11,8 @@ import chalk from 'chalk'; import prompts from 'prompts'; import { type ReleaseOptions } from '../release'; import { getRootWorkspaceDir, getWorkspacePackageJson } from '../workspace'; -import { execPublish, YarnWorkspace } from '../yarn_utils'; +import { yarnPack, YarnWorkspace } from '../yarn_utils'; +import { npmExecPublish } from '../npm_utils'; interface PublishedWorkspace extends YarnWorkspace { version: string; @@ -53,8 +54,18 @@ export const stepPublish = async ( } try { - // tag is always defined at this stage. See release.ts - execPublish(workspace.name, options.tag!, otp); + // We pack packages using yarn pack and publish using npm publish + // to be able to use npm trusted publishing and more + const packDetails = await yarnPack(workspace.name); + logger.info(`[${workspace.name}] Package successfully packed to "${packDetails.output}" with ${packDetails.files.length} files included`); + + npmExecPublish({ + packageArchivePath: packDetails.output, + dryRun: true, + // tag is always defined at this stage. See release.ts + tag: options.tag!, + otp, + }); } catch (err) { logger.error(err); logger.error(chalk.red(`[${workspace.name}] Failed to publish package`)); diff --git a/packages/release-cli/src/yarn_utils.ts b/packages/release-cli/src/yarn_utils.ts index e73bddbacad..e35a86a464d 100644 --- a/packages/release-cli/src/yarn_utils.ts +++ b/packages/release-cli/src/yarn_utils.ts @@ -7,6 +7,7 @@ */ import { promisify } from 'node:util'; +import path from 'node:path'; import { exec, execSync } from 'node:child_process'; const execPromise = promisify(exec); @@ -37,13 +38,70 @@ export const updateWorkspaceVersion = async (workspace: string, version: string) return execPromise(`yarn workspace ${workspace} version ${version}`); }; -export const execPublish = (workspace: string, tag: string, otp?: string) => { - if (!tag) { - throw new Error('Tag must be defined'); +export interface YarnPackRawDetail { + base?: string; + location?: string; + output?: string; +} + +export interface YarnPackDetails { + /** + * An absolute base path to the workspace root directory + */ + base: string; + /** + * An array of absolute paths to files packed in the tgz archive + */ + files: string[]; + /** + * An absolute path to the output tgz archive + */ + output: string; +} + +export const yarnPack = async (workspace: string)=> { + const result = await execPromise(`yarn workspace ${workspace} pack --json`); + const rawDetails = JSON.parse( + `[${result.stdout.replace(/\n/g, ',').slice(0, -1)}]` + ) as Array; + const details: YarnPackDetails = { + base: '', + files: [], + output: '', + }; + for (const rawDetail of rawDetails) { + if (rawDetail.base) { + details.base = rawDetail.base; + } + if (rawDetail.location) { + details.files.push(rawDetail.location); + } + if (rawDetail.output) { + details.output = rawDetail.output; + } + } + + // Validate the returned data + if (!details.base) { + throw new Error( + 'yarn pack did not return the base path for the workspace. ' + + 'This likely means that the command\'s JSON output changed format. ' + + 'Please check the current yarn pack API and update the code ' + ); + } + + if (!details.output) { + throw new Error( + 'yarn pack did not return the path for the output tgz archive. ' + + 'This likely means that the command\'s JSON output changed format. ' + + 'Please check the current yarn pack API and update the code ' + ); } - const otpStr = otp ? `--otp ${otp}` : ''; - return execSync(`yarn workspace ${workspace} npm publish --access public --tag ${tag} ${otpStr}`, { stdio: 'inherit', encoding: 'utf8' }); + // By default, the returned location property is a path relative + // to the workspace root directory. We want absolute paths instead. + details.files = details.files.map((file) => path.join(details.base, file)); + return details; }; export const getAuthenticatedUser = async () => { From 8bd65a0a8401b2dfa933cf995961da5b3771ce63 Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Wed, 5 Nov 2025 23:15:43 +0100 Subject: [PATCH 07/16] feat(release-cli): add `--skip-auth-check` flag to skip registry authentication check in init_checks --- .github/workflows/release.yml | 2 +- packages/release-cli/src/cli.ts | 14 +++++++++-- packages/release-cli/src/release.ts | 5 ++++ packages/release-cli/src/steps/init_checks.ts | 24 +++++++++++-------- 4 files changed, 32 insertions(+), 13 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4ce5805046e..0bab56b21be 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -85,4 +85,4 @@ jobs: - name: Rename git remote to upstream run: git remote rename origin upstream - name: Release - run: yarn release run snapshot --workspaces @elastic/eslint-plugin-eui --skip-prompts --use-auth-token + run: yarn release run snapshot --workspaces @elastic/eslint-plugin-eui --skip-prompts --skip-auth-check --use-auth-token diff --git a/packages/release-cli/src/cli.ts b/packages/release-cli/src/cli.ts index 8a84c364fff..edddfb337e4 100644 --- a/packages/release-cli/src/cli.ts +++ b/packages/release-cli/src/cli.ts @@ -39,7 +39,8 @@ export const cli = () => { }) .option('allowCustom', { type: 'boolean', - description: '[UNSAFE!] Allow custom releases from unpushed changes. This should only be used with snapshot or custom releases', + description: + '[UNSAFE!] Allow custom releases from unpushed changes. This should only be used with snapshot or custom releases', default: false, }) .option('verbose', { @@ -56,7 +57,14 @@ export const cli = () => { }) .option('skipUpdateVersions', { type: 'boolean', - description: '[UNSAFE!] Skip the update version step. This should only be used for special releases like backports. The --workspaces argument is required when this argument is set.', + description: + '[UNSAFE!] Skip the update version step. This should only be used for special releases like backports. The --workspaces argument is required when this argument is set.', + default: false, + }) + .option('skipAuthCheck', { + type: 'boolean', + description: + '[UNSAFE!] Skip the registry authentication check during init. This should only be used with npm trusted publishing configured.', default: false, }) .option('useAuthToken', { @@ -76,6 +84,7 @@ export const cli = () => { skipPrompts, skipUpdateVersions, useAuthToken, + skipAuthCheck, } = argv; const logger = new Logger(verbose); @@ -88,6 +97,7 @@ export const cli = () => { skipPrompts, skipUpdateVersions, useAuthToken, + skipAuthCheck, allowCustomReleases: allowCustom, }); } catch (err) { diff --git a/packages/release-cli/src/release.ts b/packages/release-cli/src/release.ts index 58e2825350f..aecc1dfbc16 100644 --- a/packages/release-cli/src/release.ts +++ b/packages/release-cli/src/release.ts @@ -30,6 +30,7 @@ export interface ReleaseOptions { allowCustomReleases: boolean; skipPrompts: boolean; skipUpdateVersions: boolean; + skipAuthCheck: boolean; useAuthToken: boolean; } @@ -79,6 +80,10 @@ export const release = async (options: ReleaseOptions) => { } } + if (options.skipAuthCheck) { + logger.warning('--skip-auth-check is set'); + } + const allWorkspaces = await getYarnWorkspaces(); let currentWorkspaces: Array = []; diff --git a/packages/release-cli/src/steps/init_checks.ts b/packages/release-cli/src/steps/init_checks.ts index 018ebffb894..efa4e3b8428 100644 --- a/packages/release-cli/src/steps/init_checks.ts +++ b/packages/release-cli/src/steps/init_checks.ts @@ -75,17 +75,21 @@ export const stepInitChecks = async (options: ReleaseOptions) => { )}) on branch ${chalk.underline.bold(currentBranch)}` ); - const registryUser = await getAuthenticatedUser(); - if (!registryUser) { - throw new ValidationError( - 'Authentication to npmjs is required. Please log in before running' + - ' this command again.', - `To authenticate run the following command:\n` + - ` ${chalk.yellowBright('yarn npm login')}` - ); - } + if (!options.skipAuthCheck) { + const registryUser = await getAuthenticatedUser(); + if (!registryUser) { + throw new ValidationError( + 'Authentication to npmjs is required. Please log in before running' + + ' this command again.', + `To authenticate run the following command:\n` + + ` ${chalk.yellowBright('yarn npm login')}` + ); + } - logger.info(`Logged in to npmjs as ${registryUser}`); + logger.info(`Logged in to npmjs as ${registryUser}`); + } else { + logger.info('Skipping the registry authentication check'); + } const npmRegistry = await getYarnRegistryServer(); if (npmRegistry) { From 9f601dd47585bc26eba15abc4d29a4271db02422 Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Wed, 5 Nov 2025 23:39:25 +0100 Subject: [PATCH 08/16] build: fetch the whole git history and configure git for committing --- .github/workflows/release.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0bab56b21be..df3c2449058 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -73,6 +73,15 @@ jobs: needs: [ lint_and_unit_tests, cypress_tests ] steps: - uses: actions/checkout@v4 + with: + ref: ${{ inputs.release_ref }} + # This is needed for yarn version to work properly, but it increases fetch time. + # We can change this back to "1" if we replace yarn version with something else + fetch-depth: 0 + - name: Configure git + run: | + git config --global user.name 'EUI Machine' + git config --global user.email 'tkajtoch@users.noreply.github.com' - uses: actions/setup-node@v6 with: node-version-file: .nvmrc From 2a1ef0888d857680b56c6f76314c6334a9419779 Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Wed, 12 Nov 2025 23:43:46 +0100 Subject: [PATCH 09/16] build: add `--dry-run` flag # Conflicts: # packages/release-cli/src/npm_utils.ts # Conflicts: # packages/release-cli/src/npm_utils.ts --- .github/workflows/release.yml | 2 +- packages/release-cli/src/cli.ts | 9 ++++++++- packages/release-cli/src/npm_utils.ts | 3 +-- packages/release-cli/src/release.ts | 7 ++++++- packages/release-cli/src/steps/publish.ts | 4 ++-- 5 files changed, 18 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index df3c2449058..f399e07c02f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -94,4 +94,4 @@ jobs: - name: Rename git remote to upstream run: git remote rename origin upstream - name: Release - run: yarn release run snapshot --workspaces @elastic/eslint-plugin-eui --skip-prompts --skip-auth-check --use-auth-token + run: yarn release run snapshot --workspaces @elastic/eslint-plugin-eui --skip-prompts --skip-auth-check --use-auth-token --dry-run diff --git a/packages/release-cli/src/cli.ts b/packages/release-cli/src/cli.ts index edddfb337e4..b7bff92046a 100644 --- a/packages/release-cli/src/cli.ts +++ b/packages/release-cli/src/cli.ts @@ -49,6 +49,11 @@ export const cli = () => { description: 'Enable verbose logging', default: false, }) + .option('dryRun', { + type: 'boolean', + description: 'Do not publish any packages to the npm registry', + default: false, + }) .option('skipPrompts', { type: 'boolean', description: @@ -72,7 +77,7 @@ export const cli = () => { description: 'Use npm auth token instead of the regular npm user authentication and one-time passwords (OTP). Use in CI only!', default: false, - }); + }) }, async (argv) => { const { @@ -81,6 +86,7 @@ export const cli = () => { workspaces, allowCustom, verbose, + dryRun, skipPrompts, skipUpdateVersions, useAuthToken, @@ -94,6 +100,7 @@ export const cli = () => { tag, workspaces, logger, + dryRun, skipPrompts, skipUpdateVersions, useAuthToken, diff --git a/packages/release-cli/src/npm_utils.ts b/packages/release-cli/src/npm_utils.ts index fd378b58361..b135e9176cd 100644 --- a/packages/release-cli/src/npm_utils.ts +++ b/packages/release-cli/src/npm_utils.ts @@ -50,9 +50,8 @@ export const npmExecPublish = ({ const otpStr = otp ? `--otp ${otp}` : ''; const dryRunStr = dryRun ? '--dry-run' : ''; - // TODO: Un-hardcode dry-run argument return execSync( - `npm publish ${packageArchivePath} --tag ${tag} --access public --dry-run ${otpStr}`, + `npm publish ${packageArchivePath} --tag ${tag} --access public ${dryRunStr} ${otpStr}`, { stdio: 'inherit', encoding: 'utf8' } ); }; diff --git a/packages/release-cli/src/release.ts b/packages/release-cli/src/release.ts index aecc1dfbc16..0fd05f07213 100644 --- a/packages/release-cli/src/release.ts +++ b/packages/release-cli/src/release.ts @@ -27,6 +27,7 @@ export interface ReleaseOptions { tag?: string; workspaces?: string[]; logger: Logger; + dryRun: boolean; allowCustomReleases: boolean; skipPrompts: boolean; skipUpdateVersions: boolean; @@ -35,7 +36,11 @@ export interface ReleaseOptions { } export const release = async (options: ReleaseOptions) => { - const { type, logger } = options; + const { dryRun, type, logger } = options; + + if (dryRun) { + logger.warning('--dry-run is enabled. No packages will be published to the npm registry'); + } // Process tag if (type === 'official') { diff --git a/packages/release-cli/src/steps/publish.ts b/packages/release-cli/src/steps/publish.ts index 7dbf6e9d565..e2633306f15 100644 --- a/packages/release-cli/src/steps/publish.ts +++ b/packages/release-cli/src/steps/publish.ts @@ -25,7 +25,7 @@ export const stepPublish = async ( options: ReleaseOptions, workspacesToPublish: Array ) => { - const { logger } = options; + const { logger, dryRun } = options; const rootWorkspaceDir = getRootWorkspaceDir(); const publishedWorkspaces: Array = []; @@ -61,9 +61,9 @@ export const stepPublish = async ( npmExecPublish({ packageArchivePath: packDetails.output, - dryRun: true, // tag is always defined at this stage. See release.ts tag: options.tag!, + dryRun, otp, }); } catch (err) { From c001ec90d169f96598bf26deef631f434d7cd614 Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Fri, 14 Nov 2025 19:28:40 +0100 Subject: [PATCH 10/16] build: populate the workspaces argument based on workflow input --- .github/workflows/release.yml | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f399e07c02f..ec254c9c479 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -67,9 +67,10 @@ jobs: run: yarn workspaces foreach --all --parallel --topological-dev --exclude @elastic/eui-website --exclude @elastic/eui-monorepo --exclude @elastic/eui-docgen run build - name: Cypress tests run: yarn workspaces foreach --all --parallel --topological-dev --exclude @elastic/eui-website --exclude @elastic/eui-monorepo --exclude @elastic/eui-docgen run test-cypress - release: - name: Release + release_snapshot: + name: Create a snapshot release runs-on: ubuntu-latest + if: ${{ inputs.type == 'snapshot' }} needs: [ lint_and_unit_tests, cypress_tests ] steps: - uses: actions/checkout@v4 @@ -93,5 +94,18 @@ jobs: run: yarn workspace @elastic/eui-release-cli run build - name: Rename git remote to upstream run: git remote rename origin upstream + - name: Prepare list of workspaces + id: prepare_workspaces_arg + uses: actions/github-script@v8 + env: + WORKSPACES: ${{ inputs.workspaces }} + with: + # language=javascript + script: | + if (!process.env.WORKSPACES || typeof process.env.WORKSPACES !== 'string') { + return ''; + } + return `--workspaces ${process.env.WORKSPACES.split(',').join(' ')}`; + result-encoding: string - name: Release - run: yarn release run snapshot --workspaces @elastic/eslint-plugin-eui --skip-prompts --skip-auth-check --use-auth-token --dry-run + run: yarn release run snapshot --skip-prompts --skip-auth-check --use-auth-token --dry-run ${{ steps.prepare_workspaces.outputs.result }} From 3f2bb900c2917fbadcdd9063cdb66d6892628892 Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Fri, 14 Nov 2025 19:46:52 +0100 Subject: [PATCH 11/16] build: enable `--dry-run` flag control through workflow input --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ec254c9c479..d2a44c9da2c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -108,4 +108,4 @@ jobs: return `--workspaces ${process.env.WORKSPACES.split(',').join(' ')}`; result-encoding: string - name: Release - run: yarn release run snapshot --skip-prompts --skip-auth-check --use-auth-token --dry-run ${{ steps.prepare_workspaces.outputs.result }} + run: yarn release run snapshot --skip-prompts --skip-auth-check --use-auth-token ${{ inputs.dry_run && '--dry-run'}} ${{ steps.prepare_workspaces.outputs.result }} From 6a07d3b4221fe188e20ebc6f218e1ccda1099496 Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Fri, 14 Nov 2025 20:24:01 +0100 Subject: [PATCH 12/16] build: allow snapshot releases from a commit other than HEAD --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d2a44c9da2c..fd96ddc03bd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -108,4 +108,4 @@ jobs: return `--workspaces ${process.env.WORKSPACES.split(',').join(' ')}`; result-encoding: string - name: Release - run: yarn release run snapshot --skip-prompts --skip-auth-check --use-auth-token ${{ inputs.dry_run && '--dry-run'}} ${{ steps.prepare_workspaces.outputs.result }} + run: yarn release run snapshot --skip-prompts --skip-auth-check --use-auth-token --allow-custom ${{ inputs.dry_run && '--dry-run'}} ${{ steps.prepare_workspaces.outputs.result }} From 49f33d20414dc836f851140e57ab055ced33637b Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Fri, 14 Nov 2025 20:59:50 +0100 Subject: [PATCH 13/16] build: fix typo in `prepare_workspaces` --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fd96ddc03bd..fac136e701f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -108,4 +108,4 @@ jobs: return `--workspaces ${process.env.WORKSPACES.split(',').join(' ')}`; result-encoding: string - name: Release - run: yarn release run snapshot --skip-prompts --skip-auth-check --use-auth-token --allow-custom ${{ inputs.dry_run && '--dry-run'}} ${{ steps.prepare_workspaces.outputs.result }} + run: yarn release run snapshot --skip-prompts --skip-auth-check --use-auth-token --allow-custom ${{ inputs.dry_run && '--dry-run'}} ${{ steps.prepare_workspaces_arg.outputs.result }} From 42d0b81bf81b367f330713cd824880fe448dafd3 Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Fri, 14 Nov 2025 21:26:27 +0100 Subject: [PATCH 14/16] build: enable trusted publishing --- .github/workflows/release.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fac136e701f..6ad064b8430 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,9 +24,9 @@ on: required: true type: boolean -#permissions: -# id-token: write # Required for OIDC -# contents: read +permissions: + id-token: write # Required for OIDC + contents: read jobs: lint_and_unit_tests: From 3832d904c628f7cb1b82bc183cb4b7fe44445f67 Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Fri, 14 Nov 2025 21:49:46 +0100 Subject: [PATCH 15/16] build: fix `dry_run` input value in the release command --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6ad064b8430..5ff5ed050f8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -108,4 +108,4 @@ jobs: return `--workspaces ${process.env.WORKSPACES.split(',').join(' ')}`; result-encoding: string - name: Release - run: yarn release run snapshot --skip-prompts --skip-auth-check --use-auth-token --allow-custom ${{ inputs.dry_run && '--dry-run'}} ${{ steps.prepare_workspaces_arg.outputs.result }} + run: yarn release run snapshot --skip-prompts --skip-auth-check --use-auth-token --allow-custom ${{ inputs.dry_run && '--dry-run' || ''}} ${{ steps.prepare_workspaces_arg.outputs.result }} From 3eab44b42b14d866b2414989b853d8a8ce9448c4 Mon Sep 17 00:00:00 2001 From: Tomasz Kajtoch Date: Mon, 17 Nov 2025 11:51:21 +0100 Subject: [PATCH 16/16] Use static version of npm --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5ff5ed050f8..b6d4df9b35d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -89,7 +89,7 @@ jobs: cache: yarn registry-url: 'https://registry.npmjs.org' - name: Install dependencies - run: npm install -g npm@latest && yarn install --immutable + run: npm install -g npm@11.6.2 && yarn install --immutable - name: Build release scripts run: yarn workspace @elastic/eui-release-cli run build - name: Rename git remote to upstream