From 76604ce0754ed70d8603805ac39bfbc4b9209cc7 Mon Sep 17 00:00:00 2001
From: Daniel Roe <daniel@roe.dev>
Date: Sat, 16 Mar 2024 13:32:53 -0700
Subject: [PATCH] ci: add release workflow

---
 .github/workflows/release-nightly.yml | 37 +++++++++++++++++++++++++++
 .github/workflows/release.yml         | 21 ++++++++-------
 2 files changed, 49 insertions(+), 9 deletions(-)
 create mode 100644 .github/workflows/release-nightly.yml

diff --git a/.github/workflows/release-nightly.yml b/.github/workflows/release-nightly.yml
new file mode 100644
index 000000000..d16519f76
--- /dev/null
+++ b/.github/workflows/release-nightly.yml
@@ -0,0 +1,37 @@
+name: ci
+
+on:
+  push:
+    branches:
+      - main
+
+# Remove default permissions of GITHUB_TOKEN for security
+# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
+permissions: {}
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    if: ${{ github.repository_owner == 'nuxt' && github.event_name == 'push' }}
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - run: corepack enable
+      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version: 20
+          registry-url: "https://registry.npmjs.org/"
+          cache: "pnpm"
+
+      - name: Install dependencies
+        run: pnpm install
+
+      - name: Prepare build environment
+        run: pnpm dev:prepare
+
+      - name: nightly release
+        run: pnpm changelogen --canary nightly --publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 29f602b3c..943d0c1b4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,20 +1,23 @@
-name: ci
+name: release
 
 on:
-  push:
-    branches:
-      - main
+  workflow_dispatch:
 
+# Remove default permissions of GITHUB_TOKEN for security
+# https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
 permissions: {}
 
 jobs:
   release:
-    runs-on: ubuntu-latest
-    if: ${{ github.repository_owner == 'nuxt' && github.event_name == 'push' }}
+    if: github.repository_owner == 'nuxt'
     permissions:
       id-token: write
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          fetch-depth: 0
       - run: corepack enable
       - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
@@ -28,8 +31,8 @@ jobs:
       - name: Prepare build environment
         run: pnpm dev:prepare
 
-      - name: nightly release
-        run: pnpm changelogen --canary nightly --publish
+      - name: Release
+        run: pnpm changelogen --publish
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.RELEASE_NODE_AUTH_TOKEN }}
           NPM_CONFIG_PROVENANCE: true