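# Publishes the package to pub.dev when a version tag is pushed.
# The tag must have the form vX.Y.Z and match the version in pubspec.yaml;
# versions that pub.dev already lists are skipped.
name: Publish

on:
  push:
    tags:
      - "v*"

# Least privilege for GITHUB_TOKEN: this workflow only reads the repository.
permissions:
  contents: read

jobs:
  publish:
    name: publish
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): both actions are referenced by mutable tags (v4, v1).
      # In a job that handles publish credentials, pinning each action to a
      # full commit SHA protects against a retargeted tag.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          # Nothing below pushes to git, so do not leave the token in .git/config.
          persist-credentials: false

      - name: Setup Dart
        uses: dart-lang/setup-dart@v1

      # NOTE(review): pub.dev also supports automated publishing from GitHub
      # Actions via OIDC, which avoids storing a long-lived credentials JSON
      # as a secret. Consider migrating if the package setup allows it.
      - name: Publish package from version tag
        env:
          PUB_CREDENTIALS_JSON: ${{ secrets.PUB_CREDENTIALS_JSON }}
          FALLBACK_PUB_CREDENTIALS_JSON: ${{ secrets.REPO_PUB_CREDENTIALS_JSON }}
        run: |
          set -euo pipefail

          # Only strict vX.Y.Z tags are released; anything else is ignored.
          TAG="${GITHUB_REF#refs/tags/}"
          if ! printf '%s' "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "Tag $TAG does not match required semver pattern vX.Y.Z; skipping."
            exit 0
          fi

          # Read the first top-level name/version entries from pubspec.yaml.
          PACKAGE_NAME="$(sed -nE 's/^name:\s*([^[:space:]]+)\s*$/\1/p' pubspec.yaml | head -n1)"
          PACKAGE_VERSION="$(sed -nE 's/^version:\s*([^[:space:]]+)\s*$/\1/p' pubspec.yaml | head -n1)"
          if [ -z "$PACKAGE_NAME" ] || [ -z "$PACKAGE_VERSION" ]; then
            echo "Failed to parse package name/version from pubspec.yaml."
            exit 1
          fi

          # The tag is the release authority: refuse to publish a mismatched version.
          if [ "$TAG" != "v${PACKAGE_VERSION}" ]; then
            echo "Tag ($TAG) does not match pubspec version (v${PACKAGE_VERSION})."
            exit 1
          fi

          # Fetch first, then match. Piping curl straight into `grep -q` under
          # pipefail can report failure when grep exits on the first match and
          # curl hits a closed pipe, which would skip this shortcut. A failed
          # lookup (for example a package not yet on pub.dev) yields an empty
          # response and falls through to publishing, as before.
          PUBLISHED_JSON="$(curl -fsSL "https://pub.dev/api/packages/${PACKAGE_NAME}" || true)"
          # -F: match the version literally so "." is not treated as a wildcard.
          if grep -Fq -- "\"version\":\"${PACKAGE_VERSION}\"" <<<"$PUBLISHED_JSON"; then
            echo "${PACKAGE_NAME} ${PACKAGE_VERSION} is already published; skipping."
            exit 0
          fi

          # Prefer PUB_CREDENTIALS_JSON; fall back to the repo-level secret.
          RESOLVED_PUB_CREDENTIALS_JSON="${PUB_CREDENTIALS_JSON:-}"
          if [ -z "$RESOLVED_PUB_CREDENTIALS_JSON" ]; then
            RESOLVED_PUB_CREDENTIALS_JSON="${FALLBACK_PUB_CREDENTIALS_JSON:-}"
          fi
          if [ -z "$RESOLVED_PUB_CREDENTIALS_JSON" ]; then
            echo "Missing required pub.dev credentials secret."
            echo "Expected one of: PUB_CREDENTIALS_JSON (preferred) or REPO_PUB_CREDENTIALS_JSON."
            echo "If using user-level secrets, verify this repository is allowed to read them; otherwise set the same secret at repo level."
            exit 1
          fi

          CREDENTIALS_FILE="$HOME/.pub-cache/credentials.json"
          # Remove the credentials file when the step ends, on success or failure.
          trap 'rm -f "$CREDENTIALS_FILE"' EXIT
          mkdir -p "$HOME/.pub-cache"
          # Create the file owner-only from the start, so the secret is never
          # briefly readable under the default umask before chmod runs.
          (umask 077 && printf '%s' "$RESOLVED_PUB_CREDENTIALS_JSON" > "$CREDENTIALS_FILE")
          # Still needed if the file already existed with wider permissions.
          chmod 600 "$CREDENTIALS_FILE"
          # The secret now lives only in the file; keep it out of child-process environments.
          unset PUB_CREDENTIALS_JSON FALLBACK_PUB_CREDENTIALS_JSON RESOLVED_PUB_CREDENTIALS_JSON

          dart pub get
          dart pub publish --dry-run
          dart pub publish --force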