fix(ci): use dart-lang/setup-dart reusable workflow for OIDC publish #116
kherembourg merged 2 commits into main from
Conversation
`flutter pub publish --force` does not perform the OIDC token exchange with pub.dev on its own, so the previous job fell back to interactive OAuth and hung waiting for a localhost callback. Switch the 3 publish jobs to call the official reusable workflow `dart-lang/setup-dart/.github/workflows/publish.yml@v1`, which sets up dart, exchanges the GitHub OIDC token for pub.dev credentials, and runs `dart pub publish --force`. The validate job (with `flutter pub publish --dry-run`) is unchanged. A small `wait-after-purchasely` job preserves the 30s sleep before the google/player packages publish, since they depend on `purchasely_flutter` and need pub.dev to have indexed it. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
| Filename | Overview |
|---|---|
| .github/workflows/publish.yml | Replaces custom OAuth publish steps with the official dart-lang/setup-dart OIDC reusable workflow; extracts a wait-after-purchasely job to preserve the 30 s pub.dev indexing delay. Two minor P2 style items: floating @v1 tag instead of a pinned SHA, and the wait job lacks an explicit if guard. |
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A([Tag push / workflow_dispatch]) --> B[validate]
B --> C{publish condition met?}
C -- No --> Z([skip publish jobs])
C -- Yes --> D[publish-purchasely\nOIDC via dart-lang/setup-dart]
D --> E[wait-after-purchasely\nsleep 30s]
E --> F[publish-google\nOIDC via dart-lang/setup-dart]
E --> G[publish-player\nOIDC via dart-lang/setup-dart]
F --> H[summary]
G --> H
### Issue 1 of 2
.github/workflows/publish.yml:101
**Pin reusable workflow to a commit SHA**
The `@v1` floating tag means the workflow will automatically pick up any new commits the `dart-lang` maintainers push to that tag, including potential supply-chain compromises. Pinning to a full SHA is the GitHub-recommended hardening step for third-party Actions and reusable workflows — and the pattern applies to all three `uses:` references here (`publish-purchasely`, `publish-google`, `publish-player`).
(Replace the SHA with the current HEAD of the `v1` tag at merge time.)
### Issue 2 of 2
.github/workflows/publish.yml:106-111
**`wait-after-purchasely` inherits implicit skip via `success()` — consider making it explicit**
When `publish-purchasely` is skipped (e.g. `workflow_dispatch` with `dry_run: true`), GitHub's default `if: success()` on `wait-after-purchasely` will correctly skip it too, and the downstream publish jobs follow suit. The behaviour is correct, but adding the same guard as `publish-purchasely` makes the intent self-documenting and prevents surprises if the dependency chain is ever restructured.
Reviews (1): Last reviewed commit: "fix(ci): use dart-lang/setup-dart reusab..."
Pull request overview
Updates the pub.dev publishing workflow to use the official dart-lang/setup-dart reusable workflow so publishing can authenticate via GitHub OIDC instead of hanging on interactive OAuth.
Changes:
- Replaces the three `flutter pub publish --force` jobs with calls to `dart-lang/setup-dart/.github/workflows/publish.yml@v1` (OIDC-based publish).
- Adds a lightweight `wait-after-purchasely` job to preserve the 30s delay before publishing dependent packages.
- Keeps the existing validation flow (`flutter pub publish --dry-run`) unchanged.
- Pin dart-lang/setup-dart reusable workflow to commit SHA 65eb853c7ba17dde3be364c3d2858773e7144260 (v1) for supply-chain hardening per Greptile suggestion.
- Add explicit `contents: read` permission to the 3 publish jobs (Copilot): when overriding permissions, the implicit defaults are removed; actions/checkout in the called workflow needs read access.
- Make the skip condition on `wait-after-purchasely` explicit (Greptile) for self-documentation and resilience to future dependency changes.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
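The three hardening items in this commit, shown as the weak job definitions beside the corrected ones. This is an added illustration, not the repository's `publish.yml`; the `dry_run` workflow_dispatch input, the skip condition, and the package directory names are assumptions.

```yaml
# Added example, not the project's workflow. Assumed: a workflow_dispatch input
# `dry_run` and package directories purchasely_flutter/ and purchasely_google/.
#
# BEFORE: floating tag, `permissions` override drops the implicit contents:read,
# and the wait job is skipped only through the default `if: success()`.
jobs:
  publish-purchasely:
    needs: validate
    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs.dry_run) }}
    permissions:
      id-token: write        # lets the job mint the GitHub OIDC token for pub.dev
    uses: dart-lang/setup-dart/.github/workflows/publish.yml@v1
    with:
      working-directory: purchasely_flutter
  wait-after-purchasely:
    needs: publish-purchasely
    runs-on: ubuntu-latest
    steps:
      - run: sleep 30        # let pub.dev index purchasely_flutter first
---
# AFTER: SHA pinned to the v1 commit named in this PR, contents:read restored,
# and the same skip guard repeated on every job in the chain.
jobs:
  publish-purchasely:
    needs: validate
    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs.dry_run) }}
    permissions:
      id-token: write        # OIDC token exchange with pub.dev
      contents: read         # actions/checkout inside the called workflow needs it
    uses: dart-lang/setup-dart/.github/workflows/publish.yml@65eb853c7ba17dde3be364c3d2858773e7144260 # v1
    with:
      working-directory: purchasely_flutter
  wait-after-purchasely:
    needs: publish-purchasely
    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs.dry_run) }}
    runs-on: ubuntu-latest
    steps:
      - run: sleep 30        # 30 s for pub.dev to index purchasely_flutter
  publish-google:
    needs: wait-after-purchasely
    if: ${{ !(github.event_name == 'workflow_dispatch' && inputs.dry_run) }}
    permissions:
      id-token: write
      contents: read
    uses: dart-lang/setup-dart/.github/workflows/publish.yml@65eb853c7ba17dde3be364c3d2858773e7144260 # v1
    with:
      working-directory: purchasely_google
```

The `# v1` trailer after the SHA keeps the human-readable version next to the pin so tools such as Dependabot can still propose bumps; the `---` simply separates the two YAML documents for side-by-side reading.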
Summary
The previous `flutter pub publish --force` job hung on interactive OAuth (localhost callback) because it never performed the OIDC token exchange with pub.dev.
Switch the 3 publish jobs to call the official reusable workflow `dart-lang/setup-dart/.github/workflows/publish.yml@v1`, which:
- sets up dart,
- exchanges the GitHub OIDC token for pub.dev credentials, and
- runs `dart pub publish --force`.
The `validate` job (with `flutter pub publish --dry-run`) is unchanged.
A small `wait-after-purchasely` job preserves the 30s sleep before publishing `purchasely_google` and `purchasely_android_player`, since they depend on `purchasely_flutter` and need pub.dev to have indexed it.
Prerequisite
Automated publishing has been configured on pub.dev for the 3 packages with:
- repository: `Purchasely/Purchasely-Flutter`
- tag pattern: `v{{version}}`
- environment: `pub.dev`
Test plan
- `v5.7.3` to retrigger publish.yml — expect successful publish to pub.dev for the 3 packages
🤖 Generated with Claude Code