ci: publish npm package with provenance statement (#130) #34
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish npm Release | |
on: | |
push: | |
tags: | |
- v[0-9]+.[0-9]+.[0-9]+ | |
jobs: | |
test: | |
uses: ./.github/workflows/test.yml | |
with: | |
electron-version: ${{ github.ref_name }} | |
release: | |
runs-on: ubuntu-latest | |
needs: test | |
environment: npm | |
permissions: | |
contents: write # for creating new release | |
id-token: write # for CFA | |
steps: | |
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
- name: "Use Node.js ${{ matrix.node-version }}" | |
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3 | |
with: | |
node-version: "20.16.0" | |
- name: Update Version | |
run: node script/update-version.js ${{ github.ref_name }} | |
- name: Confirm Version Updated | |
run: node -e "if (require('./package.json').version === '0.0.0-development') process.exit(1)" | |
- name: Install Dependencies | |
run: npm ci | |
- name: Obtain OIDC token | |
id: oidc | |
run: | | |
token=$(curl --fail -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ | |
"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=continuousauth.dev" | jq -r '.value') | |
echo "::add-mask::${token}" | |
echo "token=${token}" >> $GITHUB_OUTPUT | |
- name: Obtain GitHub credentials | |
id: github_creds | |
run: | | |
token=$(curl --fail "https://continuousauth.dev/api/request/${{ secrets.CFA_PROJECT_ID }}/github/credentials" \ | |
-X POST \ | |
-H "Content-Type: application/json" \ | |
-H "Authorization: bearer ${{ secrets.CFA_SECRET }}" \ | |
--data "{\"token\":\"${{ steps.oidc.outputs.token }}\"}" | jq -r '.GITHUB_TOKEN') | |
echo "::add-mask::${token}" | |
echo "token=${token}" >> $GITHUB_OUTPUT | |
- name: Set NPM Credentials | |
run: echo //registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }} > ~/.npmrc | |
- name: Check NPM Credentials | |
run: npm whoami | |
- name: CFA Publish | |
env: | |
CFA_PROJECT_ID: ${{ secrets.CFA_PROJECT_ID }} | |
CFA_SECRET: ${{ secrets.CFA_SECRET }} | |
GITHUB_OIDC_TOKEN: ${{ steps.oidc.outputs.token }} | |
run: node script/publish.js | |
- name: Create Release | |
env: | |
GITHUB_TOKEN: ${{ steps.github_creds.outputs.token }} | |
run: gh release create ${{ github.ref_name }} -t ${{ github.ref_name }} |