ci: configure npm trusted publishing with provenance #7061
Changes from all commits
b6a9329
ba7ee19
24a3130
8fb3f2f
a0535b5
76fd373
fbe45fb
ef89830
b12382c
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,63 +1,22 @@ | ||
| name: prerelease | ||
| on: | ||
| push: | ||
| branches: | ||
| # releases/<package>/<tag>/<version> | ||
| - releases/*/*/* | ||
| branches: [main] | ||
| pull_request: | ||
| types: [opened, synchronize, reopened] | ||
| jobs: | ||
| prerelease: | ||
| runs-on: ubuntu-24.04 | ||
| runs-on: ubuntu-slim | ||
| steps: | ||
| - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 | ||
| with: | ||
| fetch-depth: 0 | ||
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: '24' | ||
| check-latest: true | ||
| registry-url: 'https://registry.npmjs.org' | ||
| - name: Extract tag, version and package | ||
| id: extract | ||
| run: |- | ||
| ref=${{ github.ref }} | ||
| branch=${ref:11} | ||
| info=${branch:9} | ||
| package_tag=${info%/*} | ||
| package=${package_tag%/*} | ||
| tag=${package_tag#*/} | ||
| version=${info##*/} | ||
| echo "package=${package}" >> $GITHUB_OUTPUT | ||
| echo "tag=${tag}" >> $GITHUB_OUTPUT | ||
| echo "version=${version}" >> $GITHUB_OUTPUT | ||
| - name: Log extracted information | ||
| run: |- | ||
| echo package=${{ steps.extract.outputs.package }} | ||
| echo tag=${{ steps.extract.outputs.tag }} | ||
| echo version=${{ steps.extract.outputs.version }} | ||
| - name: Setup git user | ||
| run: git config --global user.name github-actions | ||
| - name: Setup git email | ||
| run: git config --global user.email github-actions@github.com | ||
| - name: Create fake .git in package subdirectory | ||
| # See https://github.com/npm/cli/issues/2010,https://github.com/npm/npm/issues/9111 | ||
| run: mkdir packages/${{ steps.extract.outputs.package }}/.git | ||
| - name: Run npm version | ||
| run: | ||
| 'npm version --workspace packages/${{ steps.extract.outputs.package }} ${{ steps.extract.outputs.version | ||
| }}-${{ steps.extract.outputs.tag }} -m "chore: release @netlify/${{ steps.extract.outputs.package }} ${{ | ||
| steps.extract.outputs.version }}-${{ steps.extract.outputs.tag }}"' | ||
| - name: Prefix package to git tag | ||
| run: |- | ||
| old_git_tag=v${{ steps.extract.outputs.version}}-${{ steps.extract.outputs.tag }} | ||
| new_git_tag=${{ steps.extract.outputs.package }}-${old_git_tag} | ||
| git tag ${new_git_tag} ${old_git_tag} | ||
| git tag -d ${old_git_tag} | ||
| - name: Push changes | ||
| run: git push --follow-tags | ||
| - name: Install dependencies | ||
| run: npm install | ||
| run: npm ci | ||
| - name: Build workspaces | ||
| run: npx lerna run build | ||
| - run: npm publish packages/${{ steps.extract.outputs.package }}/ --tag=${{ steps.extract.outputs.tag }} | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}} | ||
| - run: npx pkg-pr-new publish './packages/*' | ||
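Review bot: The file still declares no `permissions:` block, yet it now runs on `pull_request` (`opened, synchronize, reopened`), so `npm ci`, `npx lerna run build` and `npx pkg-pr-new publish './packages/*'` execute on contributor-supplied code under the repository's default GITHUB_TOKEN scope; add a top-level `permissions:` with `contents: read` and widen, in the job, only what pkg-pr-new actually needs. Separately, `npx pkg-pr-new publish` resolves whatever version is current at run time while every action in this file is SHA-pinned; pin it to a known version so the preview publisher is not a moving target.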
Check warning: Code scanning / CodeQL: Workflow does not contain permissions (Medium)
Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| name: release | ||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
|
|
||
| permissions: | ||
| contents: write | ||
| pull-requests: write | ||
| id-token: write | ||
|
|
||
| jobs: | ||
| release-please: | ||
| runs-on: ubuntu-24.04 | ||
| outputs: | ||
| releases_created: ${{ steps.release.outputs.releases_created }} | ||
| steps: | ||
| - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4.4.1 | ||
| id: release | ||
| with: | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| publish: | ||
| needs: release-please | ||
| if: ${{ needs.release-please.outputs.releases_created == 'true' }} | ||
|
Contributor: On npm publishing flakes: when the release-please run determines that a release was created but the actual publish fails (i.e. some network or npm registry issues), this would mean there is no way to "retry" to actually publish to npm, so this is a change from the way the CircleCI workflow works.
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: '24' | ||
| check-latest: true | ||
| registry-url: 'https://registry.npmjs.org' | ||
| - name: Install dependencies | ||
| run: npm ci | ||
| - name: Build workspaces | ||
| run: npm run build | ||
| - name: Publish packages | ||
| run: npx lerna publish from-package --yes --no-private | ||
| env: | ||
| NPM_CONFIG_PROVENANCE: true | ||
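Review bot: The workflow-level `permissions:` block grants `contents: write`, `pull-requests: write` and `id-token: write` to both jobs, but each job needs only part of it: `release-please` needs `contents: write` and `pull-requests: write` and has no use for an OIDC token, while `publish` needs `id-token: write` (for trusted publishing with `NPM_CONFIG_PROVENANCE: true`) plus `contents: read` to check out, and should not hold write tokens while it runs `npm ci` and `npm run build` on the checked-out tree. Drop the top-level block and declare `permissions:` per job. On the `if:` gate the contributor comment discusses: because `publish` only runs when `releases_created == 'true'` in the same `push` run, a failed publish cannot be retried without a new release; re-running the failed job, or adding a `workflow_dispatch` trigger that reaches the publish step, would give the retry path the comment asks for.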
serhalp marked this conversation as resolved.
AFAIK this was never actually needed. Possibly copypasta.
I think it might have been needed at least at some point - lerna/lerna#2404 (comment)
But it doesn't matter anymore with trusted publishing.