Version or Publish Package #5
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Version or Publish Package | |
on: | |
workflow_dispatch: | |
inputs: | |
version_tag: | |
required: true | |
description: The release version | |
type: string | |
concurrency: ${{ github.workflow }}-${{ github.ref }} | |
permissions: | |
id-token: write | |
contents: write | |
attestations: write | |
actions: write | |
pull-requests: write | |
jobs: | |
provenance: | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | |
with: | |
run-scripts: "install-pnpm, install-deps, style, nx-build-skip-cache, nx-test-skip-cache, skip-lib-ignore" | |
node-version: "20.11.1" | |
release: | |
needs: [provenance] | |
name: Version or Publish | |
runs-on: ubuntu-latest | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit | |
- name: Download Artifacts | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
- name: Checkout Repo | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.5.4 | |
with: | |
token: ${{ secrets.SAI_PAT }} | |
- name: Prepare pre-requisites | |
uses: ./.github/actions/prepare | |
- name: Import GPG key | |
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 | |
with: | |
gpg_private_key: ${{ secrets.SVC_GPG_KEY }} | |
passphrase: ${{ secrets.SVC_GPG_PASSPHRASE }} | |
git_config_global: true | |
git_tag_gpgsign: true | |
git_user_signingkey: true | |
git_commit_gpgsign: true | |
- name: Create temp dir | |
id: temp-dir | |
run: | | |
set -euo pipefail | |
temp_dir=$(mktemp -d) | |
echo "path=${temp_dir}" >>"${GITHUB_OUTPUT}" | |
- name: Download tarball | |
uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@934435652996c02a6317092984312602dfaf2a21 # main | |
with: | |
name: ${{ needs.provenance.outputs.package-download-name }} | |
path: "${{ steps.temp-dir.outputs.path }}/${{ needs.provenance.outputs.package-name }}" | |
sha256: ${{ needs.provenance.outputs.package-download-sha256 }} | |
- name: Download provenance | |
uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@0779f7bec68e2bf54a7b0a32bf4763f25ab29702 # v1.6.0 | |
with: | |
name: ${{ needs.provenance.outputs.provenance-download-name }} | |
path: "${{ steps.temp-dir.outputs.path }}" | |
sha256: ${{ needs.provenance.outputs.provenance-download-sha256 }} | |
- name: Unpack the zipped artifact | |
run: | | |
set -euo pipefail | |
cd "${{ steps.temp-dir.outputs.path }}" | |
tar -xzvf "${{ needs.provenance.outputs.package-name }}" -C $GITHUB_WORKSPACE --strip-components=1 | |
cd "$GITHUB_WORKSPACE" | |
pnpm run install-deps | |
pnpm nx-test-skip-cache | |
- name: Enable NPM PROVENANCE | |
run: echo "NPM_CONFIG_PROVENANCE=true" >> $GITHUB_ENV | |
- name: Publish to NPM | |
id: changesets | |
uses: changesets/action@3de3850952bec538fde60aac71731376e57b9b57 # v1.4.8 | |
with: | |
setupGitUser: false | |
version: pnpm ci:version | |
title: "ci: Update the version packages" | |
publish: pnpm release | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
- name: Generate SBOM | |
uses: anchore/sbom-action@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 | |
with: | |
artifact-name: sbom-${{ github.event.repository.name }}-${{ inputs.version_tag }}.spdx.json | |
output-file: /${{ steps.temp-dir.outputs.path }}/sbom-${{ github.event.repository.name }}-${{ inputs.version_tag }}.spdx.json | |
upload-artifact: false | |
upload-release-assets: false | |
- name: Download Artifacts | |
uses: actions/download-artifact@fb598a63ae348fa914e94cd0ff38f362e927b741 | |
- name: Upload attestations SLSA | |
uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 | |
with: | |
subject-path: ${{ needs.provenance.outputs.provenance-download-name }} | |
subject-name: ${{ github.event.repository.name }}-${{ inputs.version_tag }} | |
- name: Upload attestations SBOM | |
uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 | |
with: | |
subject-path: /${{ steps.temp-dir.outputs.path }}/sbom-${{ github.event.repository.name }}-${{ inputs.version_tag }}.spdx.json |