Skip to content

ci: publish npm package with provenance statement (#151) #16

ci: publish npm package with provenance statement (#151)

ci: publish npm package with provenance statement (#151) #16

Workflow file for this run

name: Publish npm Release
on:
push:
tags:
- v[0-9]+.[0-9]+.[0-9]+
jobs:
test:
uses: ./.github/workflows/test.yml
with:
electron-version: ${{ github.ref_name }}
release:
runs-on: ubuntu-latest
needs: test
environment: npm
permissions:
contents: write # for creating new release
id-token: write # for CFA
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: "Use Node.js ${{ matrix.node-version }}"
uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
with:
node-version: "20.16.0"
- name: Update Version
run: node script/update-version.js ${{ github.ref_name }}
- name: Confirm Version Updated
run: node -e "if (require('./package.json').version === '0.0.0-development') process.exit(1)"
- name: Install Dependencies
run: npm ci
- name: Obtain OIDC token
id: oidc
run: |
token=$(curl --fail -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
"$ACTIONS_ID_TOKEN_REQUEST_URL&audience=continuousauth.dev" | jq -r '.value')
echo "::add-mask::${token}"
echo "token=${token}" >> $GITHUB_OUTPUT
- name: Obtain GitHub credentials
id: github_creds
run: |
token=$(curl --fail "https://continuousauth.dev/api/request/${{ secrets.CFA_PROJECT_ID }}/github/credentials" \
-X POST \
-H "Content-Type: application/json" \
-H "Authorization: bearer ${{ secrets.CFA_SECRET }}" \
--data "{\"token\":\"${{ steps.oidc.outputs.token }}\"}" | jq -r '.GITHUB_TOKEN')
echo "::add-mask::${token}"
echo "token=${token}" >> $GITHUB_OUTPUT
- name: Set NPM Credentials
run: echo //registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }} > ~/.npmrc
- name: Check NPM Credentials
run: npm whoami
- name: CFA Publish
env:
CFA_PROJECT_ID: ${{ secrets.CFA_PROJECT_ID }}
CFA_SECRET: ${{ secrets.CFA_SECRET }}
GITHUB_OIDC_TOKEN: ${{ steps.oidc.outputs.token }}
run: node script/publish.js
- name: Create Release
env:
GITHUB_TOKEN: ${{ steps.github_creds.outputs.token }}
run: gh release create ${{ github.ref_name }} -t ${{ github.ref_name }}