From 43530c087fb86e8632c31451744a2e334b1e2aaf Mon Sep 17 00:00:00 2001
From: Varun Sharma <varunsh@stepsecurity.io>
Date: Fri, 14 Oct 2022 11:25:15 -0700
Subject: [PATCH] Address review comments

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
---
 .github/workflows/npm-publish.yml | 39 ++++++++++++++++---------------
 1 file changed, 20 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index f94f9b4fe4..acb9d31f03 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -19,31 +19,30 @@ jobs:
         with:
           ref: ${{ github.event.inputs.tag }}
 
-      - name: Match semver pattern
-        uses: actions-ecosystem/action-regex-match@v2
-        id: regex-match
-        with:
-          text: ${{ github.event.inputs.tag }}
-          regex: '^v((([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)$'
-
       - name: Check package version
         id: cpv
         uses: PostHog/check-package-version@v2
 
+      - run: npm install semver
+
       - name: Validate tag
         uses: actions/github-script@v6
         with:
           script: |
-            const match = `${{ steps.regex-match.outputs.match }}`;
-            if(match === '') {
-              core.setFailed(`Tag ${context.payload.inputs.tag} does not match semver pattern`);
-            } else {
+            const semver = require('semver')
+
+            const tag = `${context.payload.inputs.tag}`;
+            const version = tag.substring(1);
+
+            if (semver.valid(version)) {
               const isNewVersion = `${{ steps.cpv.outputs.is-new-version }}`;
-              if(isNewVersion === 'true') {
+              if (isNewVersion === 'true') {
                 console.log(`Version ${context.payload.inputs.tag} has not been published yet`);
               } else {
                 core.setFailed(`Version ${context.payload.inputs.tag} is already published`);
               }
+            } else {
+              core.setFailed(`Tag ${context.payload.inputs.tag} does not match semver pattern`);
             }
   check-status:
     needs: check-version
@@ -86,7 +85,7 @@ jobs:
               });
 
               for (const check_run of check_runs.data.check_runs) {
-                if (!(check_run.status === 'completed' && check_run.conclusion === 'success')){
+                if (check_run.status !== 'completed' || check_run.conclusion !== 'success') {
                   console.log(`${check_run.name} check failed`);
                   core.setFailed(`Required status check ${check_run.name} did not succeed`);
                 }
@@ -107,6 +106,7 @@ jobs:
           allowed-endpoints: >
             github.com:443
             hooks.slack.com:443
+            nodejs.org:443
             prod.api.stepsecurity.io:443
             registry.npmjs.org:443
 
@@ -114,12 +114,15 @@ jobs:
         with:
           ref: ${{ github.event.inputs.tag }}
 
-      - uses: actions/setup-node@v3
+      - uses: ljharb/actions/node/install@main
+        name: "nvm install lts/* && npm install"
         with:
-          node-version: "16.x"
-          registry-url: "https://registry.npmjs.org"
+          node-version: "lts/*"
+        env:
+          NPM_CONFIG_LEGACY_PEER_DEPS: true
 
-      - run: npm install
+      - run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NODE_AUTH_TOKEN }}" >> .npmrc
+      - run: npm publish --dry-run
 
       - uses: step-security/wait-for-secrets@v1
         id: wait-for-secrets
@@ -131,5 +134,3 @@ jobs:
               description: 'OTP from authenticator app'
 
       - run: npm publish --access public --otp ${{ steps.wait-for-secrets.outputs.OTP }}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}