[actions]: Add npm publish workflow
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>
varunsh-coder committed Oct 19, 2022
1 parent f17395e commit 611b7ac
Showing 1 changed file with 135 additions and 0 deletions.
135 changes: 135 additions & 0 deletions .github/workflows/npm-publish.yml
@@ -0,0 +1,135 @@
name: Publish Package to npm
on:
workflow_dispatch:
inputs:
tag:
description: "Tag to publish"
required: true

permissions:
contents: read

jobs:
check-version:
runs-on: ubuntu-latest
outputs:
is-new-version: ${{ steps.cpv.outputs.is-new-version }}
steps:
- uses: actions/checkout@v3
with:
ref: ${{ github.event.inputs.tag }}

- name: Match semver pattern
uses: actions-ecosystem/action-regex-match@v2
id: regex-match
with:
text: ${{ github.event.inputs.tag }}
regex: '^v((([0-9]+)\.([0-9]+)\.([0-9]+)(?:-([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?)$'

- name: Check package version
id: cpv
uses: PostHog/check-package-version@v2

- name: Validate tag
uses: actions/github-script@v6
with:
script: |
const match = `${{ steps.regex-match.outputs.match }}`;
if(match === '') {
core.setFailed(`Tag ${context.payload.inputs.tag} does not match semver pattern`);
} else {
const isNewVersion = `${{ steps.cpv.outputs.is-new-version }}`;
if(isNewVersion === 'true') {
console.log(`Version ${context.payload.inputs.tag} has not been published yet`);
} else {
core.setFailed(`Version ${context.payload.inputs.tag} is already published`);
}
}
check-status:
needs: check-version
if: needs.check-version.outputs.is-new-version == 'true'
runs-on: ubuntu-latest
steps:
- name: Verify checks passed
uses: actions/github-script@v6
with:
result-encoding: string
retries: 3
script: |
console.log(`Checking status checks for ${context.payload.inputs.tag}`);
const check_suites = await github.rest.checks.listSuitesForRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: context.payload.inputs.tag
});
for (const check_suite of check_suites.data.check_suites) {
if (check_suite.status !== 'completed') {
core.setFailed(`Some workflows for ${context.payload.inputs.tag} are still in-progress`);
}
}
const branch = await github.rest.repos.getBranch({
owner: context.repo.owner,
repo: context.repo.repo,
branch: context.payload.repository.default_branch
});
for (const requiredCheck of branch.data.protection.required_status_checks.checks) {
const check_runs = await github.rest.checks.listForRef({
owner: context.repo.owner,
repo: context.repo.repo,
ref: context.payload.inputs.tag,
check_name: requiredCheck.context
});
for (const check_run of check_runs.data.check_runs) {
if (!(check_run.status === 'completed' && check_run.conclusion === 'success')){
console.log(`${check_run.name} check failed`);
core.setFailed(`Required status check ${check_run.name} did not succeed`);
}
console.log(`${check_run.name} check passed`);
}
}
publish:
needs: check-status
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: step-security/harden-runner@v1
with:
egress-policy: block
allowed-endpoints: >
github.com:443
hooks.slack.com:443
prod.api.stepsecurity.io:443
registry.npmjs.org:443
- uses: actions/checkout@v3
with:
ref: ${{ github.event.inputs.tag }}

- uses: actions/setup-node@v3
with:
node-version: "16.x"
registry-url: "https://registry.npmjs.org"

- run: npm install

- uses: step-security/wait-for-secrets@v1
id: wait-for-secrets
with:
slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
secrets: |
OTP:
name: 'OTP to publish package'
description: 'OTP from authenticator app'
- run: npm publish --access public --otp ${{ steps.wait-for-secrets.outputs.OTP }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
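Review bot: The required-check loop in `check-status` (from `for (const requiredCheck of branch.data.protection.required_status_checks.checks)` onward) lets a required check that has no check run on the tag pass silently, because an empty `check_runs.data.check_runs` never enters the inner loop and so never reaches `core.setFailed`, and the `check passed` log line is printed even on the failure path since it sits after the `if` instead of in an `else`. Failing explicitly when the list is empty and moving the success log into an `else`, as below, makes the gate match its name. Separately, every third-party action in the file is referenced by a mutable tag (`@v1`, `@v2`, `@v3`, `@v6`); in a workflow whose last step holds `NODE_AUTH_TOKEN`, an earlier step in the same job can alter the checkout, `node_modules` or `$GITHUB_ENV` before publish runs, so pinning each `uses:` to a full commit SHA (`actions/checkout@<commit-sha>  # v3`, placeholder) with a trailing version comment would close that path. The OTP is also interpolated straight into the shell line of the final step; routing it through `env:` (`OTP: ${{ steps.wait-for-secrets.outputs.OTP }}`) and invoking `npm publish --access public --otp "$OTP"` keeps action output out of the command string.
```yaml
          script: |
            // … unchanged: check-suite loop, getBranch call, listForRef call …
              if (check_runs.data.check_runs.length === 0) {
                core.setFailed(`Required status check ${requiredCheck.context} has no run for ${context.payload.inputs.tag}`);
              }
              for (const check_run of check_runs.data.check_runs) {
                if (!(check_run.status === 'completed' && check_run.conclusion === 'success')) {
                  console.log(`${check_run.name} check failed`);
                  core.setFailed(`Required status check ${check_run.name} did not succeed`);
                } else {
                  console.log(`${check_run.name} check passed`);
                }
              }
            // … unchanged: closing brace of the requiredCheck loop …
```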
