chore: Introduce OIDC auth for npm publishing (#14279)
144
.github/workflows/trigger-release.yml
@@ -23,12 +23,20 @@ on:
|
||||
- ".github/**"
|
||||
schedule:
|
||||
- cron: "0 */3 * * *"
|
||||
issue_comment:
|
||||
types:
|
||||
- created
|
||||
|
||||
concurrency: ${{ github.workflow }}-${{ github.ref }}
|
||||
|
||||
permissions:
|
||||
pull-requests: write # to be able to comment on released pull requests
|
||||
id-token: write # to enable use of OIDC for trusted publishing and npm provenance
|
||||
|
||||
jobs:
|
||||
release:
|
||||
name: Trigger Preview Release
|
||||
if: github.event_name != 'issue_comment'
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout Repo
|
||||
@@ -39,13 +47,8 @@ jobs:
|
||||
with:
|
||||
node-version: 20
|
||||
|
||||
- name: Creating .npmrc
|
||||
run: |
|
||||
cat << EOF > "$HOME/.npmrc"
|
||||
//registry.npmjs.org/:_authToken=$NPM_TOKEN
|
||||
EOF
|
||||
env:
|
||||
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
|
||||
- name: Ensure npm 11.5.1+ for OIDC
|
||||
run: npm install -g npm@latest
|
||||
|
||||
- name: Install Dependencies
|
||||
run: yarn
|
||||
@@ -92,3 +95,130 @@ jobs:
|
||||
env:
|
||||
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_RELEASE }}
|
||||
SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK
|
||||
|
||||
snapshot:
|
||||
name: Snapshot Release
|
||||
if: |
|
||||
github.event.issue.pull_request &&
|
||||
github.event.comment.body == '/snapshot-this'
|
||||
runs-on: ubuntu-latest
|
||||
env:
|
||||
TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
|
||||
TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
|
||||
NODE_OPTIONS: "--max_old_space_size=4096"
|
||||
steps:
|
||||
- name: Validate pull request
|
||||
uses: actions/github-script@v6
|
||||
with:
|
||||
script: |
|
||||
try {
|
||||
// Add a rocket reaction to the comment
|
||||
await github.rest.reactions.createForIssueComment({
|
||||
...context.repo,
|
||||
comment_id: context.payload.comment.id,
|
||||
content: 'rocket',
|
||||
})
|
||||
|
||||
// Only allow comment creators who have "write" permissions to repo
|
||||
const actorPermission = (await github.rest.repos.getCollaboratorPermissionLevel({
|
||||
...context.repo,
|
||||
username: context.actor
|
||||
})).data.permission
|
||||
const isPermitted = ['write', 'admin'].includes(actorPermission)
|
||||
if (!isPermitted) {
|
||||
const errorMessage = 'Only users with write permission to the respository can run /snapshot-this'
|
||||
await github.rest.issues.createComment({
|
||||
...context.repo,
|
||||
issue_number: context.issue.number,
|
||||
body: errorMessage,
|
||||
})
|
||||
core.setFailed(errorMessage)
|
||||
return;
|
||||
}
|
||||
|
||||
const pullRequest = await github.rest.pulls.get({
|
||||
...context.repo,
|
||||
pull_number: context.issue.number,
|
||||
})
|
||||
// Pull request from fork
|
||||
if (context.payload.repository.full_name !== pullRequest.data.head.repo.full_name) {
|
||||
const errorMessage = '`/snapshot-this` is not supported on pull requests from forked repositories.'
|
||||
await github.rest.issues.createComment({
|
||||
...context.repo,
|
||||
issue_number: context.issue.number,
|
||||
body: errorMessage,
|
||||
})
|
||||
core.setFailed(errorMessage)
|
||||
}
|
||||
} catch (err) {
|
||||
core.setFailed(`Request failed with error ${err}`)
|
||||
}
|
||||
- name: Checkout pull request branch
|
||||
uses: actions/checkout@v3
|
||||
with:
|
||||
ref: ${{ format('refs/pull/{0}/merge', github.event.issue.number) }}
|
||||
|
||||
# Because changeset entries are consumed and removed on the
|
||||
# 'changeset-release/main' branch, we need to reset the files
|
||||
# so the following 'changeset version --snapshot' command will
|
||||
# regenerate the package version bumps with the snapshot releases
|
||||
- name: Reset changeset entries on changeset-release/main branch
|
||||
run: |
|
||||
if [[ $(git branch --show-current) == 'changeset-release/main' ]]; then
|
||||
git checkout origin/main -- .changeset
|
||||
fi
|
||||
- name: Setup Node.js
|
||||
uses: actions/setup-node@v4
|
||||
with:
|
||||
node-version: 20
|
||||
cache: "yarn"
|
||||
|
||||
- name: Ensure npm 11.5.1+ for OIDC
|
||||
run: npm install -g npm@latest
|
||||
|
||||
- name: Install dependencies
|
||||
uses: ./.github/actions/cache-deps
|
||||
with:
|
||||
extension: snapshot-this
|
||||
skip-build: "true"
|
||||
|
||||
- name: Build Packages
|
||||
shell: "bash"
|
||||
run: yarn build
|
||||
|
||||
- name: Create and publish snapshot release
|
||||
uses: actions/github-script@v6
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
with:
|
||||
script: |
|
||||
await exec.exec('yarn run changeset version --snapshot snapshot')
|
||||
const {stdout} = await exec.getExecOutput('yarn run release:snapshot')
|
||||
const newTags = Array
|
||||
.from(stdout.matchAll(/New tag:\s+([^\s\n]+)/g))
|
||||
.map(([_, tag]) => tag)
|
||||
if (newTags.length) {
|
||||
const multiple = newTags.length > 1
|
||||
const body = (
|
||||
`#### :rocket: A snapshot release has been made for this PR\n\n` +
|
||||
`Test the snapshot${multiple ? 's' : ''} by updating your \`package.json\` ` +
|
||||
`with the newly published version${multiple ? 's' : ''}:\n` +
|
||||
newTags.map(tag => (
|
||||
'```sh\n' +
|
||||
`yarn add ${tag}\n` +
|
||||
'```'
|
||||
)).join('\n') +
|
||||
`\n\n> Latest commit: ${context.sha}`
|
||||
|
||||
)
|
||||
await github.rest.issues.createComment({
|
||||
...context.repo,
|
||||
issue_number: context.issue.number,
|
||||
body,
|
||||
})
|
||||
await github.rest.reactions.createForIssueComment({
|
||||
...context.repo,
|
||||
comment_id: context.payload.comment.id,
|
||||
content: 'hooray',
|
||||
})
|
||||
}
|
||||
|
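Review bot: The new `Ensure npm 11.5.1+ for OIDC` step, added in both the release job and the snapshot job, installs `npm@latest` unpinned, so the client that now holds the OIDC-issued publish credential is whatever npm shipped on the day of the run, and nothing enforces the 11.5.1 floor the step name promises. Pinning it, `run: npm install -g npm@11.5.1`, keeps the publisher reproducible and makes a later bump go through review; if only a floor is wanted, at least append `npm --version` so the log records which client published. With the `.npmrc`/`NPM_TOKEN` block removed, the long-lived token in repository secrets should also be revoked and the npm trusted-publisher entry scoped to this repository and `trigger-release.yml`, assuming the token is not still used by another workflow. Separately, on an `issue_comment` run `context.sha` is the default-branch head rather than the PR commit, so the `Latest commit:` line in the snapshot comment points at the wrong commit; `pullRequest.data.head.sha` or `git rev-parse HEAD` on the checked-out merge ref would be accurate.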
||||