Enable npm publish --provenance (#311)

Kesin11 · May 15, 2024 · a4207bf · a4207bf
2 parents 2b3eab5 + c7623cc
commit a4207bf
Show file tree

Hide file tree

Showing 4 changed files with 69 additions and 18 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -29,26 +29,37 @@ jobs:
         run: |
           export TAG_NAME=${{ needs.draft_release.outputs.tag_name }}
           echo "VERSION=${TAG_NAME:1}" >> $GITHUB_ENV
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20.x'
+          registry-url: 'https://registry.npmjs.org'
       - uses: earthly/[email protected]
         with:
           version: latest
           github-token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: actions/checkout@v4
-        with:
-          ref: master
 
       # Use GitHub App for bypassing ruleset guard when git push by npm publish
       - uses: actions/create-github-app-token@v1
         id: app-token
         with:
           app-id: ${{ secrets.BYPASS_APP_ID }}
           private-key: ${{ secrets.BYPASS_APP_PRIVATE_KEY }}
+      - uses: actions/checkout@v4
+        with:
+          ref: master
+          token: ${{ steps.app-token.outputs.token }}
+      - name: Setup git config
+        run: |
+          git config user.name github-actions
+          git config user.email [email protected]
+
       # npm publish and push updated package.json
       - name: Publish
         run: |
           npm run release -- --VERSION=$VERSION
+          git push origin master
         env:
-          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
           NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
 
       # Publish github releases. Also tag will be created.

diff --git a/.github/workflows/release_test.yml b/.github/workflows/release_test.yml
@@ -0,0 +1,42 @@
+name: Prepublish for release test
+on:
+  workflow_dispatch:
+jobs:
+  prerelease:
+    runs-on: ubuntu-latest
+    environment:
+        name: dev
+        url: https://www.npmjs.com/package/junit2json
+    permissions:
+      contents: write
+      id-token: write
+    if: github.event_name == 'workflow_dispatch'
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20.x'
+          registry-url: 'https://registry.npmjs.org'
+      - uses: earthly/[email protected]
+        with:
+          version: latest
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup git config
+        run: |
+          git config user.name github-actions
+          git config user.email [email protected]
+
+      # npm publish and push updated package.json
+      - name: PrePublish
+        run: |
+          npm run release:prepublish
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}
+
+      - name: Commit and push changes
+        run: |
+          git add package*.json
+          git commit -m "debug: npm run release:prepublish"
+          git push
diff --git a/Earthfile b/Earthfile
@@ -12,18 +12,16 @@ build:
   RUN npm run build
   SAVE ARTIFACT dist/ dist
 
-publish:
-  RUN --no-cache --secret GITHUB_TOKEN \
-      git clone --depth=1 --branch=master https://github.com/Kesin11/ts-junit2json.git && \
-      git config --global user.name "github-actions" && \
-      git config --global user.email "[email protected]" && \
-      git config --global url."https://x-access-token:${GITHUB_TOKEN}@github.com/".insteadOf "https://github.com/"
-  WORKDIR ts-junit2json
+# Test publishing from local purpose
+prepublish:
+  LOCALLY
+  COPY +build/dist dist/
+  RUN npm version prerelease --no-git-tag-version && \
+      npm publish --provenance --tag=beta
 
+publish:
+  LOCALLY
   ARG --required VERSION
   COPY +build/dist dist/
-  RUN --no-cache --secret NODE_AUTH_TOKEN \
-      echo '//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}' > $HOME/.npmrc && \
-      npm version $VERSION && \
-      npm publish
-  RUN --no-cache --secret GITHUB_TOKEN git push origin master
+  RUN npm version $VERSION && \
+      npm publish --provenance
diff --git a/package.json b/package.json
@@ -34,8 +34,8 @@
     "test": "jest",
     "test:watch": "jest --watch",
     "integrate_test": "node --test integrate_tests/",
-    "release:prepublish": "npm run clean && npm run build && npm version prerelease --no-git-tag-version && npm publish --tag=beta",
-    "release": "earthly --secret NODE_AUTH_TOKEN --secret GITHUB_TOKEN +publish"
+    "release:prepublish": "earthly +prepublish",
+    "release": "earthly +publish"
   },
   "repository": {
     "type": "git",