Skip to content

Commit

Permalink
chore: slsa publishing flow for npm
Browse files Browse the repository at this point in the history 
Signed-off-by: Sam Gammon <[email protected]>
  • Loading branch information
@sgammon
sgammon committed Mar 18, 2024
1 parent 915930b commit 0d9a02c
Show file tree
Hide file tree
Showing 3 changed files with 293 additions and 34 deletions.
220 changes: 220 additions & 0 deletions .github/workflows/ci.publish-package.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,220 @@
name: "Publish: Package"

on:
workflow_call:
inputs:
package:
description: "Package"
type: string
required: true
registry:
description: "Registry"
type: string
default: 'https://registry.npmjs.org'
dry-run:
description: "Dry Run"
type: boolean
default: false
release:
description: "Release to GitHub"
type: boolean
default: false
tag:
description: "Release: Tag"
type: string
draft:
description: "Release: Draft"
type: boolean
prerelease:
description: "Release: Pre-release"
type: boolean
release-name:
description: "Release: Name"
type: string
release-generate:
description: "Release: Generate Notes"
type: boolean
release-latest:
description: "Release: Latest"
type: boolean

secrets:
PUBLISH_TOKEN:
description: "Publishing Token"
required: true

workflow_dispatch:
inputs:
package:
description: "Package"
type: choice
required: true
options:
- java
- maven
- gradle
- indexer
dry-run:
description: "Dry Run"
type: boolean
default: false
registry:
description: "Registry"
type: string
default: 'https://registry.npmjs.org'
release:
description: "Release to GitHub"
type: boolean
default: false
tag:
description: "Release Tag"
type: string
draft:
description: "Release: Draft"
type: boolean
prerelease:
description: "Release: Pre-release"
type: boolean
release-name:
description: "Release: Name"
type: string
release-generate:
description: "Release: Generate Notes"
type: boolean
release-latest:
description: "Release: Latest"
type: boolean

jobs:
build:
name: "Package: Build (${{ inputs.package }})"
runs-on: ubuntu-latest
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
permissions:
contents: read
id-token: write
steps:
- name: "Setup: Harden Runner"
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: "Setup: Checkout"
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
persist-credentials: false
submodules: true
- name: "Setup: Node"
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: ${{ vars.NODE_VERSION || '21' }}
registry-url: 'https://registry.npmjs.org'
- name: "Setup: PNPM"
uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
with:
version: ${{ vars.PNPM_VERSION || '8' }}
run_install: |
- recursive: true
args: [--frozen-lockfile, --strict-peer-dependencies]
- name: "Build: Package (${{ inputs.package }})"
run: cd packages/${{ inputs.package }} && pnpm pack
- name: "Build: Provenance Hashes"
shell: bash
id: hash
run: |
echo "Release assets:"
ls -la packages/*/*.tgz
file packages/*/*.tgz
du -h file packages/*/*.tgz
echo ""
sha256sum packages/*/*.tgz > ./packages/${{ inputs.package }}/pkg-hashes.txt
echo "Hashes:"
cat ./packages/${{ inputs.package }}/pkg-hashes.txt
echo ""
cat ./packages/${{ inputs.package }}/pkg-hashes.txt | base64 -w0 ./packages/${{ inputs.package }}/pkg-hashes-encoded.txt
echo "Encoded Hashes:"
cat ./packages/${{ inputs.package }}/pkg-hashes-encoded.txt
echo ""
echo "hashes=$(cat /tmp/pkg-hashes-encoded.txt)" >> "$GITHUB_OUTPUT"
- name: "Artifact: Packages"
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: javamodules-pkg-${{ inputs.package }}-${{ github.sha }}
retention-days: 30
compression-level: 1
overwrite: true
path: |
packages/${{ inputs.package }}/*.tgz
packages/${{ inputs.package }}/pkg-hashes.txt
packages/${{ inputs.package }}/pkg-hashes-encoded.txt
provenance:
name: "SLSA Provenance (${{ inputs.package }})"
needs: [build]
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
permissions:
actions: read
id-token: write
contents: write
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: ${{ !inputs.dry-run }}

release:
name: "Release to GitHub (${{ inputs.package }})"
needs: [build, provenance]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/') || inputs.release
steps:
- name: "Artifact: Package"
id: releaseArtifact
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: javamodules-pkg-${{ inputs.package }}-${{ github.sha }}
- name: "Artifact: Provenance"
id: provenanceArtifact
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.provenance.outputs.provenance-name }}
- name: "Publish: Release"
uses: softprops/action-gh-release@d99959edae48b5ffffd7b00da66dcdb0a33a52ee # v2.0.2
if: !inputs.dry-run
with:
draft: ${{ inputs.draft }}
prerelease: ${{ inputs.prerelease }}
name: ${{ inputs.release-name }}
tag_name: ${{ inputs.tag || github.ref }}
generate_release_notes: ${{ inputs.release-generate }}
append_body: true
files: |
${{ steps.releaseArtifact.outputs.download-path }}
${{ steps.provenanceArtifact.outputs.download-path }}
publish-npm:
name: "Publish to Registry (${{ inputs.package }})"
needs: [build, provenance, release]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/') || inputs.release
permissions:
id-token: write
contents: write
packages: write
steps:
- name: "Artifact: Package"
id: releaseArtifact
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: javamodules-pkg-${{ inputs.package }}-${{ github.sha }}
- name: "Artifact: Provenance"
id: provenanceArtifact
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.provenance.outputs.provenance-name }}
- name: "Publish to Registry"
if: !inputs.dry-run
run: cd packages/${{ inputs.package }} && pnpm run ${{ inputs.dry-run && 'publish:dry' || 'publish:live' }} --registry=${{ inputs.registry }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
106 changes: 72 additions & 34 deletions .github/workflows/ci.publish-packages.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,32 @@ on:
description: "Dry Run"
type: boolean
default: false
registry:
description: "Registry"
type: string
default: 'https://registry.npmjs.org'
release:
description: "Release to GitHub"
type: boolean
default: false
tag:
description: "Release: Tag"
type: string
draft:
description: "Release: Draft"
type: boolean
prerelease:
description: "Release: Pre-release"
type: boolean
release-name:
description: "Release: Name"
type: string
release-generate:
description: "Release: Generate Notes"
type: boolean
release-latest:
description: "Release: Latest"
type: boolean

secrets:
NPM_PUBLISH_TOKEN:
Expand All @@ -19,47 +45,59 @@ on:
description: "Dry Run"
type: boolean
default: false
registry:
description: "Registry"
type: string
default: 'https://registry.npmjs.org'
release:
description: "Release to GitHub"
type: boolean
default: false
tag:
description: "Release: Tag"
type: string
draft:
description: "Release: Draft"
type: boolean
prerelease:
description: "Release: Pre-release"
type: boolean
release-name:
description: "Release: Name"
type: string
release-generate:
description: "Release: Generate Notes"
type: boolean
release-latest:
description: "Release: Latest"
type: boolean

permissions:
contents: read

jobs:
pack-npm:
name: "Package: JavaScript Releases"
publish-npm:
name: "Publish to NPM (${{ matrix.package }})"
runs-on: ubuntu-latest
permissions:
contents: read
actions: read
id-token: write
contents: write
packages: write
strategy:
fail-fast: false
matrix:
package: ["java", "gradle", "maven"]
steps:
- name: "Setup: Harden Runner"
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
egress-policy: audit
- name: "Setup: Checkout"
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
with:
persist-credentials: false
submodules: true
- name: "Setup: Node"
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
with:
node-version: ${{ vars.NODE_VERSION || '21' }}
registry-url: 'https://registry.npmjs.org'
- name: "Setup: PNPM"
uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
with:
version: ${{ vars.PNPM_VERSION || '8' }}
run_install: |
- recursive: true
args: [--frozen-lockfile, --strict-peer-dependencies]
- name: "Build: Packages"
run: pnpm run -r pack
- name: "Artifact: Packages"
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
- name: "Publish Package"
uses: ./.github/workflows/ci.publish-package.yml
with:
name: javamodules-pkg-release-${{ github.sha }}
retention-days: 30
compression-level: 1
overwrite: true
path: |
packages/*/*.tgz
package: ${{ matrix.package }}
dry-run: ${{ inputs.dry-run }}
registry: ${{ inputs.registry }}
release: ${{ inputs.release }}
tag: ${{ inputs.tag }}
draft: ${{ inputs.draft }}
prerelease: ${{ inputs.prerelease }}
release-name: ${{ inputs.release-name }}
release-latest: ${{ inputs.release-latest }}
1 change: 1 addition & 0 deletions .github/workflows/on.release.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,7 @@ jobs:
packages: write
with:
dry-run: false
release: true

deploy-site:
name: "Deploy"
Expand Down

0 comments on commit 0d9a02c

Please sign in to comment.