[actions]: Add npm publish workflow #3460

Merged
merged 1 commit into from Oct 22, 2022

varunsh-coder
Contributor

This PR adds a GitHub Actions workflow to publish to npm registry using one-time password (OTP).

  • Runs on workflow dispatch and expects a tag
  • It checks that the tag follows semver pattern and version has not been published before to npm registry
  • Checks that required checks have run and passed when the tag was pushed
  • Uses step-security/wait-for-secrets so OTP can be sent to the workflow

It requires setting two secrets:

  1. NODE_AUTH_TOKEN - this should be a Publish token for npm registry. The package should have "Require two-factor authentication to publish" checked in the package settings.
  2. SLACK_WEBHOOK_URL - this is to get notification on Slack when OTP needs to be entered. If this notification is not needed, I can remove this part from the workflow.

I have also added harden-runner to the publish job.

Examples:

  1. Publish to npm registry: https://github.com/harden-runner-canary/eslint-plugin-react/actions/runs/3237008675/jobs/5303545348#step:8:1
  2. Tag not in semver pattern (failed as expected): https://github.com/harden-runner-canary/eslint-plugin-react/actions/runs/3235307416/jobs/5299550718#step:5:22
  3. Version already published (failed as expected): https://github.com/harden-runner-canary/eslint-plugin-react/actions/runs/3236736891/jobs/5302945983#step:5:22

@ljharb, please let me know if you have any feedback.

Signed-off-by: Varun Sharma varunsh@stepsecurity.io
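
The two pre-publish checks listed in the description above (tag follows the semver pattern, version not yet published), as an added example that is not code from this PR's workflow. `checkReleaseTag`, the optional leading `v`, and the `PUBLISHED` list are assumptions; the pattern is the one suggested at semver.org, not the `semver` module mentioned later in the thread.

```javascript
// Added example, not the PR's workflow code. All names are hypothetical.
// Strict SemVer 2.0.0 pattern (semver.org), anchored at both ends so that
// nothing may precede or trail the version string.
const SEMVER = new RegExp(
  '^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)' +
  '(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)' +
  '(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?' +
  '(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$'
);

// Constructed sample of versions already in the registry. A real workflow
// would obtain this list from the registry before calling the check.
const PUBLISHED = ['7.31.8', '7.31.9', '7.31.10'];

function checkReleaseTag(tag, publishedVersions) {
  if (typeof tag !== 'string') return { ok: false, reason: 'tag-not-string' };

  // Assumption: release tags may carry one leading "v" (v1.2.3 or 1.2.3).
  const version = tag.startsWith('v') ? tag.slice(1) : tag;

  // Reject anything that is not exactly a semver string: partial versions,
  // leading zeros, dist-tags such as "latest", stray whitespace.
  if (!SEMVER.test(version)) return { ok: false, reason: 'not-semver' };

  // SemVer ignores build metadata for precedence, so compare without it:
  // 1.2.3+build.5 must not slip past an existing 1.2.3.
  const core = version.split('+')[0];
  const taken = publishedVersions.some((v) => String(v).split('+')[0] === core);
  if (taken) return { ok: false, reason: 'already-published', version: core };

  return { ok: true, version: core };
}

// Run the check over constructed tags; returns a tag -> outcome map.
function demo() {
  const tags = ['v7.32.0', '8.0.0-rc.1', 'v7.31.10', '7.31.10+build.5',
                'v1.2', 'v01.2.3', 'latest', '7.32.0 '];
  const out = {};
  for (const t of tags) {
    const r = checkReleaseTag(t, PUBLISHED);
    out[t] = r.ok ? 'ok' : r.reason;
  }
  return out;
}

console.log(demo());
```
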

Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>

codecov bot commented Oct 12, 2022

Codecov Report

Merging #3460 (f17395e) into master (f17395e) will not change coverage.
The diff coverage is n/a.

Current head f17395e differs from pull request most recent head 2d24640. Consider uploading reports for the commit 2d24640 to get more accurate results

@@           Coverage Diff           @@
##           master    #3460   +/-   ##
=======================================
  Coverage   97.57%   97.57%           
=======================================
  Files         129      129           
  Lines        9192     9192           
  Branches     3331     3331           
=======================================
  Hits         8969     8969           
  Misses        223      223           


Member

@ljharb ljharb left a comment

Seems great! Just a few comments before we merge it and give it a shot.

@varunsh-coder
Contributor Author

Thanks @ljharb for the review! Updated the workflow.

Here is the latest run:
https://github.com/harden-runner-canary/eslint-plugin-react/actions/runs/3251993055/jobs/5337708215#step:9:156

Example of when version did not match semver pattern using semver module:
https://github.com/harden-runner-canary/eslint-plugin-react/actions/runs/3251600036

Member

@ljharb ljharb left a comment

Thanks, this seems pretty good :-)

ljharb approved these changes Oct 22, 2022
@ljharb ljharb merged commit 88cbcde into jsx-eslint:master Oct 22, 2022
264 checks passed
ljharb pushed a commit to ljharb/eslint-plugin-react that referenced this pull request Nov 18, 2022
Signed-off-by: Varun Sharma <varunsh@stepsecurity.io>