forked from slsa-framework/slsa-github-generator
-
Notifications
You must be signed in to change notification settings - Fork 0
/
action.yml
125 lines (113 loc) · 4.58 KB
/
action.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
# Copyright 2023 SLSA Authors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: "npm-publish"
description: "Publish package and provenance to npm"
inputs:
access:
description: "The package access level. Defaults to 'restricted' for scoped packages, 'public' for unscoped packages"
required: false
default: ""
dist-tag:
description: "The package dist-tag to attach. See `npm help dist-tag` for more information."
required: false
default: "latest"
node-auth-token:
description: "The npm registry auth token used to publish the package."
required: true
node-version:
description: "Version Spec of the version to use. Examples: 12.x, 10.15.1, >=10.15.0."
required: false
type: string
node-version-file:
description: "File containing the version Spec of the version to use. Examples: .nvmrc, .node-version, .tool-versions."
required: false
type: string
package-name:
description: "The file name for the package tarball in the artifact."
required: true
package-download-name:
description: "The artifact name for the package tarball."
required: true
package-download-sha256:
description: "The sha256 of the package tarball artifact."
required: true
provenance-name:
description: "The file name for the package provenance in the artifact."
required: true
provenance-download-name:
description: "The artifact name for the package provenance."
required: true
provenance-download-sha256:
description: "The sha256 of the package provenance artifact."
required: false
runs:
using: "composite"
steps:
- name: Setup Node
uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
with:
node-version: ${{ inputs.node-version }}
node-version-file: ${{ inputs.node-version-file }}
- name: Create temp dir
id: temp-dir
shell: bash
run: |
set -euo pipefail
temp_dir=$(mktemp -d)
echo "path=${temp_dir}" >>"${GITHUB_OUTPUT}"
- name: Download tarball
uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@main
with:
name: ${{ inputs.package-download-name }}
path: "${{ steps.temp-dir.outputs.path }}/${{ inputs.package-name }}"
sha256: ${{ inputs.package-download-sha256 }}
- name: Download provenance
uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@main
with:
name: ${{ inputs.provenance-download-name }}
path: "${{ steps.temp-dir.outputs.path }}"
sha256: ${{ inputs.provenance-download-sha256 }}
- name: Publish the package
id: publish
shell: bash
env:
ACCESS: ${{ inputs.access }}
PACKAGE_PATH: "${{ steps.temp-dir.outputs.path }}/${{ inputs.package-name }}"
ATTESTATION_PATH: "${{ steps.temp-dir.outputs.path }}/${{ inputs.provenance-download-name }}/${{ inputs.provenance-name }}"
DIST_TAG: ${{ inputs.dist-tag }}
NODE_AUTH_TOKEN: ${{ inputs.node-auth-token }}
run: |
set -euo pipefail
temp_dir=$(mktemp -d)
cd "${temp_dir}"
# Install npm >9.7.0 which includes support for --provenance-file.
# This installs locally in the temp directory.
npm install npm@^9.7.0
# Print the npm version.
echo "** Installed local version of npm**"
./node_modules/.bin/npm version
# Return to the working directory.
cd -
publish_flags=("--provenance-file=${ATTESTATION_PATH}")
if [[ "${ACCESS}" != "" ]]; then
publish_flags+=("--access=${ACCESS}")
fi
if [[ "${DIST_TAG}" != "" ]]; then
publish_flags+=("--tag=${DIST_TAG}")
fi
# NOTE: Use the absolute path to the tarball because npm tries to check
# a remote github.com repository if the "package spec" looks like it
# could be a "<owner>/<repo-name>" resulting in git errors.
package_abs_path=$(readlink -m "${PACKAGE_PATH}")
"${temp_dir}/node_modules/.bin/npm" publish --loglevel verbose "${package_abs_path}" "${publish_flags[@]}"