Merge pull request #1588 from Adyen/copilot/fix-unsafe-package-publishing

Secure NPM publishing workflow against supply chain attacks

Author: gcatanese

.github/workflows/npmpublish.yml

@@ -11,20 +11,44 @@ permissions:
   contents: read
 
 jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          node-version: '18.x'
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+      - name: Build package
+        run: npm run build
+      - name: Run tests
+        run: npm run test
+      - name: Upload build artifact
+        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        with:
+          name: build-output
+          path: lib/
+          retention-days: 1
+
   publish-npm:
     runs-on: ubuntu-latest
+    needs: build
     environment: release
-    env:
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_ADYEN_NODE_API_LIBRARY_TOKEN }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: '18.x'
           registry-url: 'https://registry.npmjs.org'
           always-auth: true
-      - run: |
-          npm install
-          npm run build
-      - run: npm publish
+      - name: Download build artifact
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: build-output
+          path: lib/
+      - name: Publish to NPM
+        run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_ADYEN_NODE_API_LIBRARY_TOKEN }}