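# Manually dispatched release workflow. In one job it prepares, builds,
# validates and publishes three packages in sequence ('socket',
# '@socketsecurity/cli', '@socketsecurity/cli-with-sentry') with npm
# provenance, plus an optional JS-only fallback build of packages/cli.
name: 📦 Publish @socketsecurity/cli to npm registry
on:
  workflow_dispatch:
    inputs:
      debug:
        description: 'Enable debug output'
        required: false
        default: '0'
        # NOTE(review): `options` is documented for `type: choice` inputs;
        # with `type: string` the list is presumably not enforced. Switch to
        # `type: choice` if only '0' and '1' should be accepted.
        type: string
        options:
          - '0'
          - '1'
      js-fallback:
        description: 'Publish JS-only fallback version (no native binaries)'
        required: false
        type: boolean
        default: false
jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege: read-only repository access, plus the ability to
    # request an OIDC token, which `npm publish --provenance` needs in order
    # to sign the provenance attestation. Every step below runs with this
    # token-minting ability, so everything executed here is part of the
    # release trust boundary.
    permissions:
      contents: read
      id-token: write
    steps:
      # Third-party actions are pinned to full commit SHAs.
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
        with:
          # NOTE(review): `autocrlf` does not appear to be a declared
          # actions/checkout input; confirm it has any effect.
          # NOTE(review): consider `persist-credentials: false` so the job
          # token is not left in the local git config while install and
          # build scripts run; confirm no later step needs git auth.
          autocrlf: false
      # Pinned by SHA, but the trailing comment names a branch rather than a
      # release tag, so bumps of this pin should be reviewed deliberately.
      - uses: SocketDev/socket-registry/.github/actions/setup@d8ff3b0581d799466cfbf150f715c1a4bf9f84a5 # main
        with:
          scope: '@socketsecurity'
      # NOTE(review): restored cache content is an input to the published
      # build. The `restore-keys` prefix fallback can restore an entry that
      # was saved for a different package.json, possibly by another workflow
      # run. Consider skipping cache restore in the publish job, or
      # verifying the restored files before building.
      - name: Cache build artifacts (external files)
        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
        with:
          path: packages/cli/external
          key: socket-cli-external-${{ hashFiles('packages/cli/package.json') }}
          restore-keys: |
            socket-cli-external-
      # NOTE(review): `npm@latest` is the only unpinned tool in this job and
      # it is the binary that performs the publish. Pin it to an exact,
      # reviewed version so a release is reproducible.
      - run: npm install -g npm@latest
      - run: pnpm install
      # Build and publish 'socket' package (default).
      - name: Prepare socket package for publishing
        # Exports SOCKET_VERSION through GITHUB_ENV so the later prepare
        # steps reuse the same version. "$GITHUB_ENV" is quoted so the
        # redirect target is never word-split.
        run: |
          SOCKET_VERSION=$(node -p "require('./packages/socket/package.json').version")
          echo "Socket version: $SOCKET_VERSION"
          echo "SOCKET_VERSION=$SOCKET_VERSION" >> "$GITHUB_ENV"
          node scripts/prepare-package-for-publish.mjs packages/socket
      - name: Build socket package
        run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 pnpm run build:dist
      - name: Validate socket package
        run: node scripts/pre-publish-validate.mjs
      # `continue-on-error: true` means a failed publish does not fail the
      # job: the run still reports success and the remaining packages are
      # still published. Presumably deliberate best-effort behaviour;
      # check each publish step's log rather than the job status.
      - name: Publish socket package
        run: cd dist && npm publish --provenance --access public --no-git-checks
        continue-on-error: true
        env:
          SOCKET_CLI_DEBUG: ${{ inputs.debug }}
      # Build and publish '@socketsecurity/cli' package (legacy).
      - name: Prepare @socketsecurity/cli package for publishing
        # The version is read from the environment (set via GITHUB_ENV above)
        # and passed as one quoted shell argument, instead of being
        # template-expanded into the script text with ${{ env.* }}, so a
        # package.json version value cannot inject shell syntax.
        run: node scripts/prepare-package-for-publish.mjs packages/cli "$SOCKET_VERSION"
      - name: Build @socketsecurity/cli package
        run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 INLINED_SOCKET_CLI_LEGACY_BUILD=1 pnpm run build:dist
        env:
          SOCKET_CLI_DEBUG: ${{ inputs.debug }}
      - name: Validate @socketsecurity/cli package
        run: node scripts/pre-publish-validate.mjs
      - name: Publish @socketsecurity/cli package
        run: cd dist && npm publish --provenance --access public --no-git-checks
        continue-on-error: true
        env:
          SOCKET_CLI_DEBUG: ${{ inputs.debug }}
      # Build and publish '@socketsecurity/cli-with-sentry' package.
      - name: Prepare @socketsecurity/cli-with-sentry package for publishing
        # Same quoting rationale as the legacy prepare step above.
        run: node scripts/prepare-package-for-publish.mjs packages/cli-with-sentry "$SOCKET_VERSION"
      - name: Build @socketsecurity/cli-with-sentry package
        run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 INLINED_SOCKET_CLI_SENTRY_BUILD=1 pnpm run build:dist
        env:
          SOCKET_CLI_DEBUG: ${{ inputs.debug }}
      - name: Validate @socketsecurity/cli-with-sentry package
        run: node scripts/pre-publish-validate.mjs
      - name: Publish @socketsecurity/cli-with-sentry package
        run: cd dist && npm publish --provenance --access public --no-git-checks
        continue-on-error: true
        env:
          SOCKET_CLI_DEBUG: ${{ inputs.debug }}
      # Build and publish JS-only fallback version (when native binaries fail).
      # NOTE(review): unlike the three packages above, this path publishes
      # from packages/cli itself and runs neither the prepare script nor
      # pre-publish-validate.mjs; only file existence is checked. Confirm
      # that is intended.
      - name: Build JS-only fallback package
        if: ${{ inputs.js-fallback }}
        working-directory: packages/cli
        run: pnpm run build:js
      - name: Validate JS-only fallback package
        if: ${{ inputs.js-fallback }}
        working-directory: packages/cli
        run: |
          # Verify build artifacts exist
          test -f dist/cli.js || exit 1
          test -f dist/npm-cli.js || exit 1
          test -f dist/npx-cli.js || exit 1
          test -f dist/pnpm-cli.js || exit 1
          test -f dist/yarn-cli.js || exit 1
          echo "✓ JS-only fallback package built successfully"
      - name: Publish JS-only fallback package
        if: ${{ inputs.js-fallback }}
        working-directory: packages/cli
        run: npm publish --provenance --access public --no-git-checks
        continue-on-error: true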