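name: 🔗 Publish
# Reusable (workflow_call) publish workflow.
#
# Dependencies:
# - SocketDev/socket-registry/.github/actions/setup-and-install
#
# Review notes on this revision:
# - The `socket-api-key` passed to setup-and-install now reads the secret this
#   workflow actually declares (`SOCKET_API_KEY`). A workflow_call job only sees
#   declared secrets, so the previous `secrets.SOCKET_API_TOKEN` reference always
#   expanded to an empty string and the sfw-enterprise path could never be taken.
# - Script inputs that are classified as "commands" (contain a space or a shell
#   operator) are now run through `eval` so that `&&`, `||`, `;` and `|` are
#   honoured. A bare `$VAR` expansion only word-splits; operators were being passed
#   to the first word as literal arguments. The trust boundary is unchanged: the
#   caller already chose an arbitrary executable via that first word.
on:
  workflow_call:
    inputs:
      access-script:
        description: 'Package access control script - either a pnpm script name (e.g., "package-npm-access") or a command'
        required: false
        type: string
        default: ''
      debug:
        description: 'Enable debug output (e.g., "0" or "1")'
        required: false
        type: string
        default: '0'
      dist-tag:
        description: 'npm dist-tag for publishing (e.g., "latest", "next", "beta", "canary", "backport")'
        required: false
        type: string
        default: 'latest'
      dry-run:
        description: 'Stage everything but pass --dry-run to npm publish; nothing reaches the registry. Useful for verifying the manifest + tarball before a real release. Defaults to true: opting INTO a real publish requires unchecking this, so an accidental dispatch never publishes.'
        required: false
        type: boolean
        default: true
      force-publish:
        description: 'Force publish without commit checks'
        required: false
        type: boolean
        default: false
      force-registry:
        description: 'Force publish @socketsecurity/registry regardless of version changes'
        required: false
        type: boolean
        default: false
      skip-npm-packages:
        description: 'Skip publishing npm override packages (packages/*)'
        required: false
        type: boolean
        default: false
      node-version:
        description: 'Node version to use'
        required: false
        type: string
        default: '25.9.0'
      package-name:
        description: 'Package name (e.g., "@socketregistry/sdk") - used when scripts are not provided'
        required: false
        type: string
        default: ''
      publish-script:
        description: 'Publishing script - either a pnpm script name (e.g., "publish:ci") or a command (e.g., "npm publish --access public")'
        required: false
        type: string
        default: ''
      ref:
        description: 'Git ref (branch, tag, or commit SHA) to checkout'
        required: false
        type: string
        default: ''
      registry-url:
        description: 'npm registry URL'
        required: false
        type: string
        default: 'https://registry.npmjs.org'
      scope:
        description: 'npm registry scope for package authentication'
        required: false
        type: string
        default: ''
      setup-script:
        description: 'Setup script before publishing - either a pnpm script name (e.g., "ci:validate") or a command (e.g., "pnpm run build")'
        required: false
        type: string
        default: ''
      timeout-minutes:
        description: 'Timeout in minutes'
        required: false
        type: number
        default: 10
      # NOTE(review): accepted but not referenced by any step in this workflow.
      # Confirm whether it should gate the job's `id-token: write` permission.
      use-trusted-publishing:
        description: 'Use npm trusted publishing with OIDC instead of npm token'
        required: false
        type: boolean
        default: true
    secrets:
      SOCKET_API_KEY:
        description: 'Socket API key — when provided, uses sfw-enterprise instead of sfw-free'
        required: false

# Default to no permissions; the job grants exactly what it needs below.
permissions: {}

concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: false # Don't cancel publishing

jobs:
  build-and-publish:
    name: Build and Publish
    runs-on: ubuntu-latest
    timeout-minutes: ${{ inputs.timeout-minutes }}
    permissions:
      # Needed to create release tags and commits.
      contents: write
      # Needed for npm provenance via OIDC trusted publishing.
      id-token: write
    steps:
      - name: Validate inputs
        env:
          PUBLISH_SCRIPT: ${{ inputs.publish-script }}
          PACKAGE_NAME: ${{ inputs.package-name }}
        run: |
          # Exactly one publish path must be selectable: a custom script, or
          # the built-in `npm publish` which needs a package name.
          if [ -z "$PUBLISH_SCRIPT" ] && [ -z "$PACKAGE_NAME" ]; then
            echo "Error: package-name is required when publish-script is not provided" >&2
            exit 1
          fi

      # Pinned to a full commit SHA; the trailing comment records the tracked branch.
      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@e8e253975a55a519be7e4b520d83a33f52c0b1a4 # main
        with:
          checkout-ref: ${{ inputs.ref }}
          node-version: ${{ inputs.node-version }}
          debug: ${{ inputs.debug }}
          scope: ${{ inputs.scope }}
          registry-url: ${{ inputs.registry-url }}
          # Must match the secret declared under `on.workflow_call.secrets`;
          # an undeclared secret silently expands to '' in a reusable workflow.
          socket-api-key: ${{ secrets.SOCKET_API_KEY }}

      - name: Verify sfw is installed
        run: |
          # SFW_BIN is presumably exported into the job environment by the
          # setup-and-install action above (not visible in this file).
          if [ -z "$SFW_BIN" ] || [ ! -x "$SFW_BIN" ]; then
            echo "Error: sfw is not installed — run SocketDev/socket-registry/.github/actions/setup first" >&2
            exit 1
          fi

      - name: Run setup script
        if: inputs.setup-script != ''
        env:
          SETUP_SCRIPT: ${{ inputs.setup-script }}
        run: |
          # Trim whitespace
          SETUP_SCRIPT=$(echo "$SETUP_SCRIPT" | xargs)
          # Detect if it contains spaces or shell operators (command) vs script name
          if [[ "$SETUP_SCRIPT" =~ ( |&&|\|\||;|\|) ]]; then
            # Contains space or shell operators - run as command. eval is
            # required for the operators matched above to take effect; a bare
            # $SETUP_SCRIPT expansion would pass them as literal arguments.
            eval "$SETUP_SCRIPT"
          else
            # Script name only - run as pnpm script
            pnpm run "$SETUP_SCRIPT"
          fi

      - name: Publish with custom script
        if: inputs.publish-script != ''
        env:
          DIST_TAG: ${{ inputs.dist-tag }}
          DRY_RUN: ${{ inputs.dry-run }}
          PUBLISH_SCRIPT: ${{ inputs.publish-script }}
          FORCE_PUBLISH: ${{ inputs.force-publish }}
          FORCE_REGISTRY: ${{ inputs.force-registry }}
          SKIP_NPM_PACKAGES: ${{ inputs.skip-npm-packages }}
        run: |
          # Trim whitespace
          PUBLISH_SCRIPT=$(echo "$PUBLISH_SCRIPT" | xargs)
          # Translate boolean inputs into flags for script-name form. Boolean
          # inputs reach the shell as the strings "true"/"false".
          FLAGS=""
          if [ "$FORCE_PUBLISH" = "true" ]; then
            FLAGS="$FLAGS --force-publish"
          fi
          if [ "$FORCE_REGISTRY" = "true" ]; then
            FLAGS="$FLAGS --force-registry"
          fi
          if [ "$SKIP_NPM_PACKAGES" = "true" ]; then
            FLAGS="$FLAGS --skip-npm-packages"
          fi
          if [ "$DRY_RUN" = "true" ]; then
            FLAGS="$FLAGS --dry-run"
          fi
          # Detect if it contains spaces or shell operators (command) vs script name
          if [[ "$PUBLISH_SCRIPT" =~ ( |&&|\|\||;|\|) ]]; then
            # Contains space or shell operators - run as command. The
            # caller's command is responsible for honoring the FLAGS;
            # we still export DRY_RUN so command-form scripts can
            # branch on it directly. eval so the operators matched above
            # are interpreted rather than passed as literal arguments.
            eval "$PUBLISH_SCRIPT"
          else
            # Script name only - run as pnpm script. FLAGS is intentionally
            # unquoted: it is a space-separated list of fixed option words.
            if [ -n "$FLAGS" ]; then
              pnpm run "$PUBLISH_SCRIPT" -- $FLAGS
            else
              pnpm run "$PUBLISH_SCRIPT"
            fi
          fi

      - name: Publish package
        if: inputs.publish-script == '' && inputs.package-name != ''
        env:
          # Environment values are strings; quoting avoids YAML boolean typing.
          NPM_CONFIG_IGNORE_SCRIPTS: "true"
          DIST_TAG: ${{ inputs.dist-tag }}
          DRY_RUN: ${{ inputs.dry-run }}
        run: |
          # dry-run defaults to true, so a real publish is always an explicit opt-in.
          if [ "$DRY_RUN" = "true" ]; then
            npm publish --access public --tag "$DIST_TAG" --dry-run
          else
            npm publish --access public --tag "$DIST_TAG"
          fi

      - name: Set package access
        if: inputs.access-script != ''
        env:
          ACCESS_SCRIPT: ${{ inputs.access-script }}
        run: |
          # Trim whitespace
          ACCESS_SCRIPT=$(echo "$ACCESS_SCRIPT" | xargs)
          # Detect if it contains spaces or shell operators (command) vs script name
          if [[ "$ACCESS_SCRIPT" =~ ( |&&|\|\||;|\|) ]]; then
            # Contains space or shell operators - run as command. eval so the
            # operators matched above are interpreted rather than passed as
            # literal arguments.
            eval "$ACCESS_SCRIPT"
          else
            # Script name only - run as pnpm script
            pnpm run "$ACCESS_SCRIPT"
          fi

      - name: Set MFA automation
        if: inputs.access-script == '' && inputs.package-name != ''
        run: |
          # Informational only: no npm access command is issued on this path.
          echo "Skipping MFA automation - npm access commands require npm_token authentication"
          echo "Trusted publishing uses OIDC tokens which don't support npm access commands"
          echo "MFA settings should be configured through npm web interface for trusted publishing"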