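# Release workflow: publishes the package with semantic-release.
#
# Trigger: manual (workflow_dispatch) only. The optional `cliArgs` input is forwarded
# to semantic-release, but ONLY after the "Validate cli args" step has checked every
# token against semantic-release's own option list and shell-escaped it.
#
# Secrets used:
#   NPM_PUBLISH_TOKEN - npm publish token (installed by the local set-npm-token action)
#   GH_TOKEN_MISTICA  - GitHub token used for the release push and exposed to
#                       semantic-release as GITHUB_TOKEN
# Both are gated behind the `production` environment's manual approval.
name: Release

on:
  workflow_dispatch:
    inputs:
      cliArgs:
        description: 'CLI args'
        required: false
        default: ''

# Scopes for the job's default GITHUB_TOKEN (used by the checkout). The Release
# step itself pushes with the GH_TOKEN_MISTICA PAT, whose scopes live outside this file.
permissions:
  contents: write
  issues: write
  pull-requests: write

jobs:
  release:
    name: Release
    runs-on: ubuntu-latest
    # Requires manual approval to run - protects NPM_PUBLISH_TOKEN secret
    environment: production
    steps:
      # persist-credentials: false - git remote configured manually in Release step with GH_TOKEN_MISTICA
      # NOTE(review): supply-chain hygiene - consider pinning third-party actions to a
      # full commit SHA (tag kept in a trailing comment) instead of a mutable tag.
      - uses: actions/checkout@v6
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          persist-credentials: false

      - name: Install dependencies
        env:
          # Skip the Chromium download puppeteer would otherwise perform on install;
          # no browser is needed to publish a release.
          PUPPETEER_SKIP_CHROMIUM_DOWNLOAD: 'true'
        run: yarn install --immutable --immutable-cache

      # NOTE(review): no step in this workflow has id `yarn-cache`, so
      # `steps.yarn-cache.outputs.cache-hit` is always empty, the condition is always
      # false and this step is skipped on every run - confirm whether the cache step
      # was removed intentionally (then drop this step) or should be restored.
      - name: Husky install
        if: steps.yarn-cache.outputs.cache-hit == 'true'
        run: yarn husky install

      - name: 'Set npm token'
        uses: './.github/actions/set-npm-token'
        with:
          npm-token: ${{ secrets.NPM_PUBLISH_TOKEN }}

      # The workflow_dispatch input is set by whoever runs the workflow and would
      # otherwise be spliced verbatim into a shell command line in the Release step.
      # It reaches this step only through an env var (never via ${{ }} inside `run`),
      # is validated token by token, and is re-emitted shell-escaped.
      - name: Validate cli args
        id: validate
        # printf %q is bash-specific; make the shell explicit instead of relying on the
        # runner default. `shell: bash` also enables pipefail, so a failing help/grep
        # pipeline aborts the step rather than yielding an empty allowlist silently.
        shell: bash
        env:
          CLI_ARGS_INPUT: ${{ github.event.inputs.cliArgs }}
        run: |
          # Empty input: emit an empty output so the Release step can expand it safely.
          if [ -z "$CLI_ARGS_INPUT" ]; then
            echo "safe_args=" >> "$GITHUB_OUTPUT"
            exit 0
          fi

          # Build the flag allowlist from semantic-release's own --help output.
          # Fails closed: with an empty list the pattern '^()$' matches no flag.
          # NOTE(review): this allowlists *every* documented option, including any that
          # select which code semantic-release loads (shareable configs / plugins, if
          # --help lists such options); their values are not restricted beyond "must
          # follow a flag". Acceptable only because dispatch needs write access plus the
          # production environment approval - confirm that is the intended trust model.
          ALLOWED_FLAGS=$(npx semantic-release -h | grep -oE '(-[a-z]|--[a-z-]+)' | sort -u | tr '\n' '|' | sed 's/|$//')

          # Disable pathname expansion: a token such as '*' must be validated (and
          # escaped or rejected) literally, not replaced by file names from the checkout.
          set -f

          # Validate tokens: flags must be in the allowlist, bare values must follow a
          # flag (so '--flag=value' is rejected; use '--flag value'). Each accepted token
          # is shell-escaped on its own and appended to SAFE_ARGS, so the Release step
          # receives one argument per token. Escaping the whole input with a single
          # printf %q would fold "--a --b" into the single argument "--a --b".
          PREV_WAS_FLAG=false
          SAFE_ARGS=""
          for TOKEN in $CLI_ARGS_INPUT; do
            case "$TOKEN" in
              -*)
                if ! echo "$TOKEN" | grep -qE "^($ALLOWED_FLAGS)$"; then
                  echo "Error: Invalid flag: $TOKEN"
                  exit 1
                fi
                PREV_WAS_FLAG=true
                ;;
              *)
                if [ "$PREV_WAS_FLAG" != "true" ]; then
                  echo "Error: Value must follow a flag: $TOKEN"
                  exit 1
                fi
                PREV_WAS_FLAG=false
                ;;
            esac
            SAFE_ARGS="$SAFE_ARGS $(printf '%q' "$TOKEN")"
          done

          # Strip the leading separator. Tokens contain no whitespace (IFS split) and
          # %q escapes everything else, so the value fits the single-line KEY=VALUE
          # form of GITHUB_OUTPUT.
          echo "safe_args=${SAFE_ARGS# }" >> "$GITHUB_OUTPUT"

      - name: Release
        env:
          # The PAT is exposed under the GITHUB_TOKEN name, presumably because
          # semantic-release reads GITHUB_TOKEN / NPM_TOKEN from the environment -
          # confirm it carries the contents/issues/PR write scopes the release needs.
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_MISTICA }}
          NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
        run: |
          # Configure git remote with token for push. The token lands in .git/config on
          # this ephemeral runner only; secret values are masked in the job log.
          # `github.repository` is a GitHub-controlled context value, not user input.
          git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${{ github.repository }}.git"
          # safe_args is the validated, per-token %q-escaped output of the step above.
          # It is deliberately expanded via the template (not an env var) so that bash
          # parses the escaping back into separate, literal arguments.
          npx semantic-release ${{ steps.validate.outputs.safe_args }}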