
Commit ab4a4c3

Merge pull request #14 from anand-testcompare/fix/publish-oidc-verification
ci: fix publish verification
2 parents cea36ed + d027f80 commit ab4a4c3

2 files changed

Lines changed: 37 additions & 4 deletions


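--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -102,9 +102,24 @@ jobs:
 EXPECTED_OIDC_EMAIL="npm-oidc-no-reply@github.com"
 NPM_USER_EMAIL=""
 NPM_USER_NAME=""
+NPM_USER_RAW=""
 for i in $(seq 1 20); do
 VIEW_JSON="$(npm view "${NAME}@${VERSION}" --json 2>/dev/null || true)"
 
+NPM_USER_RAW="$(
+printf '%s' "$VIEW_JSON" | node -e '
+const fs = require("fs");
+const s = fs.readFileSync(0, "utf8").trim();
+if (!s) process.exit(0);
+try {
+const j = JSON.parse(s);
+const u = j._npmUser ?? j.dist?._npmUser ?? null;
+if (u == null) process.exit(0);
+if (typeof u === "string") process.stdout.write(u);
+else if (typeof u === "object" && typeof u.name === "string") process.stdout.write(u.name);
+} catch {}
+'
+)"
 NPM_USER_EMAIL="$(
 printf '%s' "$VIEW_JSON" | node -e '
 const fs = require("fs");
@@ -113,7 +128,12 @@ jobs:
 try {
 const j = JSON.parse(s);
 const u = j._npmUser ?? j.dist?._npmUser ?? null;
-if (u && typeof u === "object" && u.email) process.stdout.write(String(u.email));
+if (typeof u === "string") {
+const m = u.match(/<([^>]+)>/);
+if (m) process.stdout.write(String(m[1]));
+} else if (u && typeof u === "object" && u.email) {
+process.stdout.write(String(u.email));
+}
 } catch {}
 '
 )"
@@ -125,17 +145,23 @@ jobs:
 try {
 const j = JSON.parse(s);
 const u = j._npmUser ?? j.dist?._npmUser ?? null;
-if (u && typeof u === "object" && u.name) process.stdout.write(String(u.name));
+if (typeof u === "string") {
+const m = u.match(/^([^<]+)</);
+if (m) process.stdout.write(String(m[1]).trim());
+else process.stdout.write(u);
+} else if (u && typeof u === "object" && u.name) {
+process.stdout.write(String(u.name));
+}
 } catch {}
 '
 )"
 
-if [ "$NPM_USER_EMAIL" = "$EXPECTED_OIDC_EMAIL" ] || [ "$NPM_USER_NAME" = "$EXPECTED_OIDC_EMAIL" ]; then
+if [ "$NPM_USER_EMAIL" = "$EXPECTED_OIDC_EMAIL" ] || [ "$NPM_USER_NAME" = "$EXPECTED_OIDC_EMAIL" ] || printf '%s' "$NPM_USER_RAW" | grep -q "$EXPECTED_OIDC_EMAIL"; then
 break
 fi
 
 if [ "$i" -eq 20 ]; then
-echo "[ERROR] expected OIDC publish; npm reports _npmUser.email='${NPM_USER_EMAIL:-<empty>}' _npmUser.name='${NPM_USER_NAME:-<empty>}'"
+echo "[ERROR] expected OIDC publish; npm reports _npmUser.raw='${NPM_USER_RAW:-<empty>}' _npmUser.email='${NPM_USER_EMAIL:-<empty>}' _npmUser.name='${NPM_USER_NAME:-<empty>}'"
 exit 1
 fi
 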
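Review bot: The third condition added to the `if` at new line 159, `printf '%s' "$NPM_USER_RAW" | grep -q "$EXPECTED_OIDC_EMAIL"`, is an unanchored regular-expression match, so it passes for any `_npmUser` string that merely contains text matching the address (each `.` matches any character); that is looser than the two exact comparisons before it. The string form already appears to be covered, since NPM_USER_EMAIL takes the `<...>` part and NPM_USER_NAME falls back to the whole string, so the raw value looks redundant for the decision and could be kept only for the error message. If the check stays, match the bracketed address literally: `printf '%s' "$NPM_USER_RAW" | grep -qF -- "<${EXPECTED_OIDC_EMAIL}>"`. The retry loop starts and ends outside the hunks shown.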

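--- a/.mise/tasks/publish
+++ b/.mise/tasks/publish
@@ -49,6 +49,13 @@ fi
 
 # Publish directly from source (allows provenance generation in CI)
 if [ "${usage_dry_run}" != "true" ]; then
+NAME="$(node -p 'require("./package.json").name')"
+VERSION="$(node -p 'require("./package.json").version')"
+if npm view "${NAME}@${VERSION}" version >/dev/null 2>&1; then
+echo " > ${NAME}@${VERSION} already exists on npm; skipping publish"
+exit 0
+fi
+
 npm publish \
 --access public \
 --tag "${usage_tag}" \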
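Review bot: The early `exit 0` at new line 56 reports success for a version this run did not publish, and the `npm view ... >/dev/null 2>&1` test says nothing about whether that existing version came from the trusted publisher. If the workflow's `_npmUser` check runs after this task it would still reject a version published some other way, but that ordering is not visible here, so a comment above the check should state the assumption: `# Re-run safe: an existing version is not republished; the workflow's post-publish _npmUser check decides whether it is trusted.` Because stderr is discarded, a registry or network error is treated the same as "not published" and falls through to `npm publish`; that is probably acceptable but worth saying in the same comment. The enclosing `if` block continues past the end of the hunk.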
