feat(web): 公开仓库 web 扫描器 + 本地客户端模式 (v0.7.0) #11
Workflow file for this run
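name: Release

# Publishes to npm with provenance (SLSA build attestation) when a version tag
# is pushed (e.g. `git tag v0.5.12 && git push --tags`).
# Requires an NPM_TOKEN repo secret (automation token, publish scope).
#
# NOTE(review): the published version is read from package.json, not from the
# pushed tag, and nothing here compares the two. Confirm whether a tag/version
# mismatch should fail the run before publishing.
on:
  push:
    tags:
      - 'v*'

# Declared at workflow level, so these apply to every step of every job.
# NOTE(review): id-token: write is therefore also in effect while dependency
# install scripts, tests and the benchmark run. Consider doing install/test/bench
# in a separate job without id-token and granting it only to the publishing job.
permissions:
  contents: read
  id-token: write # required for npm provenance

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): actions are referenced by mutable tag (@v4); pinning each
      # to a full commit SHA fixes exactly what code runs in the release job.
      - uses: actions/checkout@v4
        with:
          # No later step pushes or fetches with git, so do not leave the
          # GITHUB_TOKEN in .git/config where install/test scripts could read it.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: 'https://registry.npmjs.org'

      # NOTE(review): `npm install` may resolve versions other than those in a
      # committed lockfile. If package-lock.json is committed, `npm ci` makes the
      # attested build install exactly the locked dependency tree.
      - name: Install dependencies
        run: npm install

      - name: Typecheck
        run: npx tsc --noEmit

      - name: Test
        run: npm test

      - name: Detection benchmark gate
        run: npm run bench -- --ci

      - name: Build
        run: npm run build

      # Idempotent: skip if this version is already on npm (e.g. published locally).
      # Any `npm view` failure (including a registry or network error) is treated
      # as "not published"; the publish step then runs and the registry decides.
      - name: Check if version already published
        id: check
        run: |
          V=$(node -p "require('./package.json').version")
          if npm view "shellward@$V" version >/dev/null 2>&1; then
            echo "exists=true" >> "$GITHUB_OUTPUT"
          else
            echo "exists=false" >> "$GITHUB_OUTPUT"
          fi

      # NPM_TOKEN is exposed to this step only, not to install/test/build.
      - name: Publish with provenance
        if: steps.check.outputs.exists == 'false'
        run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}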