meta: bump tinyglobby from 0.2.16 to 0.2.17 (#865)

meta: bump tinyglobby from 0.2.16 to 0.2.17 (#865) #54

Workflow file for this run

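name: Publish Packages
# Publishes the package to npm when a change to package.json lands on main
# (push) or when a maintainer starts the workflow by hand (workflow_dispatch).
on:
  push:
    paths:
      - package.json
    # For security reasons, this should never be set to anything but `main`.
    # This filter only constrains the `push` trigger: `workflow_dispatch` can be
    # started from any ref that carries this file, so the jobs below also gate
    # on `github.ref` explicitly.
    branches: [main]
  workflow_dispatch:

# Baseline token permissions for every job; `publish` widens them for OIDC only.
permissions:
  contents: read

env:
  COMMIT_SHA: ${{ github.sha }}

jobs:
  prepare:
    runs-on: ubuntu-latest
    # Refuse to run from anything but main regardless of the trigger (see the
    # note on `on.push.branches` above).
    if: github.ref == 'refs/heads/main'
    outputs:
      # "true" when the package version changed (or on manual dispatch); the
      # publish job is gated on this value.
      should_publish: ${{ steps.check.outputs.should_publish }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            api.github.com:443

      - name: Verify commit authenticity
        # Skipped on manual dispatch; the ref guard on the job still applies.
        if: ${{ github.event_name != 'workflow_dispatch' }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through env rather than interpolated into the script body.
          REPOSITORY: ${{ github.repository }}
        run: |
          # Get commit data from GitHub API to verify its authenticity
          COMMIT_DATA=$(gh api "repos/${REPOSITORY}/commits/${COMMIT_SHA}")
          # Check if commit signature is verified (GPG signed)
          VERIFIED=$(echo "$COMMIT_DATA" | jq -r '.commit.verification.verified')
          # Check if commit was made through GitHub's web interface (merge queue)
          COMMITTER=$(echo "$COMMIT_DATA" | jq -r '.commit.committer.email')
          # Security checks to ensure we only publish from verified and trusted sources
          if [[ "$VERIFIED" != "true" ]]; then
            echo "❌ Unverified commit! Aborting."
            exit 1
          fi
          if [[ "$COMMITTER" != "noreply@github.com" ]]; then
            echo "❌ Not merged with the merge queue! Aborting."
            exit 1
          fi
          echo "✅ Commit is verified and trusted."

      - name: Checkout repository
        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
        with:
          persist-credentials: false
          fetch-depth: 2 # Need at least 2 commits to detect changes between commits

      - name: Check if we should publish
        id: check
        env:
          EVENT_NAME: ${{ github.event_name }}
        run: |
          # Compare the version in the previous commit with the current one.
          OLD_VERSION=$(git show "${COMMIT_SHA}~1:package.json" | jq -r '.version')
          NEW_VERSION=$(jq -r '.version' package.json)
          # Always write the output so downstream `== 'true'` checks see an
          # explicit value instead of an empty string.
          if [ "$OLD_VERSION" != "$NEW_VERSION" ] || [ "$EVENT_NAME" == "workflow_dispatch" ]; then
            echo "should_publish=true" >> "$GITHUB_OUTPUT"
          else
            echo "should_publish=false" >> "$GITHUB_OUTPUT"
          fi

  publish:
    needs: prepare
    runs-on: ubuntu-latest
    # Second ref guard on the job that actually holds the OIDC token.
    if: needs.prepare.outputs.should_publish == 'true' && github.ref == 'refs/heads/main'
    permissions:
      # For npm OIDC (https://docs.npmjs.com/trusted-publishers)
      id-token: write
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          # Audit rather than block: the full endpoint set needed by the
          # setup-environment composite action is not visible here.
          # TODO(review): switch to `block` with an allow-list once confirmed.
          egress-policy: audit

      # NOTE(review): assumes this action checks the repository out and installs
      # Node — confirm against the action, no checkout step exists in this job.
      - uses: nodejs/web-team/actions/setup-environment@9f3c83af227d721768d9dbb63009a47ed4f4282f
        with:
          use-version-file: true
          registry-url: 'https://registry.npmjs.org'

      - name: Publish
        # NOTE(review): `--no-git-checks` is a pnpm flag; confirm which package
        # manager setup-environment selects before relying on it.
        run: npm publish --access public --no-git-checks

      - name: Notify
        uses: rtCamp/action-slack-notify@33ca3be66c6f378fe1610fd1d5258632dbed5e58 # v2.4.0
        env:
          SLACK_COLOR: '#43853D'
          SLACK_ICON: 'https://github.com/nodejs.png?size=48'
          SLACK_TITLE: ':rocket: Package Published: @node-core/doc-kit'
          SLACK_MESSAGE: |
            :package: *Package*: `@node-core/doc-kit` (<https://www.npmjs.com/package/@node-core/doc-kit|View on npm>)
            :bust_in_silhouette: *Published by*: ${{ github.triggering_actor }}
            :octocat: *Commit*: <https://github.com/${{ github.repository }}/commit/${{ env.COMMIT_SHA }}|${{ env.COMMIT_SHA }}>
          SLACK_USERNAME: nodejs-bot
          SLACK_CHANNEL: nodejs-web-infra-alerts
          SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}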