diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3c9cc9f..5da95d2 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,3 @@ - name: Release Full on: @@ -29,7 +28,7 @@ on: - latest - beta - alpha - + dry_run: type: boolean description: "DryRun release" @@ -37,6 +36,7 @@ on: default: false permissions: + contents: write # To publish packages with provenance id-token: write @@ -44,10 +44,6 @@ jobs: release: name: Release environment: npm - permissions: - contents: write - # To publish packages with provenance - id-token: write runs-on: ubuntu-latest steps: 
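Review bot: Granting `contents: write` and `id-token: write` under the top-level `permissions:` key (hunk `@@ -37,6 +36,7 @@`) gives them to every job in the workflow, whereas the block removed from the `release` job in `@@ -44,10 +44,6 @@` scoped them to that job alone. If `release` is the only job, the effective grant is unchanged, but any job added later could mint OIDC tokens and push to the repository by default. I would keep the job-level block and set the workflow default to `permissions: {}` (or `contents: read`) so that only `release` holds publish rights. The `jobs:` section continues outside these hunks, so whether other jobs exist is not visible here.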
@@ -63,41 +59,21 @@ jobs: node-version: 20 cache: "pnpm" + # Update npm to the latest version to enable OIDC + - name: Update npm + run: | + npm install -g npm@latest + npm --version + - name: Install Dependencies run: pnpm install - name: Run Test run: pnpm run test - - name: Obtain OIDC token - id: oidc - run: | - token=$(curl --fail -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ - "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=cfa.rspack.dev" | jq -r '.value') - echo "::add-mask::${token}" - echo "token=${token}" >> $GITHUB_OUTPUT - shell: bash - - name: Obtain GitHub credentials - id: github_creds - run: | - token=$(curl --fail "https://cfa.rspack.dev/api/request/${{ secrets.CFA_PROJECT_ID }}/github/credentials" \ - -X POST \ - -H "Content-Type: application/json" \ - -H "Authorization: bearer ${{ secrets.CFA_SECRET }}" \ - --data "{\"token\":\"${{ steps.oidc.outputs.token }}\"}" | jq -r '.GITHUB_TOKEN') - echo "::add-mask::${token}" - echo "token=${token}" >> $GITHUB_OUTPUT - shell: bash + - name: Try release to npm run: pnpm run release env: DRY_RUN: ${{ inputs.dry_run }} TAG: ${{ inputs.tag }} VERSION: ${{ inputs.version }} - CFA_HOST: https://cfa.rspack.dev - GITHUB_TOKEN: ${{ steps.github_creds.outputs.token }} - GITHUB_OIDC_TOKEN: ${{ steps.oidc.outputs.token }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - CFA_PROJECT_ID: ${{ secrets.CFA_PROJECT_ID }} - CFA_SECRET: ${{ secrets.CFA_SECRET }} - - diff --git a/package.json b/package.json index e45c6d5..48fff0f 100644 --- a/package.json +++ b/package.json @@ -41,7 +41,6 @@ }, "devDependencies": { "@biomejs/biome": "^1.9.4", - "@continuous-auth/client": "2.3.2", "@rslib/core": "^0.11.0", "@rspack/core": "1.4.11", "@types/jest": "29.5.14", @@ -76,7 +75,6 @@ "packageManager": "pnpm@10.14.0", "publishConfig": { "access": "public", - "registry": "https://registry.npmjs.org/", - "provenance": true + "registry": "https://registry.npmjs.org/" } } 
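Review bot: The new `Update npm` step installs `npm@latest` unpinned in the job that holds `id-token: write` and `contents: write`, so whichever npm release is current at run time executes with publish rights, and each release may run a different CLI. Pin it to a reviewed version that supports OIDC publishing, e.g. `npm install -g npm@<pinned-version>`, and bump it deliberately. The step comment could also state the minimum npm version required, so the step can be dropped once the runner's bundled npm is new enough. The `steps:` list starts above this hunk, so the checkout and setup actions are not visible here.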
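Review bot: Dropping `"provenance": true` from `publishConfig` in the `@@ -76,7 +75,6 @@` hunk, together with the `--provenance` flag removed from the `pnpm publish` call in `scripts/release.mjs`, leaves provenance attestation entirely to the registry's default behaviour for OIDC publishes. That default presumably applies to this workflow, but nothing in the repository now states or enforces it, and a later fallback to token-based auth would publish without an attestation and without any error. I would keep `"provenance": true` in `publishConfig` so the requirement stays explicit, or add a post-publish check that the released version carries an attestation.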
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 4a02a3b..ec78c73 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -21,9 +21,6 @@ importers: '@biomejs/biome': specifier: ^1.9.4 version: 1.9.4 - '@continuous-auth/client': - specifier: 2.3.2 - version: 2.3.2 '@rslib/core': specifier: ^0.11.0 version: 0.11.0(typescript@5.9.2) @@ -352,9 +349,6 @@ packages: cpu: [x64] os: [win32] - '@continuous-auth/client@2.3.2': - resolution: {integrity: sha512-/QG87OYqFbNkM7fxEf53QN6KKvXQF4SyBp4eQk4uCM2O24dNj2fBfEUNS2NYgEoGCtu9YHGn3dcCLrgNAcBaGw==} - '@cspotcode/source-map-support@0.8.1': resolution: {integrity: sha512-IchNf6dN4tHoMFIn/7OE8LWZ19Y6q/67Bmf6vnGREv8RSbBVb9LPJxEcnwrcwX6ixSvaiGoomAUvu4YSxXrVgw==} engines: {node: '>=12'} @@ -690,12 +684,6 @@ packages: async@3.2.6: resolution: {integrity: sha512-htCUDlxyyCLMgaM3xXg0C0LW2xqfuQ6p05pCEIsXuyQ+a1koYKTuBMzRNwmybfLgvJDMd0r1LTn4+E0Ti6C2AA==} - asynckit@0.4.0: - resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==} - - axios@1.7.9: - resolution: {integrity: sha512-LhLcE7Hbiryz8oMDdDptSrWowmB4Bl6RCt6sIJKpRB4XtVf0iEgewX3au/pJqm+Py1kCASkb/FFKjxQaLtxJvw==} - babel-jest@29.7.0: resolution: {integrity: sha512-BrvGY3xZSwEcCzKvKsCi2GgHqDqsYkOP4/by5xCgIwGXQxIEh+8ew3gmrE1y7XRR6LHZIj6yLYnUi/mm2KXKBg==} engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0} @@ -807,10 +795,6 @@ packages: color-name@1.1.4: resolution: {integrity: sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==} - combined-stream@1.0.8: - resolution: {integrity: sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==} - engines: {node: '>= 0.8'} - concat-map@0.0.1: resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==} 
@@ -858,10 +842,6 @@ packages: resolution: {integrity: sha512-3sUqbMEc77XqpdNO7FRyRog+eW3ph+GYCbj+rK+uYyRMuwsVy0rMiVtPn+QJlKFvWP/1PYpapqYn0Me2knFn+A==} engines: {node: '>=0.10.0'} - delayed-stream@1.0.0: - resolution: {integrity: sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==} - engines: {node: '>=0.4.0'} - detect-newline@3.1.0: resolution: {integrity: sha512-TLz+x/vEXm/Y7P7wn1EJFNLxYpUD4TgMosxY6fAVJUnJMbupHBOncxyWUG9OpTaH9EBD7uFI5LfEgmMOc54DsA==} engines: {node: '>=8'} @@ -957,19 +937,6 @@ packages: resolution: {integrity: sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==} engines: {node: '>=8'} - follow-redirects@1.15.9: - resolution: {integrity: sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==} - engines: {node: '>=4.0'} - peerDependencies: - debug: '*' - peerDependenciesMeta: - debug: - optional: true - - form-data@4.0.1: - resolution: {integrity: sha512-tzN8e4TX8+kkxGPK8D5u0FNmjPUjw3lwC9lSLxxoB/+GtsJG91CO8bSWy73APlgAZzZbXEYZJuxjkHH2w+Ezhw==} - engines: {node: '>= 6'} - fs-extra@11.3.0: resolution: {integrity: sha512-Z4XaCL6dUDHfP/jT25jJKMmtxvuwbkrD1vNSMFlo9lNLY2c5FHYSQgHPRZUjAB26TpDEoW9HCOgplrdbaPV/ew==} engines: {node: '>=14.14'} @@ -1322,14 +1289,6 @@ packages: resolution: {integrity: sha512-LPP/3KorzCwBxfeUuZmaR6bG2kdeHSbe0P2tY3FLRU4vYrjYz5hI4QZwV0njUx3jeuKe67YukQ1LSPZBKDqO/Q==} engines: {node: '>=8.6'} - mime-db@1.52.0: - resolution: {integrity: sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==} - engines: {node: '>= 0.6'} - - mime-types@2.1.35: - resolution: {integrity: sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==} - engines: {node: '>= 0.6'} - mimic-fn@2.1.0: resolution: {integrity: sha512-OqbOk5oEQeAZ8WXWydlu9HJjz9WVdEIvamMCcXmuqUYjTknH/sqsWvhQ3vgwKFRR1HpjvNBKQ37nbJgYzGqGcg==} engines: {node: '>=6'} 
@@ -1457,9 +1416,6 @@ packages: resolution: {integrity: sha512-NxNv/kLguCA7p3jE8oL2aEBsrJWgAakBpgmgK6lpPWV+WuOmY6r2/zbAVnP+T8bQlA0nzHXSJSJW0Hq7ylaD2Q==} engines: {node: '>= 6'} - proxy-from-env@1.1.0: - resolution: {integrity: sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==} - pure-rand@6.1.0: resolution: {integrity: sha512-bVWawvoZoBYpp6yIoQtQXHZjmz35RSVHnUOTefl8Vcjr8snTPY1wnpSPMWekcFwbxI6gtmT7rSYPFvz71ldiOA==} @@ -2040,12 +1996,6 @@ snapshots: '@biomejs/cli-win32-x64@1.9.4': optional: true - '@continuous-auth/client@2.3.2': - dependencies: - axios: 1.7.9 - transitivePeerDependencies: - - debug - '@cspotcode/source-map-support@0.8.1': dependencies: '@jridgewell/trace-mapping': 0.3.9 @@ -2485,16 +2435,6 @@ snapshots: async@3.2.6: {} - asynckit@0.4.0: {} - - axios@1.7.9: - dependencies: - follow-redirects: 1.15.9 - form-data: 4.0.1 - proxy-from-env: 1.1.0 - transitivePeerDependencies: - - debug - babel-jest@29.7.0(@babel/core@7.25.2): dependencies: '@babel/core': 7.25.2 @@ -2626,10 +2566,6 @@ snapshots: color-name@1.1.4: {} - combined-stream@1.0.8: - dependencies: - delayed-stream: 1.0.0 - concat-map@0.0.1: {} convert-source-map@2.0.0: {} @@ -2672,8 +2608,6 @@ snapshots: deepmerge@4.3.1: {} - delayed-stream@1.0.0: {} - detect-newline@3.1.0: {} diff-sequences@29.6.3: {} @@ -2770,14 +2704,6 @@ snapshots: locate-path: 5.0.0 path-exists: 4.0.0 - follow-redirects@1.15.9: {} - - form-data@4.0.1: - dependencies: - asynckit: 0.4.0 - combined-stream: 1.0.8 - mime-types: 2.1.35 - fs-extra@11.3.0: dependencies: graceful-fs: 4.2.11 @@ -3284,12 +3210,6 @@ snapshots: braces: 3.0.3 picomatch: 2.3.1 - mime-db@1.52.0: {} - - mime-types@2.1.35: - dependencies: - mime-db: 1.52.0 - mimic-fn@2.1.0: {} minimatch@3.1.2: @@ -3395,8 +3315,6 @@ snapshots: kleur: 3.0.3 sisteransi: 1.0.5 - proxy-from-env@1.1.0: {} - pure-rand@6.1.0: {} react-is@18.3.1: {} diff --git a/scripts/release.mjs b/scripts/release.mjs index 95e081f..bcdff49 100644 
--- a/scripts/release.mjs
+++ b/scripts/release.mjs
@@ -1,6 +1,5 @@
 import path from 'path';
 import * as url from 'url';
-import { getOtp } from '@continuous-auth/client';
 import { $ } from 'execa';
 import fs from 'fs-extra';
 import { inc } from 'semver';
@@ -8,7 +7,6 @@ import { inc } from 'semver';
 const RELEASE_TAG = process.env.TAG || 'beta';
 const RELEASE_DRY_RUN = process.env.DRY_RUN || 'true';
 const RELEASE_VERSION_TYPE = process.env.VERSION || 'prerelease';
-const RELEASE_NPM_TOKEN = process.env.NPM_TOKEN || '';
 const __dirname = url.fileURLToPath(new URL('.', import.meta.url));
 const PKG_PATH = path.resolve(__dirname, '../package.json');
@@ -28,29 +26,16 @@ console.info(`Updating version from ${currentVersion} to ${nextVersion}`);
 pkg.version = nextVersion;
 fs.writeJsonSync(PKG_PATH, pkg, { spaces: 2 });
-// Write npmrc
-const npmrcPath = `${process.env.HOME}/.npmrc`;
-console.info(`Writing npmrc to ${npmrcPath}`);
-fs.writeFileSync(
- npmrcPath,
- `//registry.npmjs.org/:_authToken=${RELEASE_NPM_TOKEN}`,
-);
-
 // Publish to npm
 console.info(`Publishing to npm with tag ${RELEASE_TAG}`);
 const dryRun = RELEASE_DRY_RUN === 'true' ? ['--dry-run'] : [];
-console.log('Getting OTP code');
-let otp = await getOtp();
-console.log('OTP code get, continuing...');
 try {
- await $`pnpm publish ${dryRun} --tag ${RELEASE_TAG} --otp ${otp} --no-git-checks --provenance`;
+ await $`pnpm publish ${dryRun} --tag ${RELEASE_TAG} --no-git-checks`;
 console.info(`Published successfully`);
 } catch (e) {
 console.error(`Publish failed: ${e.message}`);
 process.exit(1);
-} finally {
- fs.removeSync(npmrcPath);
 }
 // Push tag to github
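Review bot: After the `@@ -28,29 +26,16 @@` hunk nothing in the script says where `pnpm publish` gets its credentials: the token, `.npmrc` and OTP handling are gone and authentication is now implicit in the CI environment. Add a comment above the `try` block, e.g. `// Auth: npm trusted publishing via GitHub OIDC; needs id-token: write and an OIDC-capable npm in the workflow`, so that a maintainer debugging a failed publish does not reintroduce a long-lived token. The script continues past the hunk at `// Push tag to github`.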