
ci: enable pipeline publishing
Signed-off-by: Rifa Achrinza <[email protected]>
achrinza committed Nov 5, 2024
1 parent bc36815 commit be592b0
Showing 6 changed files with 171 additions and 14 deletions.
11 changes: 11 additions & 0 deletions .editorconfig
@@ -0,0 +1,11 @@
# SPDX-License-Identifier: FSFAP
# SPDX-FileCopyrightText: Copyright (c) 2024 Rifa Achrinza
root = true

[*]
end_of_line = lf
insert_final_newline = true
charset = utf-8
indent_style = space
indent_size = 2
max_line_length = 80
78 changes: 78 additions & 0 deletions .github/workflows/cd.yaml
@@ -0,0 +1,78 @@
name: CD

on:
push: {} # Remove me!
workflow_dispatch:
inputs:
branch:
description: Branch to publish a release from
required: true
default: main
type: choice
options:
- main
- v9.x

permissions: {}

jobs:
test:
name: Test
uses: ./.github/workflows/ci.yaml
build:
name: Build
permissions:
id-token: write
contents: read
actions: read
# Do not pin to hash
# See: https://github.com/slsa-framework/slsa-verifier/issues/12
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
node-version: 22
run-scripts: ci, test
publish:
name: Publish
runs-on: ubuntu-24.04
needs: [build]
permissions:
contents: read
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Download Tarball
uses: slsa-framework/slsa-github-generator/actions/nodejs/[email protected]
with:
name: ${{ needs.build.outputs.package-download-name }}
path: ${{ needs.build.outputs.package-name }}
sha256: ${{ needs.build.outputs.package-download-sha256 }}
- name: Download Provenance
uses: slsa-framework/slsa-github-generator/actions/nodejs/[email protected]
with:
name: ${{ needs.build.outputs.provenance-download-name }}
path: attestations
sha256: ${{ needs.build.outputs.provenance-download-sha256 }}
- name: Publish Dry-Run
env:
TARBALL_PATH: ${{ needs.build.outputs.package-name }}
run: npm publish --dry-run "$TARBALL_PATH"
- name: Request for NPM 2FA Code
uses: step-security/wait-for-secrets@5809f7d044804a5a1d43217fa8f3e855939fc9ef # v1.2.0
with:
secrets: |
npm-otp:
name: NPM Registry OTP
description: NPM Registry TOTP code for `achrinza-bot` NPM account
- name: Publish Package
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
TARBALL_PATH: ${{ needs.build.outputs.package-name }}
PROVENANCE_PATH: ./attestations/${{ needs.build.outputs.provenance-name }}
run: |
npm publish \
--access=public \
--provenance-file="$PROVENANCE_PATH" \
"$TARBALL_PATH"
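Review bot: the TOTP code collected by the `Request for NPM 2FA Code` step is never used. The step has no `id`, and `Publish Package` runs `npm publish` without `--otp`, so if the `achrinza-bot` account enforces 2FA on publish the final step will be rejected, and if the granular token is allowed to bypass 2FA the wait step is dead weight. wait-for-secrets exposes each requested value as a step output under its key, so give the step `id: otp` and pass `--otp="${{ steps.otp.outputs.npm-otp }}"` (or an env var) to the publish command. Three smaller points in the same file: `push: {} # Remove me!` still fires the whole pipeline, publish included, on every push, and should go before this is merged; `build` has no `needs: [test]`, so the reusable CI run never gates the SLSA build or the publish (only `publish` waits on `build`); and the `branch` dispatch input is declared but never referenced, so choosing `v9.x` does not change which ref is built. `egress-policy: audit` is reasonable for a first run, but the job holding `NPM_TOKEN` is the one where `block` with an explicit allow-list earns its keep.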
44 changes: 30 additions & 14 deletions .github/workflows/ci.yaml
@@ -2,20 +2,23 @@ name: CI

on:
push:
branches: [ main ]
branches: [main]
pull_request:
branches: [ main ]
branches: [main]
workflow_call: {}

permissions: {}

jobs:
test:
name: Test
runs-on: ${{ matrix.os }}
strategy:
matrix:
os:
- ubuntu-latest
- ubuntu-24.04
- macos-13
- windows-latest
- windows-2022
node-version:
- 14
- 16
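Review bot: `permissions: {}` at the workflow level plus `actions/checkout` in every job means the jobs run with a GITHUB_TOKEN that has no scopes at all; make the minimum explicit with `permissions: contents: read` at the job level rather than relying on the repository being public for the clone to succeed (same effective privilege, self-documenting, and it keeps working on a private mirror). Pinning to `ubuntu-24.04` and `windows-2022` instead of `-latest` is the right call for reproducible results, and `workflow_call: {}` is what lets `cd.yaml` reuse this file. Node 14 and 16 remain in the matrix although both are past end of life; if they stay on purpose, a comment saying so would stop the next person from treating them as supported targets.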
@@ -25,31 +28,44 @@ jobs:
- 20
- 21
- 22
- 23
steps:
- uses: actions/checkout@v2
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v1
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: ${{ matrix.node-version }}
cache: npm
- name: Install Dependencies
run: npm ci --ignore-scripts
run: npm ci --prefer-offline --ignore-scripts
- name: Run Tests
run: npm test
run: npm test --ignore-scripts
code-lint:
name: Code Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Use Node.js 16
uses: actions/setup-node@v1
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Use Node.js 22
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 16 # LTS
node-version: 22 # LTS
cache: npm
- name: Install Dependencies
run: npm ci --ignore-scripts
run: npm ci --prefer-offline --ignore-scripts
- name: Lockfile Lint
run: |
npm exec \
--no-install \
--no \
--package=lockfile-lint \
-- \
lockfile-lint \
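Review bot: `step-security/harden-runner` is documented for Ubuntu (Linux) runners, and this hunk adds it unconditionally to the `test` job whose matrix now includes `macos-13` and `windows-2022`; either guard the step with `if: runner.os == 'Linux'` or confirm the pinned v2.10.1 skips rather than fails on those runners. `npm test --ignore-scripts` still runs the `test` script itself (npm only drops `pretest`/`posttest` for the explicitly named script), which looks intended but deserves a comment. Because `npm ci --ignore-scripts` also suppresses `prepare`, `node-ipc.cjs` is never bundled in CI, so the matrix exercises `node-ipc.js` directly, not the artifact that gets shipped; that gap is worth a sentence in the workflow. The move to full-SHA pins with version comments on every action is the right direction.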
5 changes: 5 additions & 0 deletions .gitignore
@@ -4,3 +4,8 @@
npm-debug.log
node-ipc.cjs
/coverage/

# Code editors
\#*#
.#*
*~
46 changes: 46 additions & 0 deletions RELEASE.md
@@ -0,0 +1,46 @@
# Publishing a Release

This project uses a manually-invoked GitHub Actions workflow to publish its packages.

This workflow uses:
- The SLSA Node.js builder to achieve SLSA v3-level provenance
- An NPM granular access token for `achrinza-bot`

## Publishing

Before continuing, enusre that you have:

1. A GitHub account with the `Repository Admin` role for the `achrinza/node-ipc` repository
2. The username and password for the `achrinza-bot` NPM account or any account that has:
1. TOTP 2FA enabled
2. Write access to the `@achrinza/node-ipc` NPM package
3. The TOTP generator for said account

### 1. Regenerating the NPM Granular Token
1. Go to [New Granular Access Token](https://www.npmjs.com/settings/achrinza/tokens/granular-access-tokens/new)
2. Generate a granular access token that:
1. expires in 1 day
2. has `Read and write` permssions for only the `@achrinza/node-ipc` package.
3. Click `Generate` and copy the token
4. Go to [Update Action secret NPM_TOKEN](https://github.com/achrinza/node-ipc/settings/secrets/actions/NPM_TOKEN)
5. Paste the token and click `Update secret`

### 2. Creating a GitHub "Release"

1. Delete and re-fetch all Git tags
This is necessary to prevent accidental tags from being pushed to the GitHub repository

On Linux or macOS:
```sh
$ git branch -l | xargs -I{} git branch -d {}
$ git fetch 'refs/tags/*:refs/tags/*'
```

2. De

### 3. Creating an NPM Release

> [!NOTE]
> Ensure the Git comit and tag from the previous step has been completed
3. Go to [CD * workflow runs](https://github.com/achrinza/node-ipc/actions/workflows/cd.yaml)
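Review bot: step 1 of "Creating a GitHub Release" says it deletes and re-fetches all tags, but the commands act on branches: `git branch -l | xargs -I{} git branch -d {}` lists and deletes local branches (and fails on the checked-out one), and `git fetch 'refs/tags/*:refs/tags/*'` has no remote argument, so git tries to treat the refspec as a repository path. The tag equivalent is `git tag -l | xargs git tag -d` followed by `git fetch origin 'refs/tags/*:refs/tags/*'`. The procedure is also incomplete as committed: step 2 stops at `2. De`, section 3 starts its list at `3.`, and nothing says which tag or commit the CD workflow is expected to publish. Spelling: `enusre`, `permssions`, `comit`. "SLSA v3-level provenance" should read SLSA Build Level 3, which is the level the Node.js builder is designed to reach. The one-day expiry and single-package scope on the granular token are the right choices and worth keeping as written.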
1 change: 1 addition & 0 deletions package.json
@@ -34,6 +34,7 @@
"node-http-server": "^8.1.4"
},
"scripts": {
"ci": "npm ci",
"prepare": "esbuild node-ipc.js --bundle --format=cjs --target=es2018 --platform=node --outfile=node-ipc.cjs",
"test": "c8 -r lcov -r html node test/CI.js && c8 report && node ./lcov.js",
"coverage": "echo 'See your coverage report at http://localhost:8080' && node-http-server port=8080 root=./coverage/"
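Review bot: the new `ci` script exists so the SLSA builder's `run-scripts: ci, test` can call it, but `npm run ci` resolves to a plain `npm ci` that runs lifecycle scripts, unlike the `npm ci --ignore-scripts` used in ci.yaml. In the release build that is what triggers `prepare` and produces `node-ipc.cjs` for the tarball, so the two install paths differ on purpose; say so in a comment next to the script, and if the same install-time hardening is wanted in the release build, switch it to `npm ci --ignore-scripts && npm run prepare` so dependency install scripts stay disabled while the bundle is still built.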