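# Release workflow: publishes to npm through OIDC trusted publishing (no
# long-lived NPM_TOKEN) by way of changesets/action and `pnpm run release`.
# This job holds `id-token: write` and `contents: write`, so everything it
# executes must come from a pinned, uncached source.
name: Release JS

# Permissions for the workflow to use Trusted Actions
# See https://docs.npmjs.com/trusted-publishers#supported-cicd-providers
permissions:
  id-token: write # Required for OIDC
  contents: write # Required for changesets to commit and push
  pull-requests: write # Required for changesets to check existing PRs

# `on` is read as a boolean key by YAML 1.1 parsers; GitHub's loader handles it.
on:
  push:
    branches:
      - main

# One release run per ref at a time. cancel-in-progress is left at its
# default (false): a publish must run to completion rather than be cancelled
# by a newer push.
concurrency: ${{ github.workflow }}-${{ github.ref }}

jobs:
  release:
    name: Release
    # GitHub-hosted (not Blacksmith): npm provenance attestations, which are
    # generated automatically by OIDC trusted publishing, are only accepted
    # from github-hosted runners — self-hosted runners are rejected with E422.
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): every `uses:` below references a mutable tag. Pinning
      # to the full commit SHA (`owner/action@<commit-sha> # vN`) prevents a
      # re-tagged release from running with this job's write permissions.
      - name: Checkout Repo
        uses: actions/checkout@v6

      - name: Install pnpm
        uses: pnpm/action-setup@v6.0.8
        with:
          run_install: false
          # Supply-chain hardening — never cache the pnpm store; a poisoned
          # cache entry would execute in this credential-bearing workflow.
          cache: false

      - name: Install Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 22
          # No `cache:`, and package-manager-cache disabled. release.yml
          # publishes to npm (OIDC trusted publishing) and must not restore the
          # GitHub Actions cache — a cache-poisoning / supply-chain vector.
          # Enforced by .github/workflows/tests-supply-chain.yml.
          package-manager-cache: false

      # node-pty's install hook falls back to `node-gyp rebuild` when no
      # linux-x64 prebuild matches. pnpm/action-setup v6 no longer ships
      # node-gyp on PATH, so install it explicitly.
      # NOTE(review): unpinned — resolves to whatever `latest` is at run time.
      # Prefer an exact version (`node-gyp@<pinned-version>`) in this job.
      - name: Install node-gyp
        run: npm install -g node-gyp

      # npm OIDC trusted publishing requires npm >= 11.5.1; Node 22 ships
      # npm 10.x. `changeset publish` shells out to this npm to publish.
      # NOTE(review): the caret range floats to the newest 11.x at run time;
      # an exact version (`npm@<pinned-version>`) keeps the publisher itself
      # reproducible.
      - name: Upgrade npm for OIDC trusted publishing
        run: npm install -g npm@^11.5.1

      # --frozen-lockfile makes the lockfile authoritative regardless of CI
      # environment detection: the install fails instead of silently resolving
      # new versions when the lockfile and package.json disagree.
      - name: Install dependencies
        run: pnpm install --frozen-lockfile

      - name: Publish to npm
        id: changesets
        uses: changesets/action@v1.8.0
        with:
          publish: pnpm run release
          commitMode: 'github-api'
        env:
          # No NPM_TOKEN — publishing authenticates via npm OIDC trusted
          # publishing (id-token: write above). If NPM_TOKEN is set,
          # changesets/action writes a token .npmrc that shadows OIDC and
          # every publish fails with E404 (see npm/cli#8976).
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}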