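name: Publish Packages

# This workflow publishes packages to npm when changes are merged to main branch or when manually triggered.
on:
  push:
    paths:
      - package.json
    # For security reasons, this should never be set to anything but `main`
    branches: [main]
  workflow_dispatch:

# Workflow-wide default is read-only; the OIDC token is granted only to the
# `publish` job below, which is the only job that needs it.
permissions:
  contents: read

env:
  COMMIT_SHA: ${{ github.sha }}

jobs:
  prepare:
    runs-on: ubuntu-latest
    outputs:
      # "true" when the version in package.json changed in this commit, empty otherwise;
      # the publish job is gated on this value
      should_publish: ${{ steps.check.outputs.should_publish }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
        with:
          egress-policy: audit

      - name: Verify commit authenticity
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # GITHUB_REPOSITORY and COMMIT_SHA are read from the environment instead of
        # being interpolated with ${{ }} into the script, so no expression value is
        # ever spliced into shell source.
        run: |
          # Get commit data from GitHub API to verify its authenticity
          COMMIT_DATA=$(gh api "repos/${GITHUB_REPOSITORY}/commits/${COMMIT_SHA}")
          # Check if commit signature is verified (GPG signed)
          VERIFIED=$(echo "$COMMIT_DATA" | jq -r '.commit.verification.verified')
          # Check if commit was made through GitHub's web interface (merge queue)
          COMMITTER=$(echo "$COMMIT_DATA" | jq -r '.commit.committer.email')
          # Security checks to ensure we only publish from verified and trusted sources
          # (a missing field yields "null" from jq -r, which fails the comparison and aborts)
          if [[ "$VERIFIED" != "true" ]]; then
            echo "❌ Unverified commit! Aborting."
            exit 1
          fi
          if [[ "$COMMITTER" != "noreply@github.com" ]]; then
            echo "❌ Not merged with the merge queue! Aborting."
            exit 1
          fi
          echo "✅ Commit is verified and trusted."

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 2 # Need at least 2 commits to detect changes between commits

      - name: Check if we should publish
        id: check
        run: |
          # Compare the version field of package.json in the parent commit with the
          # checked-out one; publish only when it changed.
          OLD_VERSION=$(git show "${COMMIT_SHA}~1:package.json" | jq -r '.version')
          NEW_VERSION=$(jq -r '.version' "package.json")
          if [ "$OLD_VERSION" != "$NEW_VERSION" ]; then
            echo "should_publish=true" >> "$GITHUB_OUTPUT"
          fi

  publish:
    needs: prepare
    runs-on: ubuntu-latest
    if: needs.prepare.outputs.should_publish == 'true'
    permissions:
      contents: read
      # For npm OIDC (https://docs.npmjs.com/trusted-publishers)
      id-token: write
    steps:
      - uses: nodejs/web-team/actions/setup-environment@9f3c83af227d721768d9dbb63009a47ed4f4282f
        with:
          pnpm: true
          use-version-file: true
          registry-url: 'https://registry.npmjs.org'

      - name: Publish
        # NOTE(review): --no-git-checks is a pnpm publish option; confirm the npm
        # version selected by the version file accepts or ignores it.
        run: npm publish --access public --no-git-checks

      # Runs only when the previous steps succeeded (default step condition).
      - name: Notify
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # 2.3.3
        env:
          SLACK_COLOR: '#43853D'
          SLACK_ICON: https://github.com/nodejs.png?size=48
          SLACK_TITLE: ':rocket: Package Published: @node-core/doc-kit'
          SLACK_MESSAGE: |
            :package: *Package*: `@node-core/doc-kit` (<https://www.npmjs.com/package/@node-core/doc-kit|View on npm>)
            :bust_in_silhouette: *Published by*: ${{ github.triggering_actor }}
            :octocat: *Commit*: <https://github.com/${{ github.repository }}/commit/${{ env.COMMIT_SHA }}|${{ env.COMMIT_SHA }}>
          SLACK_USERNAME: nodejs-bot
          SLACK_CHANNEL: nodejs-web-infra
          SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}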