chore(ci): npm-publish via reusable workflows #75
+102
−0
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,95 @@ | ||||||
| name: Publish package to npm | ||||||
|
|
||||||
| on: | ||||||
| release: | ||||||
| types: [created] | ||||||
|
|
||||||
| concurrency: | ||||||
| group: "${{ github.workflow }} ✨ ${{ github.ref }}" | ||||||
| cancel-in-progress: false | ||||||
|
|
||||||
| permissions: | ||||||
| contents: read | ||||||
|
|
||||||
| jobs: | ||||||
| audit: | ||||||
| name: Audit production dependencies | ||||||
| runs-on: ubuntu-latest | ||||||
| steps: | ||||||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||||||
| with: | ||||||
| persist-credentials: false | ||||||
|
|
||||||
| - name: Setup Node.js | ||||||
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||||||
| with: | ||||||
| node-version: "lts/*" | ||||||
|
|
||||||
| - name: Audit production dependencies | ||||||
| run: npm audit --omit=dev | ||||||
|
|
||||||
| lint: | ||||||
| name: Lint | ||||||
| runs-on: ubuntu-latest | ||||||
| steps: | ||||||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||||||
| with: | ||||||
| persist-credentials: false | ||||||
|
|
||||||
| - name: Setup Node.js | ||||||
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||||||
| with: | ||||||
| node-version: "lts/*" | ||||||
|
|
||||||
| - name: Install dependencies | ||||||
| run: npm install --ignore-scripts --include=dev | ||||||
|
|
||||||
| - name: Run lint | ||||||
| run: node --run lint | ||||||
|
|
||||||
| test: | ||||||
| name: Test | ||||||
| runs-on: ubuntu-latest | ||||||
| steps: | ||||||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||||||
| with: | ||||||
| persist-credentials: false | ||||||
|
|
||||||
| - name: Setup Node.js | ||||||
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||||||
| with: | ||||||
| node-version: "lts/*" | ||||||
|
|
||||||
| - name: Install dependencies | ||||||
| run: npm install | ||||||
|
|
||||||
| - name: Run tests | ||||||
| run: npm test | ||||||
|
|
||||||
| publish: | ||||||
| name: Publish to npm | ||||||
| needs: [audit, lint, test] | ||||||
| runs-on: ubuntu-latest | ||||||
| permissions: | ||||||
| contents: read | ||||||
| id-token: write | ||||||
| steps: | ||||||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||||||
| with: | ||||||
| persist-credentials: false | ||||||
|
|
||||||
| - name: Setup Node.js | ||||||
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||||||
| with: | ||||||
| node-version: "lts/*" | ||||||
| registry-url: "https://registry.npmjs.org" | ||||||
|
|
||||||
| # npm stage publish requires npm >= 11.15.0 | ||||||
| - name: Upgrade npm | ||||||
| run: npm install -g npm@latest | ||||||
|
|
||||||
| - name: Install dependencies | ||||||
| run: npm install --ignore-scripts | ||||||
|
Comment on lines
+91
to
+92
Member
There was a problem hiding this comment.
Suggested change
We can skip this :) |
||||||
|
|
||||||
| - name: Stage publish to npm | ||||||
| run: npm stage publish | ||||||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change | ||||
|---|---|---|---|---|---|---|
| @@ -0,0 +1,7 @@ | ||||||
| allow-file=none | ||||||
| allow-remote=none | ||||||
| allow-git=none | ||||||
| allow-directory=none | ||||||
|
|
||||||
| min-release-age=2 | ||||||
|
Member
There was a problem hiding this comment.
Suggested change
I will go for a week, if something is really urgent or critical we will notice and always can manually upgrade. Given the amount of volume in the recent supply chain attacks maybe 2d won't be sustainable long term (specially on large holidays period). One week seems solid IMO |
||||||
| save-exact=false | ||||||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be honest when I publish locally I don't run scripts or install dependencies (unless it is strict requirement like a build process for typescript, etc...). Avoiding that also in the CI we reduce noice and attack surface. We can assume that once a release is created in the repo the source code is stable to ship.
Also audit dependencies is not that relevant as this stage as we don't ship the lockfile, so that audit report won't be idempotent.