
Commit dd2c1a9

committed
build: added trusted publishing
1 parent 740b7b7 commit dd2c1a9

2 files changed

Lines changed: 14 additions & 21 deletions


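--- a/.github/actions/composite-build/action.yml
+++ b/.github/actions/composite-build/action.yml
@@ -1,31 +1,18 @@
 name: Build
-inputs:
-build_script:
-required: false
-type: boolean
-default: "pnpm build"
-lint_script:
-required: false
-type: boolean
-default: "pnpm lint"
-test_script:
-required: false
-type: boolean
-default: "pnpm test"
 
 # note it cannot contain the checkout, the must be checked out in the calling workflow or it will not be able to find the composite action
 runs:
 using: "composite"
 steps:
-- run: ${{ inputs.build_script }}
+- run: pnpm build
 shell: bash
 
-- run: ${{ inputs.lint_script }}
+- run: pnpm lint
 shell: bash
 
-- run: ${{ inputs.test_script }}
+- run: pnpm test
 shell: bash
-
+
 - name: Coverage
 if: ${{ github.event_name == 'pull_request' }}
 uses: romeovs/lcov-reporter-action@v0.3.1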
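Review bot: The `Coverage` step at the end of this composite action still references `romeovs/lcov-reporter-action@v0.3.1` by a mutable tag, and release.yml in this same commit runs the composite action inside a job that holds `contents: write` and `id-token: write`. The step is gated on `github.event_name == 'pull_request'`, so it may never execute in the release job, but pinning it to a full commit SHA removes the dependence on the tag staying where it is: `uses: romeovs/lcov-reporter-action@<full-commit-sha> # v0.3.1`. With the `run:` lines now fixed to `pnpm build`, `pnpm lint` and `pnpm test`, a one-line comment above `steps:` such as `# commands are fixed on purpose: no caller-supplied text is expanded into a shell line` would help keep the `${{ inputs.* }}` form from being reintroduced.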

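--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,13 +10,20 @@ on:
 repository_dispatch:
 types: [ release ]
 
+permissions:
+id-token: write
+
 jobs:
 release:
 runs-on: ubuntu-latest
 strategy:
 matrix:
 node-version: ["lts/*"]
-
+permissions:
+contents: write # to be able to publish a GitHub release
+issues: write # to be able to comment on released issues
+pull-requests: write # to be able to comment on released pull requests
+id-token: write # to enable use of OIDC for trusted publishing and npm provenance
 steps:
 - uses: actions/checkout@v6
 
@@ -31,19 +38,18 @@ jobs:
 - name: Build
 uses: ./.github/actions/composite-build
 
+
 - name: Release
 if: "env.ENABLE_RELEASE == 'true' && ! contains('refs/heads/build ', github.ref)"
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 run: pnpm semantic-release
 
 - name: Release Dry Run
 if: "env.ENABLE_RELEASE != 'true' || contains('refs/heads/build ', github.ref)"
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-run: pnpm semantic-release --dry-run
+run: pnpm semantic-release --dry-run
 
 - run: echo "env.ENABLE_RELEASE is ${{ env.ENABLE_RELEASE == 'true' }} and branch is ${{ github.ref }}, no release can be published." && exit 1
 if: "env.ENABLE_RELEASE != 'true' || contains('refs/heads/build ', github.ref)"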
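Review bot: The workflow-level `permissions:` block added above `jobs:` grants `id-token: write` to every job in the file, while the `release` job declares its own block, and a job-level block replaces the workflow-level one for that job. The top-level grant therefore adds nothing for `release` and only widens any other job defined outside these hunks; a read-only default such as `permissions: { contents: read }` at the top, with the write scopes kept on the job, limits OIDC token minting to the job that publishes. Permissions also apply to the whole job, so the `Build` step and the `Release Dry Run` path run with `contents: write` and `id-token: write` too; running build, lint and test in a separate job without those scopes would be the stricter layout. The `jobs:` mapping continues outside the visible hunks, so whether other jobs exist is not confirmed here.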
