
     1  # Copyright 2023 SLSA Authors
     2  #
     3  # Licensed under the Apache License, Version 2.0 (the "License");
     4  # you may not use this file except in compliance with the License.
     5  # You may obtain a copy of the License at
     6  #
     7  #      http://www.apache.org/licenses/LICENSE-2.0
     8  #
     9  # Unless required by applicable law or agreed to in writing, software
    10  # distributed under the License is distributed on an "AS IS" BASIS,
    11  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  # See the License for the specific language governing permissions and
    13  # limitations under the License.
    14  
    15  name: "npm-publish"
    16  description: "Publish package and provenance to npm"
    17  inputs:
    18    access:
    19      description: "The package access level. Defaults to 'restricted' for scoped packages, 'public' for unscoped packages"
    20      required: false
    21      default: ""
    22    dist-tag:
    23      description: "The package dist-tag to attach. See `npm help dist-tag` for more information."
    24      required: false
    25      default: "latest"
    26    node-auth-token:
    27      description: "The npm registry auth token used to publish the package."
    28      required: true
    29    package-name:
    30      description: "The file name for the package tarball in the artifact."
    31      required: true
    32    package-download-name:
    33      description: "The artifact name for the package tarball."
    34      required: true
    35    package-download-sha256:
    36      description: "The sha256 of the package tarball artifact."
    37      required: true
    38    provenance-name:
    39      description: "The file name for the package provenance in the artifact."
    40      required: true
    41    provenance-download-name:
    42      description: "The artifact name for the package provenance."
    43      required: true
    44    provenance-download-sha256:
    45      description: "The sha256 of the package provenance artifact."
    46      required: false
    47  runs:
    48    using: "composite"
    49    steps:
    50      - name: Create temp dir
    51        id: temp-dir
    52        shell: bash
    53        run: |
    54          set -euo pipefail
    55          temp_dir=$(mktemp -d)
    56          echo "path=${temp_dir}" >>"${GITHUB_OUTPUT}"
    57  
    58      - name: Download tarball
    59        uses: yogeshkumararora/slsa-github-generator/.github/actions/secure-download-artifact@main
    60        with:
    61          name: ${{ inputs.package-download-name }}
    62          path: "${{ steps.temp-dir.outputs.path }}/${{ inputs.package-name }}"
    63          sha256: ${{ inputs.package-download-sha256 }}
    64  
    65      - name: Download provenance
    66        uses: yogeshkumararora/slsa-github-generator/actions/nodejs/secure-attestations-download@main
    67        with:
    68          name: ${{ inputs.provenance-download-name }}
    69          path: "${{ steps.temp-dir.outputs.path }}"
    70          sha256: ${{ inputs.provenance-download-sha256 }}
    71  
    72      - name: Publish the package
    73        id: publish
    74        shell: bash
    75        env:
    76          ACCESS: ${{ inputs.access }}
    77          PACKAGE_PATH: "${{ steps.temp-dir.outputs.path }}/${{ inputs.package-name }}"
    78          ATTESTATION_PATH: "${{ steps.temp-dir.outputs.path }}/${{ inputs.provenance-download-name }}/${{ inputs.provenance-name }}"
    79          DIST_TAG: ${{ inputs.dist-tag }}
    80          NODE_AUTH_TOKEN: ${{ inputs.node-auth-token }}
    81        run: |
    82          set -euo pipefail
    83  
    84          temp_dir=$(mktemp -d)
    85          cd "${temp_dir}"
    86  
    87          # Install npm 9.8.1 which includes support for --provenance-file (added in 9.7.0).
    88          # This installs locally in the temp directory.
    89          npm install npm@9.8.1
    90  
    91          # Print the npm version.
    92          echo "** Installed local version of npm**"
    93          ./node_modules/.bin/npm version
    94  
    95          # Return to the working directory.
    96          cd -
    97  
    98          publish_flags=("--provenance-file=${ATTESTATION_PATH}")
    99          if [[ "${ACCESS}" != "" ]]; then
   100            publish_flags+=("--access=${ACCESS}")
   101          fi
   102          if [[ "${DIST_TAG}" != "" ]]; then
   103            publish_flags+=("--tag=${DIST_TAG}")
   104          fi
   105  
   106          # NOTE: Use the absolute path to the tarball because npm tries to check
   107          # a remote github.com repository if the "package spec" looks like it
   108          # could be a "<owner>/<repo-name>" resulting in git errors.
   109          package_abs_path=$(readlink -m "${PACKAGE_PATH}")
   110  
   111          "${temp_dir}/node_modules/.bin/npm" publish --loglevel verbose "${package_abs_path}" "${publish_flags[@]}"