
Commit 88cbcde

varunsh-coderljharb
authored andcommitted
[actions] Add npm publish workflow
Signed-off-by: Varun Sharma <[email protected]>
1 parent f17395e commit 88cbcde


1 file changed

+125
-0
lines changed


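--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -0,0 +1,125 @@
+name: Publish Package to npm
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Tag to publish"
+        required: true
+
+permissions:
+  contents: read
+
+jobs:
+  check-version:
+    runs-on: ubuntu-latest
+    outputs:
+      is-new-version: ${{ steps.cpv.outputs.is-new-version }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.inputs.tag }}
+
+      - name: Validate semver pattern
+        run: npx semver ${{ inputs.tag }}
+
+      - name: Check package version
+        id: cpv
+        uses: PostHog/check-package-version@v2
+
+      - name: Validate package version
+        uses: actions/github-script@v6
+        with:
+          script: |
+            const isNewVersion = `${{ steps.cpv.outputs.is-new-version }}`;
+            if (isNewVersion === 'true') {
+              console.log(`Version ${context.payload.inputs.tag} has not been published yet`);
+            } else {
+              core.setFailed(`Version ${context.payload.inputs.tag} is already published`);
+            }
+
+  check-status:
+    needs: check-version
+    if: needs.check-version.outputs.is-new-version == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Verify checks passed
+        uses: actions/github-script@v6
+        with:
+          result-encoding: string
+          retries: 3
+          script: |
+            const ref = context.payload.inputs.tag;
+
+            console.log(`Checking status checks for ${ref}`);
+
+            const { owner, repo } = context.repo;
+            const { default_branch: branch } = context.payload.repository;
+
+            const branch = github.rest.repos.getBranch({ owner, repo, branch });
+
+            const checkSuites = await github.rest.checks.listSuitesForRef({ owner, repo, ref });
+
+            if (checkSuites.some(({ status }) => 'completed')) {
+              core.setFailed(`Some workflows for ${context.payload.inputs.tag} are still in-progress`);
+            }
+
+            const { data: { check_runs: checkRuns } } = await Promise.all(
+              (await branch).data.protection.required_status_checks.checks.map(({ context }) => (
+                github.rest.checks.listForRef({
+                  owner,
+                  repo,
+                  ref,
+                  check_name: context
+                })
+              )
+            )
+
+            checkRuns.forEach(({ name, status, conclusion }) => {
+              if (status !== 'completed' || conclusion !== 'success') {
+                console.log(`${name} check failed`);
+                core.setFailed(`Required status check ${name} did not succeed`);
+              }
+              console.log(`${name} check passed`);
+            });
+
+  publish:
+    needs: [check-status]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: step-security/harden-runner@v1
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            github.com:443
+            nodejs.org:443
+            prod.api.stepsecurity.io:443
+            registry.npmjs.org:443
+
+      - uses: actions/checkout@v3
+        with:
+          ref: ${{ github.event.inputs.tag }}
+
+      - uses: ljharb/actions/node/install@main
+        name: "nvm install lts/* && npm install"
+        with:
+          node-version: "lts/*"
+        env:
+          NPM_CONFIG_LEGACY_PEER_DEPS: true
+
+      - run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NODE_AUTH_TOKEN }}" >> .npmrc
+
+      - run: npm publish --dry-run
+
+      - uses: step-security/wait-for-secrets@v1
+        id: wait-for-secrets
+        with:
+          slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
+          secrets: |
+            OTP:
+              name: 'OTP to publish package'
+              description: 'OTP from authenticator app'
+
+      - run: npm publish --access public --otp ${{ steps.wait-for-secrets.outputs.OTP }}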
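Review bot: The `check-status` script declares `const branch` twice in the same scope (the `default_branch: branch` destructuring, then the `getBranch` assignment), which is a SyntaxError, so the gate job fails closed and `publish` never runs; the same block also tests `checkSuites.some(({ status }) => 'completed')`, whose callback returns a truthy string for every element instead of comparing `status`, and reads `checkSuites` and the `Promise.all` result as if they were the `data.check_suites` array and a single response rather than the REST response object and an array of responses. The rewrite below fixes those spots and leaves the `forEach` loop as is, though that loop still logs `check passed` after a failure and wants a `return;` inside the `if`. Separately, `run: npx semver ${{ inputs.tag }}` interpolates the dispatch input straight into the shell; passing it through `env:` as `TAG: ${{ inputs.tag }}` and running `npx semver "$TAG"` keeps the value out of the script body. The actions are pinned by mutable tag or branch (`ljharb/actions/node/install@main`, `@v1`, `@v3`), so the publish path is not reproducible; pinning to full commit SHAs is the usual remedy.
```yaml
          script: |
            const ref = context.payload.inputs.tag;
            const { owner, repo } = context.repo;
            const { default_branch } = context.payload.repository;

            const branch = await github.rest.repos.getBranch({ owner, repo, branch: default_branch });

            const { data: { check_suites: checkSuites } } =
              await github.rest.checks.listSuitesForRef({ owner, repo, ref });

            if (checkSuites.some(({ status }) => status !== 'completed')) {
              core.setFailed(`Some workflows for ${ref} are still in-progress`);
            }

            const responses = await Promise.all(
              branch.data.protection.required_status_checks.checks.map(({ context: check_name }) => (
                github.rest.checks.listForRef({ owner, repo, ref, check_name })
              ))
            );
            const checkRuns = responses.flatMap(({ data }) => data.check_runs);

            // … unchanged: checkRuns.forEach(...) loop …
```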
