From 94f101fa3babd9a7219dbc619cf1256d9b0c2968 Mon Sep 17 00:00:00 2001
From: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>
Date: Tue, 5 Nov 2024 18:29:46 +0800
Subject: [PATCH] ci: enable pipeline publishing
Signed-off-by: Rifa Achrinza <25147899+achrinza@users.noreply.github.com>
---
 .github/workflows/cd.yaml | 78 +++++++++++++++++++++++++++++++++++++++
 .github/workflows/ci.yaml | 69 +++++++++++++++++++---------------
 .gitignore | 7 +++-
 3 files changed, 123 insertions(+), 31 deletions(-)
 create mode 100644 .github/workflows/cd.yaml
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
new file mode 100644
index 0000000..bd33c38
--- /dev/null
+++ b/.github/workflows/cd.yaml
@@ -0,0 +1,78 @@ +name: CD + +on: + push: {} # Remove me! + workflow_dispatch: + inputs: + branch: + description: Branch to publish a release from + required: true + default: main + type: choice + options: + - main + - v9.x + +permissions: {} + +jobs: + test: + name: Test + uses: ./.github/workflows/ci.yaml + build: + name: Build + permissions: + id-token: write + contents: read + actions: read + # Do not pin to hash + # See: https://github.com/slsa-framework/slsa-verifier/issues/12 + uses: slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@v2.0.0 + with: + node-version: 22 + run-scripts: ci, test + publish: + name: Publish + runs-on: ubuntu-24.04 + needs: [build] + permissions: + contents: read + id-token: write + steps: + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - name: Download Tarball + uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-package-download@v2.0.0 + with: + name: ${{ needs.build.outputs.package-download-name }} + path: ${{ needs.build.outputs.package-name }} + sha256: ${{ needs.build.outputs.package-download-sha256 }} + - name: Download Provenance + uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@v2.0.0 + with: + name: ${{ needs.build.outputs.provenance-download-name }} + path: attestations + sha256: ${{ needs.build.outputs.provenance-download-sha256 }} + - name: Publish Dry-Run + env: + TARBALL_PATH: ${{ needs.build.outputs.package-name }} + run: npm publish --dry-run "$TARBALL_PATH" + - name: Request for NPM 2FA Code + uses: step-security/wait-for-secrets@5809f7d044804a5a1d43217fa8f3e855939fc9ef # v1.2.0 + with: + secrets: | + npm-otp: + name: NPM Registry OTP + description: NPM Registry TOTP code for `achrinza-bot` NPM account + - name: Publish Package + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + TARBALL_PATH: ${{ needs.build.outputs.package-name }} + 
PROVENANCE_PATH: ./attestations/${{ needs.build.outputs.provenance-name }} + run: | + npm publish \ + --access=public \ + --provenance-file="$PROVENANCE_PATH" \ + "$TARBALL_PATH"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 2da5938..9243afd 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -2,9 +2,9 @@ name: CI on: push: - branches: [ v9 ] + branches: [v9] pull_request: - branches: [ v9 ] + branches: [v9] jobs: test:
@@ -15,9 +15,9 @@ jobs: fail-fast: false matrix: os: - - ubuntu-latest + - ubuntu-24.04 - macos-13 - - windows-latest + - windows-2022 node-version: - 8 - 9
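Review bot: The `publish` job is gated only on `build` (`needs: [build]`), and `build` itself has no `needs`, so nothing in this workflow makes the npm publish wait for the `test` job to pass; change it to `needs: [test, build]`. The `push: {}` trigger marked `# Remove me!` would run this publish path on every push to any branch with `NPM_TOKEN` in scope, so it must not land as-is; keep `workflow_dispatch` as the only trigger. The `branch` input under `workflow_dispatch` is declared but never referenced anywhere in the file, so the chosen value has no effect on what is built; presumably the builder uses the ref the workflow was dispatched on, in which case the input should be dropped or a comment should say it is informational only.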
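Review bot: ci.yaml is now called from cd.yaml via `uses: ./.github/workflows/ci.yaml`, but its `on:` block, shown in full in this hunk, lists only `push` and `pull_request`; without a `workflow_call:` trigger the caller fails when the reusable workflow is resolved. Add `workflow_call: {}` under `on:` next to the existing triggers. The `branches: [v9]` filters also name a branch that does not match the `main` / `v9.x` options offered by cd.yaml's `branch` input, which may be intentional but is worth confirming.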
@@ -34,38 +34,47 @@ jobs: - 20 - 21 - 22 + - 23 steps: - - uses: actions/checkout@v2 - - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 - with: - node-version: ${{ matrix.node-version }} - - name: Install Dependencies - if: matrix.node-version != 9 - run: npm ci --ignore-scripts - - name: Install Dependencies (Node.js v9) - if: matrix.node-version == 9 - run: npm install - - name: Run Tests - if: matrix.os != 'windows-latest' - run: npm test - - name: Run Tests (Windows) - if: matrix.os == 'windows-latest' - run: npm run-script test-windows - - name: Publish Coverage - if: matrix.os == 'ubuntu-latest' && matrix.node-version == 16 # LTS - uses: coverallsapp/github-action@9ba913c152ae4be1327bfb9085dc806cedb44057 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} + - name: Harden Runner + uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 + with: + node-version: ${{ matrix.node-version }} + - name: Install Dependencies + if: matrix.node-version != 9 + run: npm ci --ignore-scripts + - name: Install Dependencies (Node.js v9) + if: matrix.node-version == 9 + run: npm install + - name: Run Tests + if: startsWith(matrix.os, 'windows-') + run: npm test + - name: Run Tests (Windows) + if: startsWith(matrix.os, 'windows-') + run: npm run-script test-windows + - name: Publish Coverage + if: startsWith(matrix.os, 'ubuntu-') && matrix.node-version == 22 # LTS + uses: coverallsapp/github-action@9ba913c152ae4be1327bfb9085dc806cedb44057 + with: + github-token: ${{ secrets.GITHUB_TOKEN }} code-lint: name: Code Lint - runs-on: ubuntu-latest + runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v2 + - name: Harden Runner + uses: 
step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 + with: + egress-policy: audit + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Use Node.js 16 - uses: actions/setup-node@v1 + uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0 with: - node-version: 16 # LTS + node-version: 22 # LTS - name: Install Dependencies run: npm ci --ignore-scripts - name: Lockfile Lint
diff --git a/.gitignore b/.gitignore
index c618470..592fbe2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,9 @@ /nbproject npm-debug.log node-ipc.cjs -/spec/coverage/ +/coverage/ + +# Code editors +\#*# +.#* +*~
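Review bot: The `Run Tests` step and the `Run Tests (Windows)` step now carry the identical condition `if: startsWith(matrix.os, 'windows-')`, so `npm test` never runs on the ubuntu and macos matrix entries and the Windows entries run both commands. The first step's condition should be negated, `if: "!startsWith(matrix.os, 'windows-')"` (quoted, because a bare `!` opens a YAML tag). In `code-lint` the step is still named `Use Node.js 16` while `node-version` is now `22`; rename it `Use Node.js 22` so the job log matches what runs. The `test` job's `runs-on` and matrix definition begin above this hunk, so the condition change is the only part of that job visible here.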