ci: enable pipeline publishing

Signed-off-by: Rifa Achrinza <[email protected]>

.github/workflows/cd.yaml

@@ -0,0 +1,66 @@
+name: CD
+
+on:
+  push: {} # Remove me!
+  workflow_dispatch:
+    inputs:
+      branch:
+        description: Branch to publish a release from
+        required: true
+        default: main
+        type: choice
+        options:
+          - main
+          - v9.x
+
+permissions: {}
+
+jobs:
+  test:
+    uses: ./.github/workflows/ci.yaml
+  build:
+    name: Build
+    permissions:
+      id-token: write
+      contents: read
+      actions: read
+    # Do not pin to hash
+    # See: https://github.com/slsa-framework/slsa-verifier/issues/12
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      node-version: 22
+      run-scripts: ci, test
+  publish:
+    name: Publish
+    runs-on: ubuntu-24.04
+    needs: [build]
+    steps:
+      - name: Download Tarball
+        uses: slsa-framework/slsa-github-generator/actions/nodejs/[email protected]
+        with:
+          name: ${{ needs.build.outputs.package-download-name }}
+          path: ${{ needs.build.outputs.package-name }}
+          sha256: ${{ needs.build.outputs.package-download-sha256 }}
+      - name: Download Provenance
+        uses: slsa-framework/slsa-github-generator/actions/nodejs/[email protected]
+        with:
+          name: ${{ needs.build.outputs.provenance-download-name }}
+          path: attestations
+          sha256: ${{ needs.build.outputs.provenance-download-sha256 }}
+      - name: Request for NPM 2FA Code
+        uses: step-security/wait-for-secrets@5809f7d044804a5a1d43217fa8f3e855939fc9ef # v1.2.0
+        with:
+          secrets: |
+            npm-otp:
+              name: NPM Registry OTP
+              description: NPM Registry TOTP code for `achrinza-bot` NPM account
+      - name: Publish Package
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          TARBALL_PATH: ${{ needs.build.outputs.package-name }}
+          PROVENANCE_PATH: ./attestations/${{ needs.build.outputs.provenance-name }}
+        run: |
+          npm publish \
+            --access=public \
+            --provenance-file="$PROVENANCE_PATH" \
+            "$TARBALL_PATH"

.github/workflows/ci.yaml

@@ -2,20 +2,23 @@ name: CI
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
-    branches: [ main ]
+    branches: [main]
+  workflow_call: {}
 
+permissions: {}
+
 jobs:
   test:
     name: Test
     runs-on: ${{ matrix.os }}
     strategy:
       matrix:
         os:
-          - ubuntu-latest
+          - ubuntu-24.04
           - macos-13
-          - windows-latest
+          - windows-2022
         node-version:
           - 14
           - 16
@@ -25,31 +28,36 @@ jobs:
           - 20
           - 21
           - 22
+          - 23
     steps:
-      - uses: actions/checkout@v2
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
           node-version: ${{ matrix.node-version }}
+          cache: npm
       - name: Install Dependencies
-        run: npm ci --ignore-scripts
+        run: npm ci --prefer-offline --ignore-scripts
       - name: Run Tests
-        run: npm test
+        run: npm test --ignore-scripts
   code-lint:
     name: Code Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
-      - name: Use Node.js 16
-        uses: actions/setup-node@v1
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Use Node.js 22
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
-          node-version: 16 # LTS
+          node-version: 22 # LTS
+          cache: npm
       - name: Install Dependencies
-        run: npm ci --ignore-scripts
+        run: npm ci --prefer-offline --ignore-scripts
       - name: Lockfile Lint
         run: |
           npm exec \
-            --no-install \
+            --no \
             --package=lockfile-lint \
             -- \
             lockfile-lint \

.gitignore

@@ -4,3 +4,8 @@
 npm-debug.log
 node-ipc.cjs
 /coverage/
+
+# Code editors
+\#*#
+.#*
+*~

RELEASE.md

@@ -0,0 +1,44 @@
+# Publishing a Release
+
+This project uses a manually-invoked GitHub Actions workflow to publish its packages.
+
+This workflow uses:
+- The SLSA Node.js builder to achieve SLSA v3-level provenance
+- An NPM granular access token for `achrinza-bot`
+
+## Publishing
+
+Before continuing, enusre that you have:
+
+1. A GitHub account with the `Repository Admin` role for the `achrinza/node-ipc` repository
+2. The username and password for the `achrinza-bot` NPM account or any account that has:
+  1. TOTP 2FA enabled
+  2. Write access to the `@achrinza/node-ipc` NPM package
+3. The TOTP generator for said account
+
+### 1. Regenerating the NPM Granular Token
+
+1. Go to [New Granular Access Token](https://www.npmjs.com/settings/achrinza/tokens/granular-access-tokens/new)
+2. Generate a granular access token that:
+  1. expires in 1 day
+  2. has `Read and write` permssions for only the `@achrinza/node-ipc` package.
+3. Click `Generate` and copy the token
+
+### 2. Creating a GitHub "Release"
+
+1. Delete and re-fetch all Git tags
+   This is necessary to prevent accidental tags from being pushed to the GitHub repository
+
+   On Linux or macOS:
+   ```sh
+   $ git branch -l | xargs -I{} git branch -d {}
+   $ git fetch 'refs/tags/*:refs/tags/*'
+   ```
+
+   On Windows ()
+
+### 3. Creating an NPM Release
+
+1. Go to [Update Action secret NPM_TOKEN](https://github.com/achrinza/node-ipc/settings/secrets/actions/NPM_TOKEN)
+2. Paste the token and click `Update secret`
+3. Go to [CD * workflow runs](https://github.com/achrinza/node-ipc/actions/workflows/cd.yaml)