-
Notifications
You must be signed in to change notification settings - Fork 132
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use SLSA publish action to include verified build information #211
base: main
Are you sure you want to change the base?
Changes from 1 commit
f858242
b6cb2d2
eb4e7d6
04d5d66
3cf5427
0f7429f
51e946d
8ed2bbe
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -5,16 +5,33 @@ on: | |
types: [created] | ||
|
||
jobs: | ||
publish-npm: | ||
build: | ||
permissions: | ||
id-token: write # For signing | ||
contents: read # For repo checkout. | ||
actions: read # For getting workflow run info. | ||
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] | ||
with: | ||
run-scripts: "i, test" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Running In general though I think we are actually going to lean towards projects running tests outside the builder since that way they can support multiple-node versions, different runners etc. The tests also can't interfere with the build that way. In that case you probably could get away without any There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Aye, we run the full matrix on normal CI every commit, we just like to make sure an obviously broken build isn't published when we cut a release :) |
||
publish: | ||
needs: [build] | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v2 | ||
- uses: actions/setup-node@v1 | ||
- name: Set up Node registry authentication | ||
uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0 | ||
with: | ||
node-version: 14 | ||
registry-url: https://registry.npmjs.org/ | ||
- run: npm i | ||
- run: node test/validateModuleExportsMatchCommonJS/index.js | ||
- run: npm publish | ||
env: | ||
NODE_AUTH_TOKEN: ${{secrets.npm_token}} | ||
node-version: 18 | ||
registry-url: "https://registry.npmjs.org" | ||
|
||
- name: publish | ||
id: publish | ||
uses: slsa-framework/slsa-github-generator/actions/nodejs/publish@4314fec3d06bb217f163b89466dcd34be65b9bf1 # v1.6.0 | ||
weswigham marked this conversation as resolved.
Show resolved
Hide resolved
|
||
with: | ||
access: public | ||
node-auth-token: ${{ secrets.npm_token }} | ||
package-name: ${{ needs.build.outputs.package-name }} | ||
package-download-name: ${{ needs.build.outputs.package-download-name }} | ||
package-download-sha256: ${{ needs.build.outputs.package-download-sha256 }} | ||
provenance-name: ${{ needs.build.outputs.provenance-name }} | ||
provenance-download-name: ${{ needs.build.outputs.provenance-download-name }} | ||
provenance-download-sha256: ${{ needs.build.outputs.provenance-download-sha256 }} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -43,5 +43,8 @@ | |
}, | ||
"./*": "./*", | ||
"./": "./" | ||
}, | ||
"scripts": { | ||
"test": "node ./test/runTests.js && node test/validateModuleExportsMatchCommonJS/index.js" | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Previously the publish skipped the
weswigham marked this conversation as resolved.
Show resolved
Hide resolved
|
||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -14,7 +14,14 @@ const tests = filesInTest | |
// Support setting up the test node modules | ||
if (!filesInTest.includes("node_modules")) { | ||
console.log("Installing Deps..."); | ||
spawnSync("npm", ["install"], { cwd: __dirname }); | ||
const res = spawnSync("npm", ["install"], { cwd: __dirname, shell: true }); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. At least on my machine, you can't actually find |
||
if (res.error) { | ||
console.error(res.error); | ||
process.exit(res.error.errno || -1); | ||
} | ||
if (res.output) { | ||
console.log(res.output.toString()); | ||
} | ||
console.log("Installed"); | ||
} | ||
|
||
|
@@ -37,13 +44,13 @@ for (const test of tests) { | |
if (pgkJSON.dependencies || pgkJSON.devDependencies) { | ||
const nodeModsInstalled = fs.existsSync(path.join(__dirname, test, "node_modules")); | ||
if (!nodeModsInstalled) { | ||
spawnSync("npm", ["install"], { cwd: path.join(__dirname, test) }); | ||
spawnSync("npm", ["install"], { cwd: path.join(__dirname, test), shell: true }); | ||
} | ||
} | ||
|
||
// Run the test command | ||
const results = spawnSync("npm", ["test"], { cwd: path.join(__dirname, test) }); | ||
console.log(results.stdout.toString()) | ||
console.log((results.stdout || "").toString()) | ||
if (results.status) { | ||
console.log(chalk.bold.red("Error running test: ") + chalk.bold(test)) | ||
console.log(results.stderr.toString()) | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
v1.8.0 fixes some issues with unscoped packages.