add support to auth caching (#575) #16

Workflow file for this run

.github/workflows/stable-publish.yml at 0fc43da

	name: Publish stable

	on:
	push:
	branches:
	- master

	# Declare default permissions as read only.
	permissions: read-all

	jobs:
	check_author:
	runs-on: ubuntu-22.04
	outputs:
	latest_commit_author: ${{ steps.commit.outputs.author }}
	get_version: ${{ steps.get_version.outputs.version }}
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
	with:
	egress-policy: audit

	- name: Checkout Repo
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

	- name: Install yq
	run: \|
	sudo apt-get update &&\
	sudo apt-get install wget -y &&\
	sudo wget https://github.com/mikefarah/yq/releases/download/v4.34.1/yq_linux_amd64 -O /usr/bin/yq &&\
	sudo chmod +x /usr/bin/yq

	- name: Get last commit details
	id: commit
	run: \|
	COMMIT_SHA=$(git rev-parse HEAD)
	COMMIT_DETAILS=$(curl -s -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" \
	"https://api.github.com/repos/${{ github.repository }}/commits/$COMMIT_SHA")
	echo "author=$(echo $COMMIT_DETAILS \| yq '.author.login')" >> $GITHUB_OUTPUT

	- name: Use node@16
	uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
	with:
	node-version: 16.20.0

	- name: Get version
	id: get_version
	run: \|
	echo "version=$(node -p "require('./lerna.json').version")" >> $GITHUB_OUTPUT

	prepare:
	needs: check_author
	runs-on: ubuntu-22.04
	if: ${{ needs.check_author.outputs.latest_commit_author == 'github-actions[bot]' && !contains(needs.check_author.outputs.get_version, 'rc') }}
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
	with:
	egress-policy: audit

	- name: Checkout Repo
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

	- name: Prepare pre-requisites
	uses: ./.github/actions/prepare

	# Deterministic Build & tests
	provenance:
	permissions:
	id-token: write
	contents: read
	actions: read
	needs: prepare
	uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
	with:
	run-scripts: "install-deps, style, nx-build-skip-cache, nx-test-skip-cache"
	node-version: "16.20.0"

	# Git tag the commit for publishing
	tag:
	name: Tag stable version for all packages
	permissions:
	id-token: write
	contents: write
	actions: read
	runs-on: ubuntu-22.04
	needs: provenance
	outputs:
	stable_version: ${{ steps.get_version.outputs.stable_version }}
	steps:
	- name: Harden Runner
	uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 # v2.5.1
	with:
	egress-policy: audit

	- name: Checkout
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	with:
	token: ${{ secrets.SAI_PAT }}

	- name: Import GPG key
	uses: crazy-max/ghaction-import-gpg@82a020f1f7f605c65dd2449b392a52c3fcfef7ef # v6.0.0
	with:
	gpg_private_key: ${{ secrets.SVC_GPG_KEY }}
	passphrase: ${{ secrets.SVC_GPG_PASSPHRASE }}
	git_config_global: true
	git_tag_gpgsign: true
	git_user_signingkey: true
	git_commit_gpgsign: true

	- name: Use node@16
	uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
	with:
	node-version: 16.20.0

	- name: Create temp dir
	id: temp-dir
	run: \|
	set -euo pipefail

	temp_dir=$(mktemp -d)
	echo "path=${temp_dir}" >>"${GITHUB_OUTPUT}"

	- name: Download tarball
	uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@934435652996c02a6317092984312602dfaf2a21 # main
	with:
	name: ${{ needs.provenance.outputs.package-download-name }}
	path: "${{ steps.temp-dir.outputs.path }}/${{ needs.provenance.outputs.package-name }}"
	sha256: ${{ needs.provenance.outputs.package-download-sha256 }}

	- name: Download provenance
	uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@0779f7bec68e2bf54a7b0a32bf4763f25ab29702 # v1.6.0
	with:
	name: ${{ needs.provenance.outputs.provenance-download-name }}
	path: "${{ steps.temp-dir.outputs.path }}"
	sha256: ${{ needs.provenance.outputs.provenance-download-sha256 }}

	- name: Authenticate NPM
	run: \|
	echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
	echo "@openzeppelin:registry https://registry.npmjs.org" >> ~/.npmrc

	- name: Enable NPM PROVENANCE
	run: echo "NPM_CONFIG_PROVENANCE=true" >> $GITHUB_ENV

	- name: Get version info
	id: get_version
	run: \|
	TAG_NAME=$(node -p "require('./lerna.json').version")
	echo "stable_version=v$TAG_NAME" >> $GITHUB_OUTPUT

	- name: Unpack the zipped artifact and publish
	run: \|
	set -euo pipefail
	cd "${{ steps.temp-dir.outputs.path }}"
	tar -xzvf "${{ needs.provenance.outputs.package-name }}"
	cd package/; git init
	git add .
	git commit -m "Add the untracked files"
	tag_ref=${{ steps.get_version.outputs.stable_version }}
	tag_version=${tag_ref#refs/tags/v}
	lerna_options="--no-git-tag-version --no-push --ignore-scripts --yes --exact --no-changelog"
	lerna publish $tag_version $lerna_options
	cd ../../

	- name: Create and push tag
	run: \|
	git tag -a ${{ steps.get_version.outputs.stable_version }} -m "${{ steps.get_version.outputs.stable_version }}"
	git push origin ${{ steps.get_version.outputs.stable_version }}

	create-release:
	name: Create Release
	needs: tag
	permissions:
	contents: write
	uses: ./.github/workflows/release.yml
	with:
	tag: ${{ needs.tag.outputs.stable_version }}
	prerelease: false

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add support to auth caching (#575) #16

Workflow file

add support to auth caching (#575) #16

Jobs

Run details

Workflow file for this run