From e24749fa81f394f7ac41ed791e47dacfdb21da28 Mon Sep 17 00:00:00 2001
From: ValeryG
Date: Mon, 25 Aug 2025 15:07:58 -0600
Subject: [PATCH 1/5] chore: npmjs trusted publishing [KHCP-17661]
---
 .../workflows/cleanup-preview-packages.yaml | 12 ---
 .github/workflows/pr-closed.yaml | 2 -
 .github/workflows/publish.yaml | 80 ++++++++++++++++---
 .github/workflows/test.yaml | 79 +-----------------
 .nvmrc | 2 +-
 package.json | 9 ++-
 6 files changed, 80 insertions(+), 104 deletions(-)
diff --git a/.github/workflows/cleanup-preview-packages.yaml b/.github/workflows/cleanup-preview-packages.yaml
index c1a1f9ba5..a66502425 100644
--- a/.github/workflows/cleanup-preview-packages.yaml
+++ b/.github/workflows/cleanup-preview-packages.yaml
@@ -13,7 +13,6 @@ jobs:
 name: Cleanup PR Previews runs-on: ubuntu-latest env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }} GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }} steps:
@@ -24,14 +23,3 @@ jobs:
 - name: Checkout Source Code uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- - name: Prepare cleanup - id: prepare - run: | - echo "openPRs=$(gh pr list --state open --json number|jq -cM 'map(.number|tostring)')" >> $GITHUB_OUTPUT - echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }}" > .npmrc - - - name: Cleanup PR preview - uses: Kong/public-shared-actions/pr-previews/cleanup@main - with: - package: "@kong/kong-auth-elements" - openPRs: ${{ steps.prepare.outputs.openPRs }}
diff --git a/.github/workflows/pr-closed.yaml b/.github/workflows/pr-closed.yaml
index 99f2c0574..d7a58d172 100644
--- a/.github/workflows/pr-closed.yaml
+++ b/.github/workflows/pr-closed.yaml
@@ -7,8 +7,6 @@ jobs:
 remove-pr-preview-comment: name: Remove PR preview comment from PR runs-on: ubuntu-latest - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }} steps: - name: Harden Runner uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 5f65c3a6b..41ac48c84 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -11,9 +11,7 @@ jobs:
 run-tests: name: Tests uses: ./.github/workflows/test.yaml - # Must pass in secrets here so that the calling workflow can pass in the NPM_TOKEN needed to install private packages.
 secrets: - NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }} VITE_AUTH_URL: ${{ secrets.VITE_AUTH_URL }} publish: needs: run-tests
@@ -24,6 +22,15 @@ jobs:
 uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
 with: egress-policy: audit + + - name: Remove preview consumption comment + if: github.event_name == 'pull_request' + uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+ with: + header: pr_preview_consumption + delete: true + GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }} + - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
@@ -32,27 +39,82 @@ jobs: - name: Use Node.js uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: + registry-url: https://registry.npmjs.org node-version-file: '.nvmrc' - name: Install dependencies run: yarn install --frozen-lockfile - - name: Lint - run: yarn lint - - name: Build run: yarn build - - name: Create .npmrc + - name: Publish package preview + id: package-preview + # Do not run for `alpha` or `beta` branches + if: github.event_name == 'pull_request' && github.actor != 'renovate[bot]' && !contains(github.head_ref || github.ref_name, 'alpha') && !contains(github.head_ref || github.ref_name, 'beta') env: NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }} - # Reference the env variable NPM_TOKEN here, not the secret - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc + run: | + git config user.email "konnectx-engineers+kongponents-bot@konghq.com" + git config user.name "Kong UI Bot" + + preid="pr.${{ github.event.pull_request.number }}.$(git rev-parse --short ${{ github.event.pull_request.head.sha }})" + tag="pr-${{ github.event.pull_request.number }}" + echo "preid=${preid}" + + git checkout ${{ github.head_ref }} + + yarn version --prerelease --preid ${preid} --allow-branch ${{ github.head_ref }} --no-git-tag-version --yes --amend + + package_version=$(jq -r ".version" package.json) + package=@kong/kong-auth-elements@"${package_version}" + + npm show "${package}" >/dev/null 2>&1 && npm_show_status=0 || npm_show_status=1 + if [ $npm_show_status -eq 0 ]; then + echo "Package ${package} is already published. Skipping publishing." 
+ exit 0 + fi + + npm_instructions="" + + pkg=$(npm publish --no-git-checks --access public --report-summary --tag "${tag}" | grep "+ "| sed 's/+ //') + + if [[ -z "${pkg}" ]]; then + echo "Error publishing package" + exit -1 + fi + + npm_instructions="@$(echo ${pkg}|cut -d'@' -f2)@${tag}" + + echo "npm_instructions<> $GITHUB_OUTPUT + echo -e "$npm_instructions" >> $GITHUB_OUTPUT + echo "EOF" >> $GITHUB_OUTPUT + + - name: Provide preview link info + if: ${{ steps.package-preview.outputs.npm_instructions != '' }} + uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
+ with: + header: pr_preview_consumption + message: | + ### Install the preview package from this PR in your consuming application + + In your host project, you may install the preview package version generated by this PR: + + ```sh + ${{ steps.package-preview.outputs.npm_instructions }} + ``` + GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }} - name: Semantic Release uses: cycjimmy/semantic-release-action@16ca923e6ccbb50770c415a0ccd43709a8c5f7a4 # v4.2.2
+ if: github.event_name == 'push' env: # Since branch protections are on (pushing commits) you need to use a bot PAT
 GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }} + # as of now cycjimmy/semantic-release-action is not publishing to npmjs as
+ # trusted publishing is not yet supported, so we want to do a publish as separate step
+ - name: Publish to npm + if: github.event_name == 'push' + run: | + npm publish
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 5d8763459..3ae1473b1 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
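Review bot: The new `Publish to npm` step at the end of this hunk runs `npm publish` on every push event, including pushes where Semantic Release finds no releasable commit, so it will attempt to republish the version already in package.json and the registry's rejection of an existing version will fail the job. Give the Semantic Release step an `id: semantic-release` and gate the publish on its output: `if: github.event_name == 'push' && steps.semantic-release.outputs.new_release_published == 'true'`. Separately, the preview script interpolates `${{ github.head_ref }}` straight into the shell (`git checkout ${{ github.head_ref }}` and `--allow-branch ${{ github.head_ref }}`) while a publishing credential sits in the step environment; pass the ref through `env:` (e.g. `HEAD_REF: ${{ github.head_ref }}`) and reference `"$HEAD_REF"` so a branch name is data rather than script. The `publish` job's `steps:` list begins before this hunk.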
@@ -9,11 +9,7 @@ on:
 # Allow workflow to be called by another workflow
 workflow_call: - # Must define secrets here so that the calling workflow can pass in the NPM_TOKEN needed to install private packages.
 secrets: - NPM_TOKEN: - description: 'The NPM_TOKEN passed from the caller workflow as it is not available within workflow_call.' - required: true VITE_AUTH_URL: description: 'The base URL of the KAuth backend, e.g. https://global.api.konghq.tech' required: true
@@ -36,13 +32,6 @@ jobs:
 uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
 with: egress-policy: audit - - name: Remove preview consumption comment - if: github.event_name == 'pull_request' - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
- with: - header: pr_preview_consumption - delete: true - GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }} - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -53,6 +42,7 @@ jobs:
 uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with: node-version-file: '.nvmrc' + registry-url: https://registry.npmjs.org - name: Install dependencies run: yarn install --frozen-lockfile
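Review bot: The `registry-url: https://registry.npmjs.org` added to the setup-node step in `@@ -53,6 +42,7 @@` has no consumer left in test.yaml: this series removes every publish step from the test workflow, and setup-node with `registry-url` writes an `.npmrc` that references `NODE_AUTH_TOKEN`, which nothing in this workflow sets. Unless `yarn install` here depends on that registry override (it is presumably the default registry anyway), drop the line and keep registry configuration in publish.yaml, so the test workflow carries no publishing setup at all.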
@@ -66,73 +56,6 @@ jobs: - name: Typecheck run: yarn typecheck - - name: Build - if: github.event_name == 'pull_request' - run: yarn build - - - name: Create .npmrc - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }} - # Reference the env variable NPM_TOKEN here, not the secret - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc - - - name: Publish package preview - id: package-preview - # Do not run for `alpha` or `beta` branches - if: github.event_name == 'pull_request' && github.actor != 'renovate[bot]' && !contains(github.head_ref || github.ref_name, 'alpha') && !contains(github.head_ref || github.ref_name, 'beta') - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }} - run: | - git config user.email "konnectx-engineers+kongponents-bot@konghq.com" - git config user.name "Kong UI Bot" - - preid="pr.${{ github.event.pull_request.number }}.$(git rev-parse --short ${{ github.event.pull_request.head.sha }})" - tag="pr-${{ github.event.pull_request.number }}" - echo "preid=${preid}" - - git checkout ${{ github.head_ref }} - - yarn version --prerelease --preid ${preid} --allow-branch ${{ github.head_ref }} --no-git-tag-version --yes --amend - - package_version=$(jq -r ".version" package.json) - package=@kong/kong-auth-elements@"${package_version}" - - npm show "${package}" >/dev/null 2>&1 && npm_show_status=0 || npm_show_status=1 - if [ $npm_show_status -eq 0 ]; then - echo "Package ${package} is already published. Skipping publishing." 
- exit 0 - fi - - npm_instructions="" - - pkg=$(npm publish --no-git-checks --access public --report-summary --tag "${tag}" | grep "+ "| sed 's/+ //') - - if [[ -z "${pkg}" ]]; then - echo "Error publishing package" - exit -1 - fi - - npm_instructions="@$(echo ${pkg}|cut -d'@' -f2)@${tag}" - - echo "npm_instructions<> $GITHUB_OUTPUT - echo -e "$npm_instructions" >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT - - - name: Provide preview link info - if: ${{ steps.package-preview.outputs.npm_instructions != '' }} - uses: marocchino/sticky-pull-request-comment@773744901bac0e8cbb5a0dc842800d45e9b2b405 # v2.9.4
- with: - header: pr_preview_consumption - message: | - ### Install the preview package from this PR in your consuming application - - In your host project, you may install the preview package version generated by this PR: - - ```sh - ${{ steps.package-preview.outputs.npm_instructions }} - ``` - GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }} - - name: Run Cypress component tests uses: cypress-io/github-action@b8ba51a856ba5f4c15cf39007636d4ab04f23e3c # v6.10.2
 with:
diff --git a/.nvmrc b/.nvmrc
index 91d5f6ff8..b5e8f5c1d 100644
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-22.18.0
+24.6.0
diff --git a/package.json b/package.json
index 618e1d1b7..e6cf21af2 100644
--- a/package.json
+++ b/package.json
@@ -128,7 +128,12 @@
 "changelogFile": "CHANGELOG.md" } ], - "@semantic-release/npm", + [ + "@semantic-release/npm", + { + "npmPublish": false + } + ], [ "@semantic-release/git", {
@@ -155,7 +160,7 @@
 "node": ">=22.18.0" }, "volta": { - "node": "22.18.0", + "node": "24.6.0", "yarn": "1.22.22" } }
From 6af500363a2522c6ecd0d0a2de37605f650b7f8e Mon Sep 17 00:00:00 2001
From: ValeryG
Date: Mon, 25 Aug 2025 15:11:57 -0600
Subject: [PATCH 2/5] fix: remove unneeded workflow
---
 .../workflows/cleanup-preview-packages.yaml | 25 -------------------
 1 file changed, 25 deletions(-)
 delete mode 100644 .github/workflows/cleanup-preview-packages.yaml
diff --git a/.github/workflows/cleanup-preview-packages.yaml b/.github/workflows/cleanup-preview-packages.yaml
deleted file mode 100644
index a66502425..000000000
--- a/.github/workflows/cleanup-preview-packages.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: Cleanup PR preview packages
-on: - workflow_dispatch: - schedule: - - cron: '0 0/6 * * 6,0' - -concurrency: - group: ${{ github.ref }}-${{ github.workflow }} - cancel-in-progress: true - -jobs: - cleanup: - name: Cleanup PR Previews - runs-on: ubuntu-latest - env: - GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }} - - steps: - - name: Harden Runner - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
- with: - egress-policy: audit - - name: Checkout Source Code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-
From 0754c8a3ce2a91295a15d9568bb6ffa9a29091a7 Mon Sep 17 00:00:00 2001
From: ValeryG
Date: Mon, 25 Aug 2025 15:14:11 -0600
Subject: [PATCH 3/5] fix: dispatch rules and permissions
---
 .github/workflows/publish.yaml | 12 ++++++++++++
 .github/workflows/test.yaml | 5 -----
 2 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 41ac48c84..199b17248 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -7,6 +7,18 @@ on:
 - alpha - beta + pull_request: + branches: + - main + - alpha + - beta + +permissions: + id-token: write + contents: read + actions: read + + jobs: run-tests: name: Tests
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index 3ae1473b1..c3d8e5c49 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -1,11 +1,6 @@
 name: Tests on: - pull_request: - branches: - - main - - alpha - - beta # Allow workflow to be called by another workflow workflow_call:
From 96c5ecbdeffe15af542c81e8e4f6c0a0f6eed724 Mon Sep 17 00:00:00 2001
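Review bot: The workflow-level `permissions:` block in the publish.yaml hunk (`@@ -7,6 +7,18 @@`) grants `id-token: write` to every job in the file, including `run-tests`, which only calls the reusable test workflow and publishes nothing; keep `contents: read` and `actions: read` at workflow level and move `id-token: write` into a job-level `permissions:` on `publish`, so an OIDC token is minted only in the job that runs `npm publish`. With the new `pull_request` trigger, a PR opened from a fork presumably receives neither repository secrets nor an OIDC token, so the preview `npm publish` and the sticky-comment steps that read `KONGPONENTS_BOT_PAT` would fail rather than skip; adding `github.event.pull_request.head.repo.full_name == github.repository` to those steps' `if:` conditions makes the skip explicit. The rest of the `on:` block starts before this hunk.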
From: ValeryG
Date: Mon, 25 Aug 2025 15:36:34 -0600
Subject: [PATCH 4/5] fix: token
---
 .github/workflows/publish.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 199b17248..721429454 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -65,7 +65,7 @@ jobs:
 # Do not run for `alpha` or `beta` branches
 if: github.event_name == 'pull_request' && github.actor != 'renovate[bot]' && !contains(github.head_ref || github.ref_name, 'alpha') && !contains(github.head_ref || github.ref_name, 'beta') env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN_PUBLIC_PUBLISH }} + GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }} run: | git config user.email "konnectx-engineers+kongponents-bot@konghq.com" git config user.name "Kong UI Bot"
From 7acbee9d6ab180bf43b2c4e0170a87b9c9892697 Mon Sep 17 00:00:00 2001
From: ValeryG
Date: Mon, 25 Aug 2025 16:27:50 -0600
Subject: [PATCH 5/5] fix: fetch-depth
---
 .github/workflows/publish.yaml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 721429454..6744fbe17 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -47,6 +47,7 @@ jobs:
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with: token: ${{ secrets.KONGPONENTS_BOT_PAT }} + fetch-depth: 0 - name: Use Node.js uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
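Review bot: The `GITHUB_TOKEN: ${{ secrets.KONGPONENTS_BOT_PAT }}` that replaces `NPM_TOKEN` in the preview step's `env:` (`@@ -65,7 +65,7 @@`) does not appear to be read by anything in that step: the script visible in the earlier publish.yaml hunk only runs `git config`, `git checkout`, `yarn version --no-git-tag-version`, `jq`, `npm show` and `npm publish`, none of which push or call the GitHub API, and `npm publish` is presumably meant to authenticate through trusted publishing per the series title. Handing a bot PAT to a shell step that also executes package lifecycle scripts widens what a compromised dependency could reach, so drop the `env:` block unless a command outside the hunk needs it, in which case name that command in a comment such as `# KONGPONENTS_BOT_PAT is required by <command>`. The step's `run:` script continues past the end of this hunk.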
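Review bot: `fetch-depth: 0` in the checkout step (`@@ -47,6 +47,7 @@`) is presumably there because Semantic Release needs tags and full commit history to compute the next version, but nothing in the file says so; add `# full history: semantic-release needs tags and commits to compute the next version` above the line so it is not trimmed back to a shallow clone later. This checkout also keeps `KONGPONENTS_BOT_PAT` in the clone's git config for the rest of the job (actions/checkout's default `persist-credentials: true`), and the later `yarn install` and `npm publish` steps run third-party lifecycle scripts, so it is worth confirming whether Semantic Release can push with the `GITHUB_TOKEN` env it already receives, in which case `persist-credentials: false` would keep the PAT out of the working tree. The checkout step's `with:` block starts before this hunk.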