dkg-hello-world/.github/workflows/publish.yml at main · OriginTrail/dkg-hello-world · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
# Publish @origintrail-official/dkg-hello-world to npm on version-tag push.
#
# Trigger: push of a `v*.*.*` tag whose version string matches package.json's
# "version" field exactly. The workflow refuses to publish otherwise — this
# prevents a mistyped tag from publishing a wrong version or an unrelated
# commit.
#
# Provenance: we publish with --provenance, so npm records a sigstore
# attestation binding this package version to this repo + this workflow
# run. The @origintrail-official/dkg CLI's `dkg integration install` step
# verifies that attestation at install time; without it, installs for
# cli-kind integrations are refused. See:
# https://docs.npmjs.com/generating-provenance-statements
#
# Setup required once:
#   - NPM_TOKEN secret: npm "Granular Access Token" scoped narrowly to the
#     single package `@origintrail-official/dkg-hello-world`, Automation type,
#     "Read and write" permission. Package-scoped (rather than scope-wide) so
#     a leak here cannot overwrite other @origintrail-official packages.
#   - Repo must be public at publish time, otherwise consumers cannot verify
#     the provenance attestation end-to-end.

name: Publish to npm

on:
  push:
    tags:
      - 'v*.*.*'

permissions:
  contents: read
  id-token: write

jobs:
  publish:
    name: Publish @origintrail-official/dkg-hello-world
    runs-on: ubuntu-latest
    timeout-minutes: 10
    environment: npm-publish

    steps:
      - name: Checkout
        uses: actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org

      - name: Verify tag matches package.json version
        run: |
          TAG="${GITHUB_REF#refs/tags/v}"
          PKG_VERSION="$(node -p "require('./package.json').version")"
          if [ "$TAG" != "$PKG_VERSION" ]; then
            echo "::error::Tag v$TAG does not match package.json version $PKG_VERSION"
            echo "Bump package.json first, then re-tag."
            exit 1
          fi
          echo "Publishing version $PKG_VERSION"

      - name: Sanity check the entry point parses
        run: node --check src/index.mjs

      - name: Publish to npm (with provenance)
        run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}