(ci): Update to granular NPM tokens (#202) #93
| name: Publish to latest Tag | |
| on: | |
| push: | |
| branches: | |
| - main | |
| permissions: | |
| contents: read | |
| jobs: | |
| run-publish: | |
| name: Run publish | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| actions: write | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - name: Check out git repository | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
| - name: Set up Node.js | |
| uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4 | |
| with: | |
| node-version: lts/* | |
| registry-url: 'https://registry.npmjs.org' | |
| - name: Install pnpm | |
| uses: pnpm/action-setup@eae0cfeb286e66ffb5155f1a79b90583a127a68b # v2 | |
| with: | |
| version: latest | |
| - name: Get pnpm store directory | |
| shell: bash | |
| run: | | |
| echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV | |
| - name: Setup pnpm cache | |
| uses: actions/cache@2f8e54208210a422b2efd51efaa6bd6d7ca8920f # v3 | |
| with: | |
| path: ${{ env.STORE_PATH }} | |
| key: ${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }} | |
| restore-keys: | | |
| ${{ runner.os }}-pnpm-store- | |
| - name: Install dependencies | |
| run: pnpm install | |
| - name: Build | |
| run: pnpm build | |
| - name: Test | |
| run: pnpm test | |
| - name: Configure NPM authentication | |
| run: pnpm config set '//registry.npmjs.org/:_authToken' "${NODE_AUTH_TOKEN}" | |
| env: | |
| NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN_PADDLE_NODE_SDK}} | |
| - name: Check version and publish | |
| run: | | |
| PACKAGE_NAME=$(node -p "require('./package.json').name") | |
| CURRENT_VERSION=$(node -p "require('./package.json').version") | |
| # Check if version exists in npm registry | |
| if npm view "${PACKAGE_NAME}@${CURRENT_VERSION}" version &>/dev/null; then | |
| echo "Version $CURRENT_VERSION already published, skipping" | |
| exit 0 | |
| fi | |
| if [[ "$CURRENT_VERSION" =~ (rc) ]]; then | |
| pnpm publish --tag rc --access public | |
| else | |
| pnpm publish --access public | |
| fi |
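Review bot: The "Configure NPM authentication" step writes the secret's literal value into the runner's pnpm/npm config file via `pnpm config set '//registry.npmjs.org/:_authToken' "${NODE_AUTH_TOKEN}"`, where it persists on disk for the rest of the job, even though the `registry-url` given to setup-node already (as far as I can tell from that action's documented behaviour) writes an `.npmrc` entry that resolves `NODE_AUTH_TOKEN` from the environment at publish time. I would drop that step and instead scope the secret to the publish step alone with `env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_PADDLE_NODE_SDK }}` under "Check version and publish", so the token only ever exists as an environment variable of the one step that needs it. Two smaller points: `version: latest` for pnpm/action-setup leaves the package manager version floating while every action is otherwise SHA-pinned, and `egress-policy: audit` only records outbound calls from a job that holds a publish token, so consider pinning the pnpm version and moving to `egress-policy: block` with an allow-list once the audit output shows the expected endpoints. Also note that `npm view` returns non-zero for a transient registry failure as well as for a missing version, so the check at line 60 falls through to publishing on network errors; a comment such as `# npm view fails both when the version is absent and on registry errors` would make that trade-off explicit.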