-
Notifications
You must be signed in to change notification settings - Fork 23
113 lines (92 loc) · 4.31 KB
/
nodejs.yml
File metadata and controls
113 lines (92 loc) · 4.31 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node
# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
name: CI
on:
push:
branches: [master, alpha, beta]
pull_request:
branches: [master]
permissions:
id-token: write # Required for OIDC
jobs:
lint-build-test:
name: Lint, Build, Test - Node ${{ matrix.node-version }} on ${{ matrix.os }}
runs-on: ${{ matrix.os }}
strategy:
matrix:
node-version:
- 20.x
- 22.x
- 24.x
os:
- ubuntu-latest
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: ${{ matrix.node-version }}
cache: 'yarn'
- run: yarn install --frozen-lockfile
- run: yarn build:ci
- run: yarn test:ci
- uses: codecov/codecov-action@b9fd7d16f6d7d1b5d2bec1a2887e65ceed900238 # v4.6.0
release:
name: Release
needs: lint-build-test # previous job MUST pass to make a release!
runs-on: ubuntu-latest
# Skip running release workflow on forks
if: github.repository_owner == 'salesforce' && github.event_name == 'push'
permissions:
contents: write # to be able to publish a GitHub release
issues: write # to be able to comment on released issues
pull-requests: write # to be able to comment on released pull requests
id-token: write # Required for npm provenance
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0 # Need all git history & tags to determine next release version.
persist-credentials: false
- name: Use Node.js 20.x
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: 20.x
cache: 'yarn'
registry-url: 'https://registry.npmjs.org'
- run: yarn install --frozen-lockfile
- run: yarn build
- name: Get npm token via OIDC
id: npm-oidc
run: |
set -e
# Get GitHub OIDC token
echo "Requesting GitHub OIDC token..."
OIDC_RESPONSE=$(curl -sS -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
"${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npm:registry.npmjs.org")
OIDC_TOKEN=$(echo "$OIDC_RESPONSE" | jq -r '.value')
if [ -z "$OIDC_TOKEN" ] || [ "$OIDC_TOKEN" = "null" ]; then
echo "::error::Failed to get GitHub OIDC token"
echo "Response: $OIDC_RESPONSE"
exit 1
fi
echo "✓ Got GitHub OIDC token"
# Exchange for npm token
echo "Exchanging for npm token..."
NPM_RESPONSE=$(curl -sS -X POST "https://registry.npmjs.org/-/npm/v1/oidc/token" \
-H "Content-Type: application/json" \
-d "{\"oidcToken\": \"${OIDC_TOKEN}\"}")
NPM_TOKEN=$(echo "$NPM_RESPONSE" | jq -r '.token')
if [ -z "$NPM_TOKEN" ] || [ "$NPM_TOKEN" = "null" ]; then
echo "::error::Failed to get npm token"
echo "Response: $NPM_RESPONSE"
exit 1
fi
echo "✓ Got npm token via OIDC"
# Configure authentication
echo "::add-mask::${NPM_TOKEN}"
echo "NODE_AUTH_TOKEN=${NPM_TOKEN}" >> $GITHUB_ENV
# Verify
npm whoami --registry https://registry.npmjs.org && echo "✓ Authenticated to npm"
- run: yarn run semantic-release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}