Skip to content

Commit

Permalink
ci: enable pipeline publishing
Browse files Browse the repository at this point in the history
Signed-off-by: Rifa Achrinza <[email protected]>
  • Loading branch information
achrinza committed Nov 6, 2024
1 parent f935f15 commit 9b50181
Show file tree
Hide file tree
Showing 6 changed files with 1,196 additions and 545 deletions.
11 changes: 11 additions & 0 deletions .editorconfig
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# SPDX-License-Identifier: FSFAP
# SPDX-FileCopyrightText: Copyright (c) 2024 Rifa Achrinza
root = true

[*]
end_of_line = lf
insert_final_newline = true
charset = utf-8
indent_style = space
indent_size = 2
max_line_length = 80
70 changes: 70 additions & 0 deletions .github/workflows/cd.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,70 @@
name: CD

on:
push:
workflow_dispatch:

permissions: {}

jobs:
test:
name: Test
uses: ./.github/workflows/ci.yaml
build:
name: Build
needs: [test]
permissions:
id-token: write
contents: read
actions: read
# Do not pin to hash
# See: https://github.com/slsa-framework/slsa-verifier/issues/12
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
with:
node-version: 22
run-scripts: ci, test
publish:
name: Publish
runs-on: ubuntu-24.04
needs: [build]
permissions:
contents: read
id-token: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
egress-policy: audit
- name: Download Tarball
uses: slsa-framework/slsa-github-generator/actions/nodejs/[email protected]
with:
name: ${{ needs.build.outputs.package-download-name }}
path: ${{ needs.build.outputs.package-name }}
sha256: ${{ needs.build.outputs.package-download-sha256 }}
- name: Download Provenance
uses: slsa-framework/slsa-github-generator/actions/nodejs/[email protected]
with:
name: ${{ needs.build.outputs.provenance-download-name }}
path: attestations
sha256: ${{ needs.build.outputs.provenance-download-sha256 }}
- name: Publish Dry-Run
env:
TARBALL_PATH: ${{ needs.build.outputs.package-name }}
run: npm publish --dry-run "$TARBALL_PATH"
- name: Request for NPM 2FA Code
uses: step-security/wait-for-secrets@5809f7d044804a5a1d43217fa8f3e855939fc9ef # v1.2.0
with:
secrets: |
npm-otp:
name: NPM Registry OTP
description: NPM Registry TOTP code for `achrinza-bot` NPM account
- name: Publish Package
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
TARBALL_PATH: ${{ needs.build.outputs.package-name }}
PROVENANCE_PATH: ./attestations/${{ needs.build.outputs.provenance-name }}
run: |
npm publish \
--access=public \
--provenance-file="$PROVENANCE_PATH" \
"$TARBALL_PATH"
84 changes: 54 additions & 30 deletions .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,10 @@ name: CI

on:
push:
branches: [ v9 ]
branches: [v9]
pull_request:
branches: [ v9 ]
branches: [v9]
workflow_call:

jobs:
test:
Expand All @@ -15,9 +16,9 @@ jobs:
fail-fast: false
matrix:
os:
- ubuntu-latest
- ubuntu-24.04
- macos-13
- windows-latest
- windows-2022
node-version:
- 8
- 9
Expand All @@ -34,38 +35,61 @@ jobs:
- 20
- 21
- 22
- 23
steps:
- uses: actions/checkout@v2
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v1
with:
node-version: ${{ matrix.node-version }}
- name: Install Dependencies
if: matrix.node-version != 9
run: npm ci --ignore-scripts
- name: Install Dependencies (Node.js v9)
if: matrix.node-version == 9
run: npm install
- name: Run Tests
if: matrix.os != 'windows-latest'
run: npm test
- name: Run Tests (Windows)
if: matrix.os == 'windows-latest'
run: npm run-script test-windows
- name: Publish Coverage
if: matrix.os == 'ubuntu-latest' && matrix.node-version == 16 # LTS
uses: coverallsapp/github-action@9ba913c152ae4be1327bfb9085dc806cedb44057
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
nodejs.org:443
objects.githubusercontent.com:443
registry.npmjs.org:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: ${{ matrix.node-version }}
- name: Install Dependencies
if: matrix.node-version != 9
run: npm ci --ignore-scripts
- name: Install Dependencies (Node.js v9)
if: matrix.node-version == 9
run: npm install
- name: Run Tests
if: startsWith(matrix.os, 'windows-')
run: npm test --ignore-scripts
- name: Run Tests (Windows)
if: startsWith(matrix.os, 'windows-')
shell: cmd
run: npm run --ignore-scripts test-windows
- name: Publish Coverage
if: startsWith(matrix.os, 'ubuntu-') && matrix.node-version == 22 # LTS
uses: coverallsapp/github-action@9ba913c152ae4be1327bfb9085dc806cedb44057
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
code-lint:
name: Code Lint
runs-on: ubuntu-latest
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@v2
- name: Harden Runner
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
registry.npmjs.org:443
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Use Node.js 16
uses: actions/setup-node@v1
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: 16 # LTS
node-version: 22 # LTS
- name: Install Dependencies
run: npm ci --ignore-scripts
- name: Lockfile Lint
Expand Down
7 changes: 6 additions & 1 deletion .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,9 @@
/nbproject
npm-debug.log
node-ipc.cjs
/spec/coverage/
/coverage/

# Code editors
\#*#
.#*
*~
Loading

0 comments on commit 9b50181

Please sign in to comment.