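name: Publish to npm
# Publishes @startvest/integrity-cli to npm with cryptographic provenance
# via GitHub OIDC.
#
# STATUS (2026-05): NPM PUBLISH IS NOT ACTIVE.
# Consumers install via git tag instead:
#   npx github:Startvest-LLC/startvest-integrity-cli#v1.4.0
# The integrity-md-action wraps that install. No npm consumer exists today.
#
# Reason for the hold: post-Shai-Hulud, npm requires interactive OTP for
# all token-based publishes regardless of token type (classic Automation,
# granular). The account uses a hardware security key (WebAuthn-only) which
# cannot generate OTP codes, so token-based publish is mechanically closed.
# Trusted publishing via OIDC is the only remaining viable path; revisit
# when a concrete npm consumer materializes or when npm policy stabilizes.
#
# To re-enable when ready:
#   1. Configure trusted publishing on npmjs.com for @startvest/integrity-cli
#      (Repository: Startvest-LLC/startvest-integrity-cli, Workflow: publish.yml).
#   2. Remove the `NODE_AUTH_TOKEN` line below — pure OIDC, no secret needed.
#   3. Restore the `push: tags:` trigger below.
#   4. Push a tag to trigger the first publish; the workflow will claim the
#      package name via OIDC.
#
# Current trigger: workflow_dispatch only. Tags do NOT trigger publish so
# tagging a release does not produce an automatic failed run.
#
# Hardening notes (review):
#   - Both actions below are referenced by a mutable tag (@v4). For a workflow
#     whose whole purpose is supply-chain hygiene, each `uses:` should be
#     pinned to a full commit SHA with the tag kept in a trailing comment and
#     the SHA bumped by Dependabot/Renovate. Not done in this edit because a
#     SHA must be copied from the upstream repo, never typed from memory.
#   - A non-dry run now refuses to publish unless the dispatched ref is the
#     tag `v<package.json version>`, so the provenance attestation always
#     points at a release tag and the published version cannot drift from it.
#   - The lifecycle-script gate also fails on `prepare` and the pack/publish
#     hooks: `prepare` runs on the `npx github:` install path consumers use,
#     and prepack/prepare/prepublishOnly/postpack run inside THIS job before
#     the tarball is sealed. Any build step belongs in a workflow step, not
#     in a lifecycle hook.
#   - Consider binding this workflow to a GitHub `environment:` with required
#     reviewers once publishing is live; workflow_dispatch can be run from
#     any ref by anyone with write access.
on:
  workflow_dispatch:
    inputs:
      dry_run:
        description: 'Dry run (npm pack only, no publish)'
        type: boolean
        default: true

# Listing any scope here sets every unlisted scope to none, so the
# GITHUB_TOKEN for this run can read the repo and mint an OIDC token and
# nothing else.
permissions:
  # OIDC token for npm provenance. Without this, --provenance fails.
  id-token: write
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        # TODO(security): pin to a full commit SHA:
        #   uses: actions/checkout@<full-sha>  # v4
        uses: actions/checkout@v4
        with:
          # Nothing in this job pushes to git, so do not leave GITHUB_TOKEN
          # in .git/config where `npm test` or a lifecycle script could
          # read it.
          persist-credentials: false
      - name: Set up Node
        # TODO(security): pin to a full commit SHA as for checkout.
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          # registry-url makes setup-node write an .npmrc that resolves the
          # token from $NODE_AUTH_TOKEN at run time, so the secret only has
          # to exist in the environment of the one step that sets it.
          registry-url: 'https://registry.npmjs.org'
        # Cache disabled — this package has no dependencies, and caching
        # node_modules during the Shai-Hulud window is exactly the kind of
        # supply-chain footgun we are trying to avoid.
      - name: Verify package shape
        run: |
          echo "=== package.json (sanity) ==="
          node -e "const p=require('./package.json'); console.log(JSON.stringify({name:p.name,version:p.version,license:p.license,deps:Object.keys(p.dependencies||{}).length,devDeps:Object.keys(p.devDependencies||{}).length},null,2))"
          echo ""
          echo "=== npm pack --dry-run (what will ship) ==="
          npm pack --dry-run
          echo ""
          echo "=== Scripts (publish-time risk surface) ==="
          node -e "const s=require('./package.json').scripts||{}; for (const k of Object.keys(s)) console.log(' '+k+': '+s[k]);"
          echo ""
          # Fail loud if any lifecycle hook appeared that runs code on the
          # consumer's machine or inside this job:
          #   preinstall / install / postinstall — every consumer install
          #     (the hooks Shai-Hulud abuses);
          #   prepare — also runs on git installs (the `npx github:` path
          #     consumers use today) and at npm pack / npm publish;
          #   prepublish / prepublishOnly / prepack / postpack — run in this
          #     runner around tarball creation and could tamper with what
          #     gets attested and shipped.
          node -e "const s=require('./package.json').scripts||{}; const bad=['preinstall','install','postinstall','prepare','prepublish','prepublishOnly','prepack','postpack'].filter(k=>s[k]); if(bad.length){console.error('FAIL: dangerous lifecycle scripts:',bad);process.exit(1)}"
      - name: Run tests
        run: npm test
      - name: Dry run only
        if: ${{ inputs.dry_run == true }}
        run: |
          echo "Dry run requested — skipping publish."
          npm pack
          ls -la *.tgz
      - name: Require a matching release tag
        # A real publish must come from the tag named after the version in
        # package.json (same `v1.4.0` convention consumers install by), so the
        # provenance attestation and the git tag agree. Fail loudly rather
        # than silently skipping, so a dispatch from a branch is noticed.
        if: ${{ inputs.dry_run != true }}
        run: |
          v=$(node -p "require('./package.json').version")
          if [ "${GITHUB_REF}" != "refs/tags/v${v}" ]; then
            echo "::error::Refusing to publish: ref '${GITHUB_REF}' is not the release tag 'refs/tags/v${v}' for package.json version ${v}." >&2
            exit 1
          fi
      - name: Publish
        if: ${{ inputs.dry_run != true }}
        env:
          # Scoped to this step only. Remove once npm trusted publishing is
          # configured (see header, step 2) — OIDC then needs no secret.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          # --provenance attaches a Sigstore attestation linking this tarball
          # to this repo + commit + workflow run. --access public is needed
          # because @startvest/* is a scoped package (default is private for
          # scoped packages on free npm plans).
          npm publish --provenance --access public
      - name: Print published version
        if: ${{ inputs.dry_run != true }}
        run: |
          v=$(node -p "require('./package.json').version")
          echo "Published @startvest/integrity-cli@$v"
          echo "https://www.npmjs.com/package/@startvest/integrity-cli/v/$v"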