ci: enable pipeline publishing

achrinza · achrinza · commit 78a95641d3ab · 2024-11-06T17:45:40.000+08:00
Signed-off-by: Rifa Achrinza &lt;25147899+achrinza@users.noreply.github.com&gt;
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,11 @@
+# SPDX-License-Identifier: FSFAP
+# SPDX-FileCopyrightText: Copyright (c) 2024 Rifa Achrinza
+root = true
+
+[*]
+end_of_line = lf
+insert_final_newline = true
+charset = utf-8
+indent_style = space
+indent_size = 2
+max_line_length = 80
diff --git a/.github/workflows/cd.yaml b/.github/workflows/cd.yaml
@@ -0,0 +1,70 @@
+name: CD
+
+on:
+  push:
+  workflow_dispatch:
+  
+permissions: {}
+
+jobs:
+  test:
+    name: Test
+    uses: ./.github/workflows/ci.yaml
+  build:
+    name: Build
+    needs: test
+    permissions:
+      id-token: write
+      contents: read
+      actions: read
+    # Do not pin to hash
+    # See: https://github.com/slsa-framework/slsa-verifier/issues/12
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@v2.0.0
+    with:
+      node-version: 22
+      run-scripts: ci, test
+  publish:
+    name: Publish
+    runs-on: ubuntu-24.04
+    needs: [build]
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          egress-policy: audit
+      - name: Download Tarball
+        uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-package-download@v2.0.0
+        with:
+          name: ${{ needs.build.outputs.package-download-name }}
+          path: ${{ needs.build.outputs.package-name }}
+          sha256: ${{ needs.build.outputs.package-download-sha256 }}
+      - name: Download Provenance
+        uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@v2.0.0
+        with:
+          name: ${{ needs.build.outputs.provenance-download-name }}
+          path: attestations
+          sha256: ${{ needs.build.outputs.provenance-download-sha256 }}
+      - name: Publish Dry-Run
+        env:
+          TARBALL_PATH: ${{ needs.build.outputs.package-name }}
+        run: npm publish --dry-run "$TARBALL_PATH"
+      - name: Request for NPM 2FA Code
+        uses: step-security/wait-for-secrets@5809f7d044804a5a1d43217fa8f3e855939fc9ef # v1.2.0
+        with:
+          secrets: |
+            npm-otp:
+              name: NPM Registry OTP
+              description: NPM Registry TOTP code for `achrinza-bot` NPM account
+      - name: Publish Package
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          TARBALL_PATH: ${{ needs.build.outputs.package-name }}
+          PROVENANCE_PATH: ./attestations/${{ needs.build.outputs.provenance-name }}
+        run: |
+          npm publish \
+            --access=public \
+            --provenance-file="$PROVENANCE_PATH" \
+            "$TARBALL_PATH"
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -2,9 +2,10 @@ name: CI
 
 on:
   push:
-    branches: [ v9 ]
+    branches: [v9]
   pull_request:
-    branches: [ v9 ]
+    branches: [v9]
+  workflow_call:
 
 jobs:
   test:
@@ -15,9 +16,9 @@ jobs:
       fail-fast: false
       matrix:
         os:
-          - ubuntu-latest
+          - ubuntu-24.04
           - macos-13
-          - windows-latest
+          - windows-2022
         node-version:
           - 8
           - 9
@@ -34,38 +35,76 @@ jobs:
           - 20
           - 21
           - 22
+          - 23
     steps:
-    - uses: actions/checkout@v2
-    - name: Use Node.js ${{ matrix.node-version }}
-      uses: actions/setup-node@v1
-      with:
-        node-version: ${{ matrix.node-version }}
-    - name: Install Dependencies
-      if: matrix.node-version != 9
-      run: npm ci --ignore-scripts
-    - name: Install Dependencies (Node.js v9)
-      if: matrix.node-version == 9
-      run: npm install
-    - name: Run Tests
-      if: matrix.os != 'windows-latest'
-      run: npm test
-    - name: Run Tests (Windows)
-      if: matrix.os == 'windows-latest'
-      run: npm run-script test-windows
-    - name: Publish Coverage
-      if: matrix.os == 'ubuntu-latest' && matrix.node-version == 16 # LTS
-      uses: coverallsapp/github-action@9ba913c152ae4be1327bfb9085dc806cedb44057
-      with:
-        github-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            coveralls.io:443
+            github.com:443
+            nodejs.org:443
+            objects.githubusercontent.com:443
+            registry.npmjs.org:443
+      - name: Checkout Repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          node-version: ${{ matrix.node-version }}
+      - name: Install Dependencies
+        if: matrix.node-version != 9
+        run: npm ci --ignore-scripts
+      - name: Install Dependencies (Node.js v9)
+        if: matrix.node-version == 9
+        run: npm install
+      - name: Run Tests
+        if: ${{ ! startsWith(matrix.os, 'windows-') }}
+        run: npm test
+      - name: Run Tests (Windows)
+        if: startsWith(matrix.os, 'windows-')
+        shell: cmd
+        run: npm run test-windows
+      - name: Publish Coverage
+        if: github.event != 'workflow_dispatch'
+        uses: coverallsapp/github-action@cfd0633edbd2411b532b808ba7a8b5e04f76d2c8 # v2.3.4
+        with:
+          flag-name: run-${{ matrix.os }}-node@${{ matrix.node-version }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          parallel: true
+  post-test:
+    name: Post-Test
+    needs: test
+    if: ${{ (github.event != 'workflow_dispatch') && success() }}
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Coveralls Finished
+        uses: coverallsapp/github-action@cfd0633edbd2411b532b808ba7a8b5e04f76d2c8 # v2.3.4
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          parallel-finished: true
   code-lint:
     name: Code Lint
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
-      - uses: actions/checkout@v2
+      - name: Harden Runner
+        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            registry.npmjs.org:443
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Use Node.js 16
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
-          node-version: 16 # LTS
+          node-version: 22 # LTS
       - name: Install Dependencies
         run: npm ci --ignore-scripts
       - name: Lockfile Lint
diff --git a/.gitignore b/.gitignore
@@ -3,4 +3,9 @@
 /nbproject
 npm-debug.log
 node-ipc.cjs
-/spec/coverage/
+/coverage/
+
+# Code editors
+\#*#
+.#*
+*~
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
