
Commit 4a07e7a

ci(security): setup trusted publishing using oidc authentication
1 parent bc39af2 commit 4a07e7a


2 files changed

+16
-10
lines changed


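--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,18 +8,30 @@ on:
 permissions:
   id-token: write # Required for OIDC
   contents: read
-
 jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
 
+      # Setup Bun for installation, building, and testing
       - uses: oven-sh/setup-bun@v1
         with:
           bun-version: latest
 
+      # Setup Node.js only for npm publishing with OIDC until Bun adds support for it - https://github.com/oven-sh/bun/issues/15601
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      # Use Bun for everything except publishing
       - run: bun install
       - run: bun run build
       - run: bun test
-      - run: bun publish --access public
+
+      # Ensure npm 11.5.1 or later is installed
+      - name: Update npm
+        run: npm install -g npm@latest
+      # Use npm only for publishing with OIDC support
+      - run: npm publish --access public --provenance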
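Review bot: `npm install -g npm@latest` in the new `Update npm` step installs an unpinned npm into the one job that holds `id-token: write` and publishes the package, so the release toolchain floats with whatever the registry serves at run time. The comment above it only requires 11.5.1 or later, so pinning that exact version, `run: npm install -g npm@11.5.1`, keeps the release reproducible and makes any later bump a deliberate, reviewable change; the pre-existing `bun-version: latest` has the same property. The `on:` trigger block named in the hunk header lies outside the hunk, so whether this workflow fires on the tag pushed by ops/release.sh cannot be confirmed here. A comment next to `id-token: write`, e.g. `# npm trusted publisher must be registered against this workflow file`, would record the registry-side configuration this job depends on.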

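--- a/ops/release.sh
+++ b/ops/release.sh
@@ -24,10 +24,9 @@ echo "📄 Preview of release notes:"
 echo "----------------------------------------"
 echo "$CHANGELOG_BODY"
 echo "----------------------------------------"
-echo "📦 Current version: $CURRENT_VERSION"
 
 # --- Step 2: Prompt for new version ---
-read -p "🔖 Enter new version (e.g., 0.2.1): " NEW_VERSION
+read -p "🔖 Enter new version (previous: $CURRENT_VERSION): " NEW_VERSION
 
 if [[ -z "$NEW_VERSION" ]]; then
   echo "❌ Version is required. Aborting."
@@ -66,7 +65,7 @@ TAG="v$NEW_VERSION"
 
 # --- Step 6: Git Commit and push ---
 git add "$CHANGELOG_FILE" "$PACKAGE_JSON"
-git commit -m "build(release): v$NEW_VERSION"
+git commit -m "chore(release): v$NEW_VERSION"
 git tag -a "$TAG" -m "Release v$NEW_VERSION"
 git push origin main
 git push origin --tags
@@ -80,11 +79,6 @@ gh release create "$TAG" \
   --notes-file "$CHANGELOG_FILE" \
   --repo "$REPO_NAME"
 
-# --- Step 8: Publish to npm ---
-echo "📦 Publishing to npm..."
-#bunx npm publish --access public
-bun publish --access public
-
 echo "✅ Release v$NEW_VERSION complete!"
 echo "📄 Changelog: $CHANGELOG_FILE"
 echo "🔗 GitHub: https://github.com$(echo "$REPO_URL" | sed 's/.*github.com//')/releases/tag/$TAG"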
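Review bot: Deleting the Step 8 block leaves nothing in release.sh that says where npm publishing now happens, so a maintainer running the script will not know that the tag push is expected to hand off to `.github/workflows/publish.yml`. A one-line comment in place of the removed block, `# Publishing to npm is done by .github/workflows/publish.yml (OIDC trusted publishing), not by this script`, records that dependency. Whether that workflow actually triggers on the pushed tag is not visible in this commit and should be confirmed before the next release.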
