feat: add semantic-release automation

SamuelSSalazar · SamuelSSalazar · commit 0b2a04be134e · 2026-03-04T12:42:06.000-05:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -32,8 +32,29 @@ jobs:
       - name: Install dependencies
         run: npm install
 
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+        with:
+          python-version: "3.10"
+
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+        with:
+          role-to-assume: ${{ secrets.PRODSEC_TOOLS_ARN }}
+          aws-region: us-east-1
+          mask-aws-account-id: true
+
+      - name: Install rl-wrapper
+        env:
+          WRAPPER_INDEX_URL: "https://${{ secrets.PRODSEC_TOOLS_USER }}:${{ secrets.PRODSEC_TOOLS_TOKEN }}@a0us.jfrog.io/artifactory/api/pypi/python-local/simple"
+        run: pip install "rl-wrapper>=1.0.0" --index-url $WRAPPER_INDEX_URL
+
       - name: Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_CONFIG_PROVENANCE: true
+          RLSECURE_LICENSE: ${{ secrets.RLSECURE_LICENSE }}
+          RLSECURE_SITE_KEY: ${{ secrets.RLSECURE_SITE_KEY }}
+          SIGNAL_HANDLER_TOKEN: ${{ secrets.SIGNAL_HANDLER_TOKEN }}
+          PYTHONUNBUFFERED: 1
         run: npx semantic-release
diff --git a/.github/workflows/sca-scan.yml b/.github/workflows/sca-scan.yml
@@ -0,0 +1,10 @@
+name: Snyk Scan
+
+on:
+  push:
+    branches: ["master"]
+
+jobs:
+  snyk-cli:
+    uses: auth0/devsecops-tooling/.github/workflows/sca-scan.yml@5246a8b59100e3eea284ce4f2e2a51b51e237380
+    secrets: inherit
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
diff --git a/.releaserc.json b/.releaserc.json
@@ -15,7 +15,8 @@
     [
       "@semantic-release/exec",
       {
-        "prepareCmd": "git diff --exit-code -- package.json"
+        "verifyReleaseCmd": "ARTIFACT=$(npm pack --ignore-scripts | tail -1) && rl-wrapper --artifact \"$ARTIFACT\" --name node-saml --version ${nextRelease.version} --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --build-env github_actions --suppress_output",
+        "prepareCmd": "git diff --exit-code"
       }
     ],
     "@semantic-release/github"

Original file line number	Diff line number	Diff line change
`@@ -15,7 +15,8 @@`
`15`	`15`	`[`
`16`	`16`	`"@semantic-release/exec",`
`17`	`17`	`{`
`18`		`- "prepareCmd": "git diff --exit-code -- package.json"`
	`18`	`+ "verifyReleaseCmd": "ARTIFACT=$(npm pack --ignore-scripts \| tail -1) && rl-wrapper --artifact \"$ARTIFACT\" --name node-saml --version ${nextRelease.version} --repository $GITHUB_REPOSITORY --commit $GITHUB_SHA --build-env github_actions --suppress_output",`
	`19`	`+ "prepareCmd": "git diff --exit-code"`
`19`	`20`	`}`
`20`	`21`	`],`
`21`	`22`	`"@semantic-release/github"`