Harden publish #1227
Harden publish #1227
Conversation
|
|
||
| runs: | ||
| using: composite | ||
| steps: |
There was a problem hiding this comment.
these steps are required in all of our jobs, this makes it easier to update and reduced code duplication
| with: | ||
| # This expects you to have a script called release which does a build for your packages and calls changeset publish | ||
| publish: pnpm release | ||
| publish: pnpm exec changeset tag #only create git tag, publish to registry happens later |
There was a problem hiding this comment.
this is a bit of a trick. Instead of calling changeset publish we only call changeset tag.
That leads to the action creating the git tag and github release
It still outputs them as "publishedPackages" but they are tagged only and publish is going to happen in the next job
| github.com:443 | ||
| release-assets.githubusercontent.com:443 | ||
| registry.npmjs.org:443 | ||
| *.sigstore.dev:443 |
There was a problem hiding this comment.
this extra endpoint is required for oidc publish
| permissions: | ||
| contents: read | ||
| id-token: write | ||
| environment: release |
There was a problem hiding this comment.
this is a github environment that has to be set up in the repo settings. It must have at least a branch restriction to all branches that allow publishing, in vite-plugin-sveltes case that is main and v5.
| TAG=latest | ||
| fi | ||
| if [[ "$GIT_STATUS" != "" ]]; then |
There was a problem hiding this comment.
ensure that git state is still clean.This would only fail if an action used by this job or the runner itself was compromised, but better safe than sorry.
dominikg
force-pushed
the
harden-publish
branch
from
e102191 to
fa6eb8c
Compare
releasethat prevents this job from executing on other branches