build: modifying publish action to use npm cli to include provenance in npm publish (#319)

**Requirements**

- [ ] I have added test coverage for new or changed functionality
- [ ] I have followed the repository's [pull request submission
guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests)
- [ ] I have validated my changes against all supported platform
versions

**Related issues**

**Describe the solution you've provided**

Yarn publish doesn't currently support NPM's publish package with
provenance functionality. As a workaround until this is supported, we'll
pack the workspace with yarn in order to guarantee we get the same
package as before, and then use the npm cli to do the final publish with
provenance. This also involves passing the workspace path as input
parameters to the publish actions/script as npm's workspace
functionality doesn't work exactly the same as yarn's.

While npm's generated provenance isn't the most robust provenance
attestation, it results in a verified checkmark on the npm package page,
which brings the provenance closest to the consumer and makes it most
useful.

**Describe alternatives you've considered**

Ideally we'd want yarn to support this natively, but tracking the yarn
repo issues for the past couple months has shown no movement here.

**Additional context**

Add any other context about the pull request here.
rsoberano-ld authored Dec 7, 2023
2 parents d975526 + a8e5337 commit 78aac46
Showing 6 changed files with 61 additions and 3 deletions.
4 changes: 4 additions & 0 deletions .github/workflows/manual-publish.yml
Expand Up @@ -41,6 +41,9 @@ jobs:
with:
node-version: 16.x
registry-url: 'https://registry.npmjs.org'
- uses: ./actions/install-npm-version
with:
npm_version: 9.5.0
- name: 'Setup Redis'
if: ${{ inputs.workspace_path == 'packages/store/node-server-sdk-redis' }}
run: |
Expand Down Expand Up @@ -80,5 +83,6 @@ jobs:
uses: ./actions/publish
with:
workspace_name: ${{ env.WORKSPACE_NAME }}
workspace_path: ${{ inputs.workspace_path }}
prerelease: ${{ inputs.prerelease }}
dry_run: ${{ inputs.dry_run }}
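Review bot: `npm publish --provenance` on GitHub Actions needs an OIDC token, so the job that reaches this `./actions/publish` step must declare `permissions: id-token: write`, and neither hunk in this file adds it. If the job does not already grant it, add it at job level. A run with `dry_run: true` will not surface a missing permission, because the dry-run branch of scripts/publish.sh never calls `npm publish`.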
33 changes: 33 additions & 0 deletions .github/workflows/release-please.yml
Expand Up @@ -40,6 +40,9 @@ jobs:
with:
node-version: 16.x
registry-url: 'https://registry.npmjs.org'
- uses: ./actions/install-npm-version
with:
npm_version: 9.5.0
- id: release-common
name: Full release of packages/shared/common
uses: ./actions/full-release
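Review bot: the `npm_version: 9.5.0` pin in this step is repeated verbatim in every job hunk of this file (eleven copies, plus one in manual-publish.yml), so a future npm bump has to touch twelve places and can easily miss one. Consider a workflow-level `env` value, or making 9.5.0 the `default` of actions/install-npm-version so the call sites can omit the input.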
Expand All @@ -60,6 +63,9 @@ jobs:
with:
node-version: 16.x
registry-url: 'https://registry.npmjs.org'
- uses: ./actions/install-npm-version
with:
npm_version: 9.5.0
- id: release-common
name: Full release of packages/shared/sdk-server
uses: ./actions/full-release
Expand All @@ -80,6 +86,9 @@ jobs:
with:
node-version: 16.x
registry-url: 'https://registry.npmjs.org'
- uses: ./actions/install-npm-version
with:
npm_version: 9.5.0
- id: release-common
name: Full release of packages/shared/sdk-server-edge
uses: ./actions/full-release
Expand All @@ -100,6 +109,9 @@ jobs:
with:
node-version: 16.x
registry-url: 'https://registry.npmjs.org'
- uses: ./actions/install-npm-version
with:
npm_version: 9.5.0
- id: release-common
name: Full release of packages/shared/akamai-edgeworker-sdk
uses: ./actions/full-release
Expand All @@ -120,6 +132,9 @@ jobs:
with:
node-version: 16.x
registry-url: 'https://registry.npmjs.org'
- uses: ./actions/install-npm-version
with:
npm_version: 9.5.0
- id: release-common
name: Full release of packages/sdk/cloudflare
uses: ./actions/full-release
Expand All @@ -140,6 +155,9 @@ jobs:
with:
node-version: 16.x
registry-url: 'https://registry.npmjs.org'
- uses: ./actions/install-npm-version
with:
npm_version: 9.5.0
- id: release-common
name: Full release of packages/sdk/server-node
uses: ./actions/full-release
Expand All @@ -160,6 +178,9 @@ jobs:
with:
node-version: 16.x
registry-url: 'https://registry.npmjs.org'
- uses: ./actions/install-npm-version
with:
npm_version: 9.5.0
- id: release-common
name: Full release of packages/sdk/vercel
uses: ./actions/full-release
Expand All @@ -180,6 +201,9 @@ jobs:
with:
node-version: 16.x
registry-url: 'https://registry.npmjs.org'
- uses: ./actions/install-npm-version
with:
npm_version: 9.5.0
- id: release-common
name: Full release of packages/sdk/akamai-base
uses: ./actions/full-release
Expand All @@ -200,6 +224,9 @@ jobs:
with:
node-version: 16.x
registry-url: 'https://registry.npmjs.org'
- uses: ./actions/install-npm-version
with:
npm_version: 9.5.0
- id: release-common
name: Full release of packages/sdk/akamai-edgekv
uses: ./actions/full-release
Expand All @@ -220,6 +247,9 @@ jobs:
with:
node-version: 16.x
registry-url: 'https://registry.npmjs.org'
- uses: ./actions/install-npm-version
with:
npm_version: 9.5.0
- run: |
sudo apt-get update
sudo apt-get install redis-server
Expand All @@ -244,6 +274,9 @@ jobs:
with:
node-version: 16.x
registry-url: 'https://registry.npmjs.org'
- uses: ./actions/install-npm-version
with:
npm_version: 9.5.0
- run: |
sudo docker run -d -p 8000:8000 amazon/dynamodb-local
- id: release-common
1 change: 1 addition & 0 deletions actions/full-release/action.yml
Expand Up @@ -34,6 +34,7 @@ runs:
- uses: ./actions/publish
with:
workspace_name: ${{ env.WORKSPACE_NAME }}
workspace_path: ${{ inputs.workspace_path }}
prerelease: false
dry_run: false
- uses: ./actions/publish-docs
16 changes: 16 additions & 0 deletions actions/install-npm-version/action.yml
@@ -0,0 +1,16 @@
name: Install npm version
# Used to specify a version of npm that supports --provenance (for node installs < 18.X)
description: Install the latest version of the npm CLI utility.
inputs:
npm_version:
description: 'The version of npm to install'
required: false
default: latest

runs:
using: composite
steps:
- name: 'Install specified npm version'
shell: bash
run: |
npm install -g npm@${{ inputs.npm_version }}
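Review bot: in the `run:` line, `${{ inputs.npm_version }}` is expanded into the script text before bash sees it, so the input value is treated as shell source rather than data. Pass it through `env:` (for example `NPM_VERSION: ${{ inputs.npm_version }}`) and run `npm install -g "npm@${NPM_VERSION}"`. Two smaller points: the `description` says the action installs the latest npm although the version is an input, and `default: latest` means a caller that omits the input publishes with an unpinned npm; a pinned default would be safer on a release path.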
4 changes: 4 additions & 0 deletions actions/publish/action.yml
Expand Up @@ -4,6 +4,9 @@ inputs:
workspace_name:
description: 'The workspace to publish'
required: true
workspace_path:
description: 'Path to the workspace (for npm publish)'
required: true
prerelease:
description: 'Is this a prerelease. If so, then the latest tag will not be updated in npm.'
required: true
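Review bot: `required: true` on the new `workspace_path` input is not enforced by the runner, so a caller that omits it gets an empty `WORKSPACE_PATH` and scripts/publish.sh would try to publish `.//package.tgz`. Add a guard in the script that fails early when the variable is empty or the tarball is missing, for example `[ -f "./$WORKSPACE_PATH/package.tgz" ] || exit 1` before the `npm publish` lines.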
Expand All @@ -21,5 +24,6 @@ runs:
./scripts/publish.sh
env:
WORKSPACE: ${{ inputs.workspace_name }}
WORKSPACE_PATH: ${{ inputs.workspace_path }}
LD_RELEASE_IS_PRERELEASE: ${{ inputs.prerelease }}
LD_RELEASE_IS_DRYRUN: ${{ inputs.dry_run }}
6 changes: 3 additions & 3 deletions scripts/publish.sh
@@ -1,13 +1,13 @@
#!/usr/bin/env bash
yarn workspace $WORKSPACE pack
if $LD_RELEASE_IS_DRYRUN ; then
# Dry run just pack the workspace.
echo "Doing a dry run of publishing."
yarn workspace $WORKSPACE pack
else
if $LD_RELEASE_IS_PRERELEASE ; then
echo "Publishing with prerelease tag."
yarn workspace $WORKSPACE npm publish --tag prerelease || { echo "npm publish failed" >&2; exit 1; }
npm publish --tag prerelease --provenance --access public "./$WORKSPACE_PATH/package.tgz" || { echo "npm publish failed" >&2; exit 1; }
else
yarn workspace $WORKSPACE npm publish || { echo "npm publish failed" >&2; exit 1; }
npm publish --provenance --access public "./$WORKSPACE_PATH/package.tgz" || { echo "npm publish failed" >&2; exit 1; }
fi
fi
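Review bot: the `yarn workspace $WORKSPACE pack` call that now runs first has no failure check, unlike the two `npm publish` lines, so if packing fails the script carries on and the release branches try to publish whatever `package.tgz` is (or is not) at `./$WORKSPACE_PATH`. Add `|| { echo "yarn pack failed" >&2; exit 1; }` to that line or `set -euo pipefail` at the top of the script, and quote `"$WORKSPACE"`. `--access public` is also new in both publish lines; a comment saying it is intended for every workspace would help the next reader.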
