
Update @socketsecurity/lib to v5.10.0 and adapt to new API #583


Workflow file for this run

name: 📦 Publish

Check failure on line 1 in .github/workflows/provenance.yml


GitHub Actions / .github/workflows/provenance.yml

Invalid workflow file

(Line: 30, Col: 3): Unexpected value 'BUILD_MODE'
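# Runs for the same ref share one concurrency group, and a run that is
# already in progress is never cancelled by a newer one.
concurrency:
  group: publish-${{ github.ref }}
  cancel-in-progress: false

# Manual trigger only. Every input is a boolean defaulting to true, so an
# unmodified dispatch selects all packages but stays a dry run.
on:
  workflow_dispatch:
    inputs:
      dry-run:
        description: 'Dry run (build only)'
        type: boolean
        default: true
      cli:
        description: '@socketsecurity/cli'
        type: boolean
        default: true
      cli-sentry:
        description: '@socketsecurity/cli-with-sentry'
        type: boolean
        default: true
      socket:
        description: 'socket (+ 8 bins)'
        type: boolean
        default: true

# Workflow-level default for GITHUB_TOKEN: read-only repository contents.
# Each job below restates its own permissions.
permissions:
  contents: read

# BUILD_MODE is an environment variable, not a permission scope. Nested under
# `permissions` it is an unexpected key and the workflow file is rejected, so
# it gets its own top-level `env` mapping.
env:
  BUILD_MODE: prod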
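jobs:
  # Build CLI bundle once (platform-agnostic JS) and generate platform matrix.
  # Runs only when the `socket` input is set; the matrix it emits drives the
  # per-platform binary builds.
  build-cli:
    if: ${{ inputs.socket }}
    name: Build CLI bundle
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      matrix: ${{ steps.matrix.outputs.matrix }}
    steps:
      # NOTE(review): the actions/* steps in this job are pinned to a mutable
      # tag, while pnpm/action-setup is pinned to a full commit SHA. The bundle
      # built here is what gets published, so pin these to SHAs as well.
      - uses: actions/checkout@v4
        with:
          # Do not leave the checkout token in .git/config for later steps.
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version-file: .node-version
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
      # --frozen-lockfile fails the install instead of rewriting the lockfile.
      - run: pnpm install --frozen-lockfile
      - name: Build CLI
        run: pnpm --filter @socketsecurity/cli run build
      - name: Generate platform matrix
        id: matrix
        # Assumes the script prints the matrix as single-line JSON: the
        # `name=value` output form cannot carry a multi-line value.
        # TODO confirm against scripts/get-platform-matrix.mjs.
        run: |
          MATRIX=$(node scripts/get-platform-matrix.mjs)
          echo "matrix=$MATRIX" >> "$GITHUB_OUTPUT"
      - name: Upload CLI bundle
        uses: actions/upload-artifact@v4
        with:
          name: cli-bundle
          path: packages/cli/build/cli.js
          # Short-lived: only the later jobs of this run consume it.
          retention-days: 1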
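# Build SEA binaries for all platforms (only if publishing binaries).
# One matrix leg per entry of the JSON matrix emitted by build-cli.
  build-binaries:
    if: ${{ inputs.socket }}
    needs: [build-cli]
    name: Build ${{ matrix.releasePlatform }}-${{ matrix.arch }}${{ matrix.libc && '-musl' || '' }}
    runs-on: ${{ matrix.runner }}
    permissions:
      contents: read
    strategy:
      # A failing platform does not cancel the other legs.
      fail-fast: false
      matrix: ${{ fromJson(needs.build-cli.outputs.matrix) }}
    steps:
      # NOTE(review): the actions/* steps in this job are pinned to a mutable
      # tag, while pnpm/action-setup is pinned to a full commit SHA. These
      # binaries are what gets published, so pin them to SHAs as well.
      - uses: actions/checkout@v4
        with:
          # Do not leave the checkout token in .git/config for later steps.
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version-file: .node-version
          registry-url: 'https://registry.npmjs.org'
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
      - run: pnpm install --frozen-lockfile
      - name: Download CLI bundle
        uses: actions/download-artifact@v4
        with:
          name: cli-bundle
          path: packages/cli/build
      - name: Build SEA binary
        shell: bash
        # Matrix values are handed to the script as environment variables
        # rather than expanded into the script text by ${{ }}, so the shell
        # treats their content as data and never parses it as code.
        env:
          MATRIX_PLATFORM: ${{ matrix.platform }}
          MATRIX_ARCH: ${{ matrix.arch }}
          MATRIX_LIBC: ${{ matrix.libc }}
        run: |
          LIBC_FLAG=""
          if [ "$MATRIX_LIBC" = "musl" ]; then
            LIBC_FLAG="--libc=musl"
          fi
          # LIBC_FLAG stays unquoted on purpose: when it is empty it must
          # expand to no argument at all.
          pnpm --filter @socketsecurity/cli run build:sea -- \
            --platform="$MATRIX_PLATFORM" \
            --arch="$MATRIX_ARCH" \
            ${LIBC_FLAG}
      - name: Upload binary
        uses: actions/upload-artifact@v4
        with:
          name: binary-${{ matrix.releasePlatform }}-${{ matrix.arch }}${{ matrix.libc && '-musl' || '' }}
          path: packages/package-builder/build/prod/out/socketbin-cli-${{ matrix.releasePlatform }}-${{ matrix.arch }}${{ matrix.libc && '-musl' || '' }}/socket${{ matrix.platform == 'win32' && '.exe' || '' }}
          # Short-lived: only the publish job of this run consumes it.
          retention-days: 1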
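# Publish all packages.
# Runs when both build jobs either succeeded or were skipped; always() keeps a
# skipped dependency from skipping this job too.
  publish:
    name: Publish packages
    needs: [build-cli, build-binaries]
    if: ${{ always() && (needs.build-cli.result == 'success' || needs.build-cli.result == 'skipped') && (needs.build-binaries.result == 'success' || needs.build-binaries.result == 'skipped') }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Lets the job request an OIDC token, which `npm publish --provenance`
      # needs. Every step in this job, including install and build, runs with
      # that capability.
      id-token: write
    steps:
      # NOTE(review): the actions/* steps in this job are pinned to a mutable
      # tag, while pnpm/action-setup is pinned to a full commit SHA. This is
      # the job that can publish, so pin them to SHAs as well.
      - uses: actions/checkout@v4
        with:
          # Do not leave the checkout token in .git/config for later steps.
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version-file: .node-version
          registry-url: 'https://registry.npmjs.org'
      - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
      - run: pnpm install --frozen-lockfile
      # NOTE(review): `npm@latest` is resolved at run time, so the npm CLI that
      # signs and publishes is whatever the registry serves that day. Pin an
      # exact, reviewed version here.
      - run: npm install -g npm@latest
      # All packages use the same version from cli-package template.
      - name: Get version
        id: version
        run: |
          VERSION=$(node -p "require('./packages/package-builder/templates/cli-package/package.json').version")
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          echo "Publishing version: $VERSION"
      # Download and publish binary packages.
      - name: Download binaries
        if: ${{ inputs.socket }}
        uses: actions/download-artifact@v4
        with:
          path: artifacts
          pattern: binary-*
      - name: Publish binary packages
        if: ${{ inputs.socket && !inputs.dry-run }}
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          set -euo pipefail
          # Get platform targets from single source of truth.
          PLATFORMS_STR=$(node scripts/get-platform-targets.mjs)
          read -ra PLATFORMS <<< "$PLATFORMS_STR"
          for target in "${PLATFORMS[@]}"; do
            echo "::group::Publishing @socketbin/cli-${target}"
            # Parse platform/arch/libc from target.
            IFS='-' read -ra PARTS <<< "$target"
            PLATFORM="${PARTS[0]}"
            ARCH="${PARTS[1]}"
            LIBC=""
            # A target without a libc suffix has only two parts. Under `set -u`
            # a bare ${PARTS[2]} is an unbound-variable error that aborts the
            # loop, so default the missing element to empty.
            if [ "${PARTS[2]:-}" = "musl" ]; then
              LIBC="musl"
            fi
            # Setup package directory.
            PKG_DIR="packages/package-builder/build/prod/out/socketbin-cli-${target}"
            mkdir -p "$PKG_DIR"
            # Copy binary from artifact.
            # Check for 'win' (release naming, not win32).
            if [ "$PLATFORM" = "win" ]; then
              cp "artifacts/binary-${target}/socket.exe" "$PKG_DIR/"
            else
              cp "artifacts/binary-${target}/socket" "$PKG_DIR/"
            fi
            # Prepare package.
            LIBC_FLAG=""
            if [ -n "$LIBC" ]; then
              LIBC_FLAG="--libc=$LIBC"
            fi
            # LIBC_FLAG stays unquoted on purpose: when it is empty it must
            # expand to no argument at all.
            node scripts/prepublish-socketbin.mjs \
              --platform="$PLATFORM" --arch="$ARCH" $LIBC_FLAG --prod \
              --version="$VERSION" --method=sea
            # Publish.
            cd "$PKG_DIR"
            npm publish --provenance --access public --tag latest
            cd -
            echo "::endgroup::"
          done
      # Build and publish JS packages.
      # Order: cli/cli-with-sentry first (independent), then socket (depends on @socketbin/*).
      - name: Build CLI
        run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 pnpm run build
      - name: Publish @socketsecurity/cli
        if: ${{ inputs.cli && !inputs.dry-run }}
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          PKG_DIR="packages/package-builder/build/prod/out/cli"
          node scripts/prepare-package-for-publish.mjs "$PKG_DIR" "$VERSION"
          cd "$PKG_DIR"
          npm publish --provenance --access public --no-git-checks
      - name: Publish @socketsecurity/cli-with-sentry
        if: ${{ inputs.cli-sentry && !inputs.dry-run }}
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          PKG_DIR="packages/package-builder/build/prod/out/cli-with-sentry"
          node scripts/prepare-package-for-publish.mjs "$PKG_DIR" "$VERSION"
          cd "$PKG_DIR"
          npm publish --provenance --access public --no-git-checks
      # socket published last - depends on @socketbin/* being published first.
      - name: Publish socket
        if: ${{ inputs.socket && !inputs.dry-run }}
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          PKG_DIR="packages/package-builder/build/prod/out/socket"
          node scripts/prepare-package-for-publish.mjs "$PKG_DIR" "$VERSION"
          cd "$PKG_DIR"
          npm publish --provenance --access public --no-git-checks
      - name: Summary
        # The version string and the inputs are passed in as environment
        # variables, as the publish steps already do for VERSION, instead of
        # being expanded into the script text by ${{ }}. The version is read
        # from a package.json in the repository, so it is kept out of the
        # shell source.
        env:
          VERSION: ${{ steps.version.outputs.version }}
          DRY_RUN: ${{ inputs.dry-run }}
          PUBLISH_SOCKET: ${{ inputs.socket }}
          PUBLISH_CLI: ${{ inputs.cli }}
          PUBLISH_CLI_SENTRY: ${{ inputs.cli-sentry }}
        run: |
          echo "## Publish Summary" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "Version: \`$VERSION\`" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          if [ "$DRY_RUN" = "true" ]; then
            echo "**Dry run - nothing was published**" >> "$GITHUB_STEP_SUMMARY"
          else
            echo "### Published packages:" >> "$GITHUB_STEP_SUMMARY"
            # The binary packages and the `socket` package are both gated on
            # the same input, so they are reported together.
            if [ "$PUBLISH_SOCKET" = "true" ]; then
              echo "- @socketbin/cli-* (8 platforms)" >> "$GITHUB_STEP_SUMMARY"
              echo "- socket" >> "$GITHUB_STEP_SUMMARY"
            fi
            if [ "$PUBLISH_CLI" = "true" ]; then
              echo "- @socketsecurity/cli" >> "$GITHUB_STEP_SUMMARY"
            fi
            if [ "$PUBLISH_CLI_SENTRY" = "true" ]; then
              echo "- @socketsecurity/cli-with-sentry" >> "$GITHUB_STEP_SUMMARY"
            fi
          fi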