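# Release workflow. On a push to a release branch it compares the version in
# package.json against the existing git tags; when no tag exists yet it pushes
# the tag, updates the major version branch, and publishes the package to npm
# with provenance.
name: Publish
on:
  push:
    branches:
      - main
      - main-v1

# Read-only default for the workflow token. A job-level `permissions` block
# below replaces this default for that job.
permissions: read-all

jobs:
  # Determines the package version and whether it has already been tagged.
  check:
    name: Check
    runs-on: ubuntu-22.04
    outputs:
      released: ${{ steps.version.outputs.released }}
      version: ${{ steps.version.outputs.version }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
      - name: Checkout repository
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          fetch-depth: 0 # To obtain all tags
      - name: Check if version is released
        id: version
        # The version is read from package.json, i.e. from repository content.
        # Later jobs therefore receive it through environment variables and
        # never splice it into script text.
        run: |
          VERSION="v$(jq -r '.version' < package.json)"
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
          if [ "$(git tag --list "$VERSION")" ]; then
            echo 'released=true' >> "$GITHUB_OUTPUT"
          else
            echo 'released=false' >> "$GITHUB_OUTPUT"
          fi

  # Pushes the release tag and moves the major version branch.
  git:
    name: git
    runs-on: ubuntu-22.04
    if: ${{ needs.check.outputs.released == 'false' }}
    needs:
      - check
    permissions:
      contents: write # To push refs
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            github.com:443
      - name: Checkout repository
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
        with:
          fetch-depth: 0 # To fetch all major version branches
      - name: Get major version
        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
        id: major-version
        # This job holds `contents: write`, so the version is handed over as an
        # environment variable: the script reads it as a string value instead
        # of having it expanded into the JavaScript source before execution.
        env:
          VERSION: ${{ needs.check.outputs.version }}
        with:
          result-encoding: string
          # `\d+` so that multi-digit minor/patch numbers (e.g. v1.10.0) are
          # stripped too; a single `\d` left such versions unchanged.
          script: |
            const version = process.env.VERSION
            const major = version.replace(/\.\d+\.\d+$/, "")
            return major
      - name: Publish git tag
        # Quoted shell variable rather than `${{ }}` inside the script body, so
        # the value cannot terminate the quoting and be parsed as shell syntax.
        env:
          VERSION: ${{ needs.check.outputs.version }}
        run: |
          git tag "$VERSION"
          git push origin "$VERSION"
      - name: Update major version branch
        env:
          MAJOR_VERSION: ${{ steps.major-version.outputs.result }}
        run: |
          git push origin "HEAD:$MAJOR_VERSION"

  # Publishes the package to the npm registry with a provenance attestation.
  npm:
    name: npm
    runs-on: ubuntu-22.04
    if: ${{ needs.check.outputs.released == 'false' }}
    needs:
      - check
    permissions:
      id-token: write # To attach provenance to the published package
    environment:
      name: npm
      url: https://www.npmjs.com/package/@ericcornelissen/eslint-plugin-top
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            fulcio.sigstore.dev:443
            github.com:443
            nodejs.org:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
            rekor.sigstore.dev:443
            sigstore-tuf-root.storage.googleapis.com:443
      - name: Checkout repository
        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
      - name: Install Node.js
        uses: actions/setup-node@e33196f7422957bea03ed53f6fbb155025ffc7b8 # v3.7.0
        with:
          cache: npm
          node-version-file: .nvmrc
          registry-url: https://registry.npmjs.org
      - name: Install dependencies
        run: npm clean-install
      - name: Publish to npm
        run: |
          npm publish --provenance
        # The registry token is set on this step only, so the dependency
        # installation step above runs without it.
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}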