chore: update NPM publishing #13
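# Copyright the Hyperledger Fabric contributors. All rights reserved.
#
# SPDX-License-Identifier: Apache-2.0

name: Release

on:
  push:
    tags:
      - "v[0-9]+.[0-9]+.[0-9]+"
      - "v[0-9]+.[0-9]+.[0-9]+-*"

# ---- Permissions ----
# The workflow-level default is read-only. Each job grants itself only what it
# needs (id-token:write for OIDC, packages:write for ghcr.io), so a compromised
# step in one job cannot mint tokens or push packages on behalf of another.
permissions:
  contents: read

env:
  IMAGE_NAME: ${{ github.repository_owner }}/fabric-nodeenv

jobs:
  test:
    uses: ./.github/workflows/test.yaml

  publishnpm:
    runs-on: ubuntu-24.04
    needs: test
    permissions:
      contents: read
      id-token: write # npm trusted publishing (OIDC)
    steps:
      - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
        with:
          # npm 11 (needed for trusted publishing, see below) no longer runs on
          # Node 18, so the publish job needs a current Node release.
          node-version: "22.x"
          registry-url: "https://registry.npmjs.org"
      # Trusted publishing needs npm 11.5.1 or later. Pin the version rather
      # than `@latest` so the tool that signs and uploads a release cannot change
      # underneath us between runs; bump it deliberately.
      - name: Update npm
        run: npm install -g npm@11.5.1
      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          name: node-tgzs
          path: build/
      - name: Publish packages with provenance (OIDC)
        # No NODE_AUTH_TOKEN is needed with trusted publishing: npm authenticates
        # with the job's OIDC token and attaches provenance automatically.
        # `find -exec ... \;` ignores the exit status of each `npm publish`;
        # piping into xargs makes the step fail when any single publish fails.
        # `-r` avoids running a bare `npm publish` (which would publish the cwd)
        # when no tarball is present.
        run: |
          set -xev
          ls -lart build/
          cd build
          find . -type f -name 'fabric-*.tgz' -print0 | xargs -0 -r -n1 npm publish

  # ========= Build & push per-arch images (with provenance/SBOM) =========
  docker-build-push:
    name: Build & Push Docker image (per-arch)
    needs: test
    runs-on: ${{ matrix.arch.runner }}
    permissions:
      contents: read
      packages: write # for ghcr.io
      id-token: write # for provenance/attestations
    strategy:
      fail-fast: false
      matrix:
        arch:
          # buildx expects the os/arch form; the artifact-safe dash form is
          # derived in the "Prepare platform name" step.
          - platform: linux/amd64
            runner: ubuntu-24.04
          - platform: linux/arm64
            runner: ubuntu-24.04-arm
    steps:
      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: Get commit timestamp
        run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "${GITHUB_ENV}"
      # Artifact names may not contain '/', so map linux/amd64 -> linux-amd64.
      - name: Prepare platform name
        run: |
          platform='${{ matrix.arch.platform }}'
          echo "PLATFORM_PAIR=${platform//\//-}" >> "${GITHUB_ENV}"
      # ---- GHCR login via GITHUB_TOKEN (short-lived, scoped by the job permissions) ----
      - name: Login to GitHub Container Registry (ghcr.io)
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # ---- Docker Hub login ----
      # The build step below pushes to docker.io unconditionally, so these
      # credentials are required, not optional; failing here is clearer than
      # failing at push time. (The `secrets` context is also not available in a
      # step-level `if`, so the login cannot be made conditional that way.)
      # A PAT is used until Docker Hub offers an OIDC-based flow.
      - name: Login to Docker Hub
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: docker.io
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Build image (per-arch) with provenance + SBOM
        id: build
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          file: docker/fabric-nodeenv/Dockerfile
          context: docker/fabric-nodeenv
          platforms: ${{ matrix.arch.platform }}
          # Generate and attach SLSA provenance and an SBOM at build time.
          provenance: true
          sbom: true
          # Push by digest only; tags are applied by the docker-meta job once
          # both architectures have been built.
          outputs: type=registry,"name=${{ format('ghcr.io/{0},docker.io/{0}', env.IMAGE_NAME) }}",push-by-digest=true,name-canonical=true
        env:
          SOURCE_DATE_EPOCH: ${{ env.SOURCE_DATE_EPOCH }}
      - name: Export digest
        # The digest is carried to docker-meta as an empty file named after it.
        run: |
          mkdir -p "${RUNNER_TEMP}/digests"
          digest="${{ steps.build.outputs.digest }}"
          touch "${RUNNER_TEMP}/digests/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: digest-${{ env.PLATFORM_PAIR }}
          path: ${{ runner.temp }}/digests/*
          if-no-files-found: error

  # =============== Manifest + tags publishing ==================
  docker-meta:
    needs: docker-build-push
    name: Publish Docker metadata
    runs-on: ubuntu-24.04
    permissions:
      contents: read
      packages: write # push manifest lists to ghcr.io
      # No step in this job uses OIDC, so id-token:write is not granted.
    strategy:
      fail-fast: false
      matrix:
        registry:
          - docker.io
          - ghcr.io
    steps:
      - name: Download digests
        uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
        with:
          path: ${{ runner.temp }}/digests
          pattern: digest-*
          merge-multiple: true
      - name: Login to ${{ matrix.registry }}
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ${{ matrix.registry }}
          username: ${{ matrix.registry == 'docker.io' && secrets.DOCKERHUB_USERNAME || github.actor }}
          password: ${{ matrix.registry == 'docker.io' && secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }}
      - name: Docker metadata
        id: meta
        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
        with:
          images: ${{ matrix.registry }}/${{ env.IMAGE_NAME }}
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}.{{minor}}.{{patch}}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
      - name: Create and push manifest list
        # Every file in the digests directory is one per-arch image digest.
        working-directory: ${{ runner.temp }}/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("--tag " + .) | join(" ")' <<< "${DOCKER_METADATA_OUTPUT_JSON}") \
            $(printf '${{ matrix.registry }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
      - name: Inspect image
        run: docker buildx imagetools inspect '${{ matrix.registry }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}'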