add repository URL to Cargo.toml for npm OIDC provenance #36
| name: NPM Packages Release | |
| on: | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| release: | |
| if: ${{ github.ref == 'refs/heads/main' && !startsWith(github.event.head_commit.message, 'NPM Package Release') }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| id-token: write | |
| contents: write | |
| outputs: | |
| version: ${{ env.NEW_VERSION }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| ssh-key: ${{ secrets.PUBLISH_PRIVATE_KEY }} | |
| submodules: recursive | |
| fetch-depth: 0 | |
| - uses: DeterminateSystems/nix-installer-action@main | |
| with: | |
| determinate: true | |
| - uses: DeterminateSystems/flakehub-cache-action@main | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: "24.x" | |
| registry-url: "https://registry.npmjs.org" | |
| - name: Upgrade npm for OIDC | |
| run: | | |
| npm install -g npm@latest | |
| npm --version | |
| - name: Verify OIDC availability | |
| run: | | |
| if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL}" ] && [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" ]; then | |
| echo "OIDC token available" | |
| echo "Endpoint: ${ACTIONS_ID_TOKEN_REQUEST_URL}" | |
| else | |
| echo "OIDC token NOT available" | |
| echo "Check workflow permissions include 'id-token: write'" | |
| exit 1 | |
| fi | |
| - name: Verify repository configuration | |
| run: | | |
| echo "Checking repository consistency..." | |
| GIT_REPO=$(git remote get-url origin | sed 's/.*github.com[/:]//; s/.git$//') | |
| PKG_REPO=$(node -e "console.log(require('./pkg/package.json').repository?.url || '')" | sed 's|https://github.com/||; s|git+||; s|.git$||') | |
| echo "Git remote: $GIT_REPO" | |
| echo "package.json: $PKG_REPO" | |
| if [ "$GIT_REPO" != "$PKG_REPO" ]; then | |
| echo "Repository mismatch!" | |
| echo "This will cause 422 error during publish" | |
| exit 1 | |
| fi | |
| echo "Repositories match" | |
| - run: nix develop -c build-submodules | |
| - run: nix develop -c local-bundle | |
| - name: Install Playwright browsers with dependencies | |
| run: | | |
| cd svelte-test | |
| npx playwright install --with-deps | |
| - name: Test full integration | |
| run: nix develop -c test-full-integration | |
| - name: Git Config | |
| run: | | |
| git config --global user.email "${{ secrets.CI_GIT_EMAIL }}" | |
| git config --global user.name "${{ secrets.CI_GIT_USER }}" | |
| # get hash of latest published pkgs from npm and concat them | |
| - name: Get Old Hash | |
| run: | | |
| OLD_HASH=$(npm view @rainlanguage/sqlite-web@alpha dist.shasum 2>/dev/null || echo "none") | |
| echo "OLD_HASH=$OLD_HASH" >> $GITHUB_ENV | |
| echo "old hash: $OLD_HASH" | |
| # Build the package and calc hash | |
| - name: Build and Get New Hash | |
| run: | | |
| nix develop -c local-bundle | |
| NEW_HASH=$(cd pkg && npm pack --silent | xargs shasum | cut -c1-40) | |
| echo "NEW_HASH=$NEW_HASH" >> $GITHUB_ENV | |
| echo "new hash: $NEW_HASH" | |
| rm -f pkg/*.tgz | |
| # from here on, we'll skip if OLD_HASH and NEW_HASH are the same (ie no publish) | |
| # this means we need to skip every step by using an if statement. | |
| # set npm version in pkg directory | |
| - name: Set Version | |
| if: ${{ env.OLD_HASH != env.NEW_HASH }} | |
| run: | | |
| NEW_NPM_VERSION=$(npm --prefix pkg version prerelease --preid alpha --no-git-tag-version) | |
| NEW_VERSION=${NEW_NPM_VERSION#v} | |
| echo "NEW_VERSION=$NEW_VERSION" >> $GITHUB_ENV | |
| for manifest in packages/sqlite-web/Cargo.toml packages/sqlite-web-core/Cargo.toml; do | |
| sed -i.bak "s/^version = \".*\"/version = \"$NEW_VERSION\"/" "$manifest" | |
| rm "$manifest".bak | |
| done | |
| # Create sqlite-web npm package tarball | |
| - name: Create sqlite-web NPM Package Tarball | |
| if: ${{ env.OLD_HASH != env.NEW_HASH }} | |
| run: | | |
| cd pkg | |
| echo "NPM_PACKAGE=$(npm pack --silent)" >> $GITHUB_ENV | |
| - name: Rename sqlite-web NPM Package Tarball | |
| if: ${{ env.OLD_HASH != env.NEW_HASH }} | |
| run: mv pkg/${{ env.NPM_PACKAGE }} sqlite_web_npm_package_${{ env.NEW_VERSION }}.tgz | |
| # publish sqlite-web pkg to npm | |
| - name: Publish sqlite-web pkg To NPM | |
| if: ${{ env.OLD_HASH != env.NEW_HASH }} | |
| run: | | |
| npm publish sqlite_web_npm_package_${{ env.NEW_VERSION }}.tgz \ | |
| --access public \ | |
| --tag alpha \ | |
| --verbose | |
| # Commit changes and tag | |
| - name: Commit And Tag | |
| if: ${{ env.OLD_HASH != env.NEW_HASH }} | |
| run: | | |
| git add pkg/package.json packages/sqlite-web/Cargo.toml packages/sqlite-web-core/Cargo.toml | |
| git commit -m "NPM Package Release v${{ env.NEW_VERSION }}" | |
| git tag npm-v${{ env.NEW_VERSION }} | |
| # Push the commit to remote | |
| - name: Push Changes To Remote | |
| if: ${{ env.OLD_HASH != env.NEW_HASH }} | |
| run: | | |
| git push origin | |
| git push -u origin npm-v${{ env.NEW_VERSION }} | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # Create gitHub release with tarballs | |
| - name: Create GitHub Release with sqlite-web pkg | |
| if: ${{ env.OLD_HASH != env.NEW_HASH }} | |
| id: gh_release | |
| uses: softprops/action-gh-release@v2 | |
| with: | |
| tag_name: npm-v${{ env.NEW_VERSION }} | |
| name: NPM Package Release v${{ env.NEW_VERSION }} | |
| files: | | |
| sqlite_web_npm_package_${{ env.NEW_VERSION }}.tgz | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
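Review bot: The two third-party actions at lines 24 and 27 are pinned to the mutable `@main` ref (`DeterminateSystems/nix-installer-action@main`, `DeterminateSystems/flakehub-cache-action@main`), yet they run in a job holding `id-token: write`, `contents: write` and the `PUBLISH_PRIVATE_KEY` deploy key, so any upstream change to that branch executes with publish and push rights on this repository. Pin each to a full commit SHA with the release tag as a trailing comment, e.g. `uses: DeterminateSystems/nix-installer-action@<pinned-commit-sha>  # <release-tag>`, and apply the same to `softprops/action-gh-release@v2` and `actions/checkout@v4`, whose tags can also be moved. The `npm install -g npm@latest` step at line 35 has the same shape: the CLI that performs the OIDC exchange and the publish is fetched unpinned on every run, so `npm@<known-version>` with a documented reason for the minimum would make the release reproducible and auditable. This is a rendered file view without old/new markers, so I cannot tell which of these lines the commit itself introduced.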