Reusable action for publish and test #1
Conversation
sheplu
force-pushed
the
release-reusable-action
branch
5 times, most recently
from
d15e2f9 to
b29aecb
Compare
sheplu
force-pushed
the
release-reusable-action
branch
from
b29aecb to
dda3ea9
Compare
| - Use a **granular npm token** scoped only to the package(s) being published | ||
| - The token must have **publish-only permissions** | ||
| - The token should be **added shortly before each publish** | ||
| - The token must be **revoked immediately after the deployment completes** |
There was a problem hiding this comment.
Ideally this needs to be automated (high chances we forget as local logout) but the CLI requires the ID: npm token revoke <token-id> so in that case we need to add an additional secret 🤔
There was a problem hiding this comment.
This would be great to not need a specific PAT token for that :) I am still hoping that we can have tokens that are deleted automatically after a short time or after a number of usage (1 would be perfect).
For this workflows, I am not sure about the case to have a token to delete a token, and then delete the token used to delete the token 😅
|
|
||
| Only workflows explicitly targeting `environment: publish` will be able to access these secrets. | ||
|
|
||
| ## Behavior |
There was a problem hiding this comment.
There are some repos (probably more in the future) that might not work with this approach as they require a build step before release like codemod: (https://github.com/expressjs/codemod/blob/35e5d273b5530b4a1e2352cc849612ee39d929b6/package.json#L29)
There was a problem hiding this comment.
I was thinking of allowing the call of the action with a specific npm script to run for that. Would you have anything against ? Or do you see a specific way?
There was a problem hiding this comment.
We don’t need to worry about codemod, because it has a different setup for publishing (see https://github.com/expressjs/codemod/blob/main/.github/workflows/publish.yml and expressjs/codemod#100), which we’re going to start using soon.
| id-token: write | ||
| contents: read | ||
|
|
||
| jobs: |
There was a problem hiding this comment.
I definitely will like to pin dependencies here as our tokens are used in this workflow.
There was a problem hiding this comment.
Fixing that in a couple minutes !
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v6 |
There was a problem hiding this comment.
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@v6 |
Obviously we need to use egress-policy: block once the allowedlist is clear.
There was a problem hiding this comment.
Absolutely! Nothing against that - in the contrary it will be way better.
As this is not yet setup, I only included the base workflow
3 participants
Create one reusable action for release purpose