Merge pull request #25 from FusionAuth/mooreds/update-publish-workflow #19
| name: Publish the node CLI to NPM | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| inputs: | |
| command: | |
| type: choice | |
| options: | |
| - test # build only | |
| - publish # build & publish to npmjs | |
| default: test | |
| version: | |
| required: true | |
| type: string | |
| permissions: | |
| contents: read | |
| id-token: write | |
| jobs: | |
| deploy: | |
| runs-on: ubuntu-latest | |
| defaults: | |
| run: | |
| shell: /usr/bin/bash -l -e -o pipefail {0} | |
| steps: | |
| - name: checkout | |
| uses: actions/checkout@v4 | |
| - name: set aws credentials | |
| uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| role-to-assume: arn:aws:iam::752443094709:role/gha-fusionauth-node-cli | |
| role-session-name: aws-auth-action | |
| aws-region: us-west-2 | |
| - name: get secret | |
| if: inputs.command == 'publish' | |
| run: | | |
| while IFS=$'\t' read -r key value; do | |
| echo "::add-mask::${value}" | |
| echo "${key}=${value}" >> $GITHUB_ENV | |
| done < <(aws secretsmanager get-secret-value \ | |
| --region us-west-2 \ | |
| --secret-id platform/npmjs \ | |
| --query SecretString \ | |
| --output text | \ | |
| jq -r 'to_entries[] | [.key, .value] | @tsv') | |
| - name: setup node for publishing | |
| if: inputs.command == 'publish' | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: '20' | |
| registry-url: 'https://registry.npmjs.org' # This generates the necessary .npmrc | |
| - name: set version | |
| run: npm version ${{ inputs.version }} | |
| - name: commit version changes (only on main branch) | |
| if: inputs.command == 'publish' && github.ref == 'refs/heads/main' | |
| run: | | |
| git push | |
| git push --tags | |
| - name: install dependencies | |
| run: npm install | |
| - name: build the package | |
| run: npm run build | |
| - name: test publish to npmjs | |
| if: inputs.command == 'test' | |
| run: npm publish --dry-run | |
| - name: publish to npmjs | |
| if: inputs.command == 'publish' | |
| run: | | |
| npm install -g npm@latest | |
| npm publish --provenance --access public | |
| env: | |
| NODE_AUTH_TOKEN: "sigstore" # npm uses OIDC when this is any non-empty string |
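Review bot: The `set version` step splices the `workflow_dispatch` input straight into a bash `run:` line (`npm version ${{ inputs.version }}`), so a value such as `1.2.3; curl ...` runs as shell inside a job that already holds an assumed AWS role and an OIDC token; pass it through the environment instead, `env: VERSION: ${{ inputs.version }}` with `run: npm version "$VERSION"`, which also makes the `push`/`pull_request` case (where the input is empty) explicit. Separately, the job declares `contents: read` while the `commit version changes` step runs `git push` and `git push --tags` with the default GITHUB_TOKEN, which that permission does not allow; if the push is intended, grant `contents: write` on this workflow only rather than widening repository defaults, and confirm `main` branch protection accepts a token push, which the page does not show. The `set aws credentials` step is unconditional, so the IAM role is assumed on every push and pull request even though nothing downstream uses it unless `inputs.command == 'publish'`; gating it with the same `if:` as the `get secret` step, and pinning the role's trust policy to this repository and branch via the token's `sub` claim, keeps the role off non-release runs. Lastly, `npm install -g npm@latest` at publish time pulls an unpinned client into the step that signs and uploads the package; pinning a known version (or relying on the npm shipped with the pinned Node 20) would remove that moving part from the release path.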