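# Release workflow for libhalo.js.
#
# Runs when a tag matching `libhalo-v*` is pushed and does three things:
#   1. create_release - drafts a GitHub release and hands its upload URL to
#      the other jobs through a workflow artifact;
#   2. build_js_lib   - builds the bundle with webpack, signs it with cosign
#      (keyless), verifies the signature and uploads the release assets;
#   3. publish_npm    - compiles the package with tsc and publishes it to
#      npmjs and to GitHub Packages.
#
# NOTE(review): every `uses:` below references a mutable tag. For a workflow
# that signs and publishes artifacts, pin each action to a full commit SHA,
# e.g. `owner/action@<FULL_COMMIT_SHA>  # vX.Y.Z` (placeholder, look up the
# real SHA before applying).
name: Release libhalo.js

on:
  push:
    tags:
      - 'libhalo-v*'

jobs:
  create_release:
    name: Create libhalo release
    runs-on: ubuntu-22.04
    # Declared explicitly so this job does not inherit the repository's
    # default GITHUB_TOKEN scopes; drafting the release needs contents: write.
    permissions:
      contents: write
    steps:
      # Takes the second '-'-separated field of the ref, so a constructed
      # example ref `refs/tags/libhalo-v1.2.3` yields `version=v1.2.3`.
      # Anything after a further '-' in the tag is dropped by `cut -f2`.
      - name: Prepare version number
        id: parse_version
        run: |
          ( echo -n "version=" && ( echo "$GITHUB_REF" | cut -f2 -d- | tr -d '\n' ) ) >> "$GITHUB_OUTPUT"

      - name: Draft release
        id: create_release
        uses: softprops/action-gh-release@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref }}
          name: LibHaLo ${{ steps.parse_version.outputs.version }}
          # Stays a draft: nothing in this workflow publishes the release.
          draft: true
          prerelease: false
          body: |
            Standalone JavaScript library for usage with classic HTML applications.
            Release contents:
            * `libhalo.js` - standalone JavaScript library for inclusion in classic HTML applications;
            * `libhalo.js.LICENSE` - license information;
            **Note:** The files `*-keyless.sig` and `*-keyless.pem` constitute a part of [build audit trail](https://github.com/arx-research/libhalo/blob/master/docs/build-audit-trail.md).

      # The step output is passed through the environment instead of being
      # expanded by `${{ }}` inside the script text, so its value is never
      # parsed as shell source.
      - name: Store release upload URL
        env:
          UPLOAD_URL: ${{ steps.create_release.outputs.upload_url }}
        run: |
          printf '%s' "$UPLOAD_URL" > release-upload-url.txt

      - uses: actions/upload-artifact@v4
        with:
          name: release-upload-url
          path: release-upload-url.txt

  build_js_lib:
    name: Build libhalo and release
    runs-on: ubuntu-22.04
    permissions:
      # Upload assets to the draft release.
      contents: write
      # Request the GitHub OIDC token that cosign keyless signing relies on.
      id-token: write
    needs: create_release
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v4

      - name: Install Node.JS
        uses: actions/setup-node@v4
        with:
          node-version: '20'

      # --frozen-lockfile makes the install fail rather than rewrite yarn.lock.
      - name: Install dependencies (root)
        run: |
          cd core
          yarn install --frozen-lockfile --production=false

      # NOTE(review): `webpack` is resolved from PATH, whereas publish_npm
      # calls ./node_modules/.bin/tsc. If this picks up a copy preinstalled
      # on the runner, the bundler version is not governed by yarn.lock.
      # Confirm, and prefer the locally installed binary if webpack is a
      # devDependency of core.
      - name: Run webpack
        run: |
          cd core
          webpack

      - name: Download release upload URL
        uses: actions/download-artifact@v4
        with:
          name: release-upload-url

      # File content is appended to $GITHUB_OUTPUT as-is; it is written by
      # create_release in this same run and is expected to be a single line.
      - name: Store release upload URL output
        id: out_store
        run: |
          echo "release_upload_url=$(cat release-upload-url.txt)" >> "$GITHUB_OUTPUT"

      - name: Install cosign
        uses: sigstore/cosign-installer@v3.5.0

      # Signs the bundle, then verifies it immediately. Verification requires
      # the certificate identity to be this workflow file at the pushed tag
      # ref and the issuer to be GitHub Actions, so a signature made under
      # any other identity fails the job before anything is uploaded.
      # `--yes` answers the confirmation prompt non-interactively.
      - name: Sign libhalo.js with cosign
        run: |
          cd ./core/dist
          cosign sign-blob ./libhalo.js \
            --yes \
            --output-certificate ./libhalo.js-keyless.pem \
            --output-signature ./libhalo.js-keyless.sig
          cosign verify-blob \
            --cert ./libhalo.js-keyless.pem \
            --signature ./libhalo.js-keyless.sig \
            --certificate-identity "https://github.com/arx-research/libhalo/.github/workflows/prod_build_lib.yml@${GITHUB_REF}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            ./libhalo.js

      # NOTE(review): actions/upload-release-asset is archived upstream and
      # no longer maintained; consider replacing the four upload steps with a
      # maintained alternative.
      - name: Upload release asset (JS bundle)
        id: upload-release-asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.out_store.outputs.release_upload_url }}
          asset_path: ./core/dist/libhalo.js
          asset_name: libhalo.js
          asset_content_type: text/javascript

      - name: Upload release asset (LICENSE file)
        id: upload-release-asset-license
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.out_store.outputs.release_upload_url }}
          asset_path: ./core/dist/libhalo.js.LICENSE.txt
          asset_name: libhalo.js.LICENSE.txt
          asset_content_type: text/plain

      - name: Upload release asset (cosign pem)
        id: upload-release-asset-cosign-pem
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.out_store.outputs.release_upload_url }}
          asset_path: ./core/dist/libhalo.js-keyless.pem
          asset_name: libhalo.js-keyless.pem
          asset_content_type: application/octet-stream

      - name: Upload release asset (cosign sig)
        id: upload-release-asset-cosign-sig
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.out_store.outputs.release_upload_url }}
          asset_path: ./core/dist/libhalo.js-keyless.sig
          asset_name: libhalo.js-keyless.sig
          asset_content_type: application/octet-stream

  publish_npm:
    name: Publish libhalo package
    # Runs under the `prod-npm` environment, so any protection rules
    # configured on that environment apply before the job starts.
    environment: prod-npm
    runs-on: ubuntu-22.04
    # NOTE(review): no step visible in this job writes repository contents or
    # requests an OIDC token, and the upload URL fetched below is never
    # referenced afterwards. Check the lifecycle scripts in core/package.json,
    # then reduce this to the scopes actually used (packages: write for the
    # GitHub Packages publish, contents: read for checkout).
    permissions:
      contents: write
      packages: write
      id-token: write
    needs: create_release
    steps:
      - name: Download release upload URL
        uses: actions/download-artifact@v4
        with:
          name: release-upload-url

      - name: Store release upload URL output
        id: out_store
        run: |
          echo "release_upload_url=$(cat release-upload-url.txt)" >> "$GITHUB_OUTPUT"

      - name: Checkout the repository
        uses: actions/checkout@v4

      - name: Setup Node.JS
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'

      # Despite the step name this uses yarn, not `npm ci`: a frozen-lockfile
      # install followed by two TypeScript builds (default and CommonJS
      # configs).
      - name: Run npm ci
        run: |
          cd core
          yarn install --frozen-lockfile --production=false
          ./node_modules/.bin/tsc
          ./node_modules/.bin/tsc -p tsconfig.commonjs.json

      # The npm token is exposed only to this step, not to the install/build
      # step above.
      - name: Publish package to npmjs
        run: cd core && yarn publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.RELEASE_NPM_TOKEN }}

      # setup-node is run again to point the registry configuration at
      # GitHub Packages before the second publish.
      - name: Re-setup Node.JS with GitHub pkg
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://npm.pkg.github.com/'

      - name: Publish package to GitHub
        run: cd core && yarn publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}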