.github/workflows/release-and-publish.yml
name: Release and publish
on:
push:
branches:
- master
permissions: {}
jobs:
release-please:
runs-on: ubuntu-latest
permissions:
contents: write # to create release commit
pull-requests: write # to create release PR
outputs:
release_created: ${{ steps.release.outputs.release_created }}
steps:
- name: 🔐 Harden Runner
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
egress-policy: audit
- name: 🆕 Create or update release
uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
id: release
with:
token: ${{ secrets.GITHUB_TOKEN }}
npm-publish:
needs: [release-please]
runs-on: ubuntu-latest
permissions:
id-token: write # to allow npm publish provenance generation
# this if statements ensure that a publication only occurs when a new release is created:
if: ${{ needs.release-please.outputs.release_created }}
steps:
- name: 🔐 Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
fulcio.sigstore.dev:443
github.com:443
registry.npmjs.org:443
rekor.sigstore.dev:443
api.github.com:443
nodejs.org:443
- name: 🔔 Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: ⚙️ Setup Node.js
uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # 4.0.2
with:
node-version: 14
registry-url: 'https://registry.npmjs.org'
- name: 📦 Install dependencies
run: npm ci
- name: 🚀 Publish to npm
run: npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_GUIDESMITHS }}