Skip to content

Bump step-security/harden-runner from 2.5.1 to 2.6.1 (#1296) #626

Bump step-security/harden-runner from 2.5.1 to 2.6.1 (#1296)

Bump step-security/harden-runner from 2.5.1 to 2.6.1 (#1296) #626

Workflow file for this run

name: Publish
on:
push:
branches:
- main
- main-v1
permissions: read-all
jobs:
check:
name: Check
runs-on: ubuntu-22.04
outputs:
released: ${{ steps.version.outputs.released }}
release_notes: ${{ steps.version.outputs.release_notes }}
version: ${{ steps.version.outputs.version }}
steps:
- name: Harden runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
actions-results-receiver-production.githubapp.com:443
api.github.com:443
github.com:443
gitlab.com:443
nodejs.org:443
objects.githubusercontent.com:443
registry.npmjs.org:443
- name: Checkout repository
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
fetch-depth: 0 # To fetch all tags
- name: Install Node.js
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
with:
cache: npm
node-version-file: .nvmrc
- name: Install dependencies
run: npm clean-install
- name: Check if the current version is already released
id: version
run: |
VERSION="v$(jq -r '.version' < package.json)"
echo "version=$VERSION" >> "$GITHUB_OUTPUT"
if [ "$(git tag --list "$VERSION")" ]; then
echo 'released=true' >> "$GITHUB_OUTPUT"
else
echo 'released=false' >> "$GITHUB_OUTPUT"
{
echo 'release_notes<<EOF'
node script/release/get-release-notes.js
echo 'EOF'
} >> "$GITHUB_OUTPUT"
fi
git:
name: git
runs-on: ubuntu-22.04
if: ${{ needs.check.outputs.released == 'false' }}
needs:
- check
permissions:
contents: write # To push a ref
steps:
- name: Harden runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
actions-results-receiver-production.githubapp.com:443
github.com:443
- name: Checkout repository
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
with:
fetch-depth: 0 # To fetch all major version branches
- name: Get release version
uses: actions/github-script@e69ef5462fd455e02edcaf4dd7708eda96b9eda0 # v7.0.0
id: major_version
env:
VERSION: ${{ needs.check.outputs.version }}
with:
result-encoding: string
script: |
const version = `${process.env.VERSION}`
const major = version.replace(/\.\d\.\d$/, "")
return major
- name: Create release tag
env:
VERSION: ${{ needs.check.outputs.version }}
run: |
git tag "${VERSION}"
git push origin "${VERSION}"
- name: Update major version branch
env:
MAJOR_VERSION: ${{ steps.major_version.outputs.result }}
run: |
git push origin "HEAD:${MAJOR_VERSION}"
github:
name: GitHub
runs-on: ubuntu-22.04
if: ${{ needs.check.outputs.released == 'false' }}
needs:
- check
- git
permissions:
contents: write # To create a GitHub Release
steps:
- name: Harden runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
actions-results-receiver-production.githubapp.com:443
api.github.com:443
github.com:443
- name: Create GitHub release
uses: ncipollo/release-action@6c75be85e571768fa31b40abf38de58ba0397db5 # v1.13.0
with:
tag: ${{ needs.check.outputs.version }}
name: Release ${{ needs.check.outputs.version }}
body: ${{ needs.check.outputs.release_notes }}
draft: false
prerelease: false
npm:
name: npm
runs-on: ubuntu-22.04
if: ${{ needs.check.outputs.released == 'false' }}
permissions:
id-token: write # To attach provenance to the published package
environment:
name: npm
url: https://www.npmjs.com/package/shescape
needs:
- check
steps:
- name: Harden runner
uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
actions-results-receiver-production.githubapp.com:443
api.github.com:443
fulcio.sigstore.dev:443
github.com:443
gitlab.com:443
nodejs.org:443
objects.githubusercontent.com:443
registry.npmjs.org:443
rekor.sigstore.dev:443
sigstore-tuf-root.storage.googleapis.com:443
- name: Checkout repository
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 # v4.1.0
- name: Install Node.js
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0
with:
cache: npm
node-version-file: .nvmrc
registry-url: https://registry.npmjs.org
- name: Install dependencies
run: npm clean-install
- name: Publish to npm
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm publish --provenance