ci: set persist-credentials to false for checkout action #166
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Node CI | |
on: | |
push: | |
branches: | |
- '**' | |
tags: | |
- 'v[0-9]+.[0-9]+.[0-9]+*' | |
pull_request: | |
jobs: | |
release: | |
name: Release | |
runs-on: ubuntu-latest | |
timeout-minutes: 15 | |
# only run for tags | |
if: contains(github.ref, 'refs/tags/') | |
needs: | |
- validate-dependencies | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
persist-credentials: false | |
- name: Use Node.js 14.x | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 14.x | |
- name: Check release is desired | |
id: do-publish | |
run: | | |
if [ -z "${{ secrets.NPM_TOKEN }}" ]; then | |
echo "No Token" | |
else | |
PUBLISHED_VERSION=$(yarn npm info --json . | jq -c '.version' -r) | |
THIS_VERSION=$(node -p "require('./package.json').version") | |
# Simple bash helper to comapre version numbers | |
verlte() { | |
[ "$1" = "`echo -e "$1\n$2" | sort -V | head -n1`" ] | |
} | |
verlt() { | |
[ "$1" = "$2" ] && return 1 || verlte $1 $2 | |
} | |
if verlt $PUBLISHED_VERSION $THIS_VERSION | |
then | |
echo "Publishing latest" | |
echo "tag=latest" >> $GITHUB_OUTPUT | |
else | |
echo "Publishing hotfix" | |
echo "tag=hotfix" >> $GITHUB_OUTPUT | |
fi | |
fi | |
- name: Prepare build | |
if: ${{ steps.do-publish.outputs.tag }} | |
run: | | |
yarn install | |
env: | |
CI: true | |
- name: Publish to NPM | |
if: ${{ steps.do-publish.outputs.tag }} | |
run: | | |
yarn config set npmAuthToken $NPM_AUTH_TOKEN | |
NEW_VERSION=$(node -p "require('./package.json').version") | |
yarn npm publish --access=public --tag ${{ steps.do-publish.outputs.tag }} | |
echo "**Published:** $NEW_VERSION" >> $GITHUB_STEP_SUMMARY | |
env: | |
NPM_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
CI: true | |
validate-dependencies: | |
name: Validate production dependencies | |
runs-on: ubuntu-latest | |
continue-on-error: true | |
timeout-minutes: 15 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Use Node.js 14.x | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 14.x | |
- name: Prepare Environment | |
run: | | |
yarn install | |
env: | |
CI: true | |
- name: Validate production dependencies | |
run: | | |
if ! git log --format=oneline -n 1 | grep -q "\[ignore-audit\]"; then | |
yarn validate:dependencies | |
else | |
echo "Skipping audit" | |
fi | |
env: | |
CI: true | |
validate-all-dependencies: | |
name: Validate all dependencies | |
runs-on: ubuntu-latest | |
continue-on-error: true | |
timeout-minutes: 15 | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
persist-credentials: false | |
- name: Use Node.js 14.x | |
uses: actions/setup-node@v4 | |
with: | |
node-version: 14.x | |
- name: Prepare Environment | |
run: | | |
yarn install | |
env: | |
CI: true | |
- name: Validate production dependencies | |
run: | | |
yarn validate:dependencies | |
env: | |
CI: true | |
- name: Validate dev dependencies | |
run: | | |
yarn validate:dev-dependencies | |
env: | |
CI: true |