|
| 1 | +# GitHub Actions Workflows |
| 2 | + |
| 3 | +This directory contains GitHub Actions workflows for the add-in project. |
| 4 | + |
| 5 | +## Workflows |
| 6 | + |
| 7 | +### CI (`ci.yml`) |
| 8 | + |
| 9 | +Runs on every push to `main` and on all pull requests. |
| 10 | + |
| 11 | +**What it does:** |
| 12 | +- Tests the package on multiple Node.js versions (14, 16, 18, 20) |
| 13 | +- Runs the test suite (`npm test`) |
| 14 | +- Verifies the CLI script is executable |
| 15 | + |
| 16 | +### Publish to npm (`publish.yml`) |
| 17 | + |
| 18 | +Runs automatically when a new GitHub release is created. |
| 19 | + |
| 20 | +**What it does:** |
| 21 | +- Installs dependencies |
| 22 | +- Runs tests to ensure quality |
| 23 | +- Publishes the package to npm with provenance using OIDC authentication |
| 24 | + |
| 25 | +**Features:** |
| 26 | +- Uses OpenID Connect (OIDC) for secure authentication |
| 27 | +- Publishes with `--provenance` flag for supply chain security |
| 28 | +- Automatically makes the package public with `--access public` |
| 29 | + |
| 30 | +## Publishing to npm |
| 31 | + |
| 32 | +To publish a new version: |
| 33 | + |
| 34 | +1. Update the version in `package.json`: |
| 35 | + ```bash |
| 36 | + npm version patch # for bug fixes |
| 37 | + npm version minor # for new features |
| 38 | + npm version major # for breaking changes |
| 39 | + ``` |
| 40 | + |
| 41 | +2. Push the changes and tags: |
| 42 | + ```bash |
| 43 | + git push && git push --tags |
| 44 | + ``` |
| 45 | + |
| 46 | +3. Create a GitHub release: |
| 47 | + - Go to https://github.com/ServiceStack/add-in/releases/new |
| 48 | + - Select the version tag you just pushed |
| 49 | + - Add release notes describing the changes |
| 50 | + - Click "Publish release" |
| 51 | + |
| 52 | +4. The `publish.yml` workflow will automatically: |
| 53 | + - Run tests |
| 54 | + - Publish to npm if tests pass |
| 55 | + |
| 56 | +## Required Setup |
| 57 | + |
| 58 | +### NPM Authentication |
| 59 | + |
| 60 | +The workflow uses OIDC (OpenID Connect) authentication with provenance for enhanced security. You still need to configure an `NPM_TOKEN` secret: |
| 61 | + |
| 62 | +1. Generate an npm Automation token: |
| 63 | + - Log in to https://www.npmjs.com |
| 64 | + - Go to Account Settings → Access Tokens |
| 65 | + - Click "Generate New Token" → Choose "Automation" |
| 66 | + - Copy the generated token |
| 67 | + |
| 68 | +2. Add the token to GitHub: |
| 69 | + - Go to repository Settings → Secrets and variables → Actions |
| 70 | + - Click "New repository secret" |
| 71 | + - Name: `NPM_TOKEN` |
| 72 | + - Value: Your npm automation token |
| 73 | + - Click "Add secret" |
| 74 | + |
| 75 | +### OIDC Permissions |
| 76 | + |
| 77 | +The workflow includes the required permissions: |
| 78 | +```yaml |
| 79 | +permissions: |
| 80 | + id-token: write # Required for OIDC authentication |
| 81 | + contents: read |
| 82 | +``` |
| 83 | +
|
| 84 | +These permissions allow the workflow to: |
| 85 | +- Authenticate with npm using OIDC |
| 86 | +- Generate provenance attestations for supply chain security |
| 87 | +- Read repository contents for publishing |
| 88 | +
|
| 89 | +## Manual Publishing |
| 90 | +
|
| 91 | +If you prefer to publish manually: |
| 92 | +
|
| 93 | +```bash |
| 94 | +npm login |
| 95 | +npm publish --access public |
| 96 | +``` |
| 97 | + |
| 98 | +To publish with provenance locally (requires npm 9.5.0+): |
| 99 | + |
| 100 | +```bash |
| 101 | +npm publish --provenance --access public |
| 102 | +``` |
| 103 | + |
| 104 | +**Note:** Provenance generation may not work from all environments. GitHub Actions is the recommended way to publish with provenance. |
0 commit comments