-
Notifications
You must be signed in to change notification settings - Fork 35
202 lines (182 loc) · 7.62 KB
/
provenance.yml
File metadata and controls
202 lines (182 loc) · 7.62 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
name: 📦 Publish Bins
concurrency:
group: publish-${{ github.ref }}
cancel-in-progress: false
on:
workflow_dispatch:
inputs:
force:
description: 'Force rebuild (ignore cache)'
type: boolean
default: false
debug:
description: 'Enable debug output'
required: false
default: '0'
type: string
options:
- '0'
- '1'
publish-socket:
description: 'Publish socket package'
required: false
type: boolean
default: true
publish-cli:
description: 'Publish @socketsecurity/cli package'
required: false
type: boolean
default: true
publish-cli-sentry:
description: 'Publish @socketsecurity/cli-with-sentry package'
required: false
type: boolean
default: true
js-fallback:
description: 'Publish JS-only fallback version (no native binaries)'
required: false
type: boolean
default: false
permissions: {}
jobs:
build:
name: Build and Publish Package with Provenance
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write # Required for npm provenance generation (OIDC token)
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
autocrlf: false
persist-credentials: false
- name: Setup Node.js
uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
with:
node-version-file: .node-version
cache: '' # Disable automatic caching to prevent cache poisoning.
- name: Setup pnpm
uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
- name: Install dependencies
run: pnpm install --frozen-lockfile
- uses: SocketDev/socket-registry/.github/actions/setup@67a3db92603c23c58031586611c7cc852244c87c # main
with:
scope: '@socketsecurity'
- name: Cache yoga-layout WASM
id: cache-yoga
uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
with:
path: packages/yoga-layout/build/wasm
key: yoga-wasm-${{ hashFiles('packages/yoga-layout/package.json', 'packages/yoga-layout/yoga/**') }}
# Note: restore-keys removed to prevent cache poisoning attacks.
- name: Verify or build yoga-layout WASM
run: |
if [ ! -f packages/yoga-layout/build/wasm/yoga.wasm ]; then
echo "⚠️ yoga-layout WASM not found in cache - building locally"
pnpm --filter @socketsecurity/yoga-layout run build
echo "✓ yoga-layout WASM built successfully"
else
echo "✓ yoga-layout WASM found in cache"
fi
- run: npm install -g npm@latest
# Build and publish 'socket' package (default).
- name: Update socketbin versions in socket package
if: ${{ inputs.publish-socket != false }}
run: node scripts/update-socketbin-versions.mjs
- name: Prepare socket package for publishing
if: ${{ inputs.publish-socket != false }}
run: |
SOCKET_VERSION=$(node -p "require('./packages/socket/package.json').version")
echo "Socket version: $SOCKET_VERSION"
echo "SOCKET_VERSION=$SOCKET_VERSION" >> $GITHUB_ENV
node scripts/prepare-package-for-publish.mjs packages/socket
- name: Build socket package
if: ${{ inputs.publish-socket != false }}
run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 pnpm run build
- name: Validate socket package
if: ${{ inputs.publish-socket != false }}
run: pnpm --filter socket run verify
- name: Smoke test socket package
if: ${{ inputs.publish-socket != false }}
run: |
echo "Running smoke test on socket package..."
cd packages/socket
# Pack the package locally (doesn't publish).
npm pack
# Install it in a temp directory.
TEMP_DIR=$(mktemp -d)
cd "$TEMP_DIR"
npm install --no-save "$OLDPWD"/socket-*.tgz
# Test basic commands.
echo "Testing: socket --version"
npx socket --version || (echo "✗ socket --version failed" && exit 1)
echo "Testing: socket --help"
npx socket --help || (echo "✗ socket --help failed" && exit 1)
echo "✓ Smoke test passed"
# Cleanup.
if [ -n "$TEMP_DIR" ] && [ -d "$TEMP_DIR" ]; then
rm -rf "$TEMP_DIR"
fi
- name: Publish socket package
if: ${{ inputs.publish-socket != false }}
working-directory: packages/socket
run: npm publish --provenance --access public --no-git-checks
continue-on-error: true
env:
SOCKET_CLI_DEBUG: ${{ inputs.debug }}
# Build and publish '@socketsecurity/cli' package (legacy).
- name: Prepare @socketsecurity/cli package for publishing
if: ${{ inputs.publish-cli != false }}
run: node scripts/prepare-package-for-publish.mjs packages/cli "${SOCKET_VERSION}"
- name: Build @socketsecurity/cli package
if: ${{ inputs.publish-cli != false }}
run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 INLINED_SOCKET_CLI_LEGACY_BUILD=1 pnpm run build
env:
SOCKET_CLI_DEBUG: ${{ inputs.debug }}
- name: Validate @socketsecurity/cli package
if: ${{ inputs.publish-cli != false }}
run: pnpm --filter @socketsecurity/cli run verify
- name: Publish @socketsecurity/cli package
if: ${{ inputs.publish-cli != false }}
working-directory: packages/cli
run: npm publish --provenance --access public --no-git-checks
continue-on-error: true
env:
SOCKET_CLI_DEBUG: ${{ inputs.debug }}
# Build and publish '@socketsecurity/cli-with-sentry' package.
- name: Prepare @socketsecurity/cli-with-sentry package for publishing
if: ${{ inputs.publish-cli-sentry != false }}
run: node scripts/prepare-package-for-publish.mjs packages/cli-with-sentry "${SOCKET_VERSION}"
- name: Build @socketsecurity/cli-with-sentry package
if: ${{ inputs.publish-cli-sentry != false }}
run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 INLINED_SOCKET_CLI_SENTRY_BUILD=1 pnpm run build --target cli-sentry
env:
SOCKET_CLI_DEBUG: ${{ inputs.debug }}
- name: Validate @socketsecurity/cli-with-sentry package
if: ${{ inputs.publish-cli-sentry != false }}
run: pnpm --filter @socketsecurity/cli-with-sentry run verify
- name: Publish @socketsecurity/cli-with-sentry package
if: ${{ inputs.publish-cli-sentry != false }}
working-directory: packages/cli-with-sentry
run: npm publish --provenance --access public --no-git-checks
continue-on-error: true
env:
SOCKET_CLI_DEBUG: ${{ inputs.debug }}
# Build and publish JS-only fallback version (when native binaries fail).
- name: Build JS-only fallback package
if: ${{ inputs.js-fallback }}
working-directory: packages/cli
run: pnpm run build:js
- name: Validate JS-only fallback package
if: ${{ inputs.js-fallback }}
working-directory: packages/cli
run: |
# Verify build artifacts exist
test -f dist/index.js || exit 1
test -f dist/cli.js.bz || exit 1
echo "✓ JS-only fallback package built successfully"
- name: Publish JS-only fallback package
if: ${{ inputs.js-fallback }}
working-directory: packages/cli
run: npm publish --provenance --access public --no-git-checks
continue-on-error: true