Bump version to 1.2.15 (#238) #72
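# Release pipeline for libhalo.js, triggered by pushing a `libhalo-v*` tag.
#   1. create_release - drafts the GitHub release and hands its upload URL
#      to the other jobs through a workflow artifact.
#   2. build_js_lib   - builds the webpack bundle, signs it with cosign
#      (keyless), verifies the signature and uploads bundle, license,
#      certificate and signature as release assets.
#   3. publish_npm    - signs the package integrity hash, publishes to
#      npmjs.com and GitHub Packages, then checks both registries reported
#      the same hash that was signed.
#
# NOTE(review): every action except sigstore/cosign-installer is referenced
# by a mutable tag (@v1, @v3). These jobs hold `contents: write`,
# `id-token: write` and the npm publish token, so each `uses:` should be
# pinned to a full commit SHA like the cosign installer already is.
# actions/create-release and actions/upload-release-asset are archived
# upstream; plan a replacement.
name: Release libhalo.js
on:
  push:
    tags:
      - 'libhalo-v*'

jobs:
  create_release:
    name: Create libhalo release
    runs-on: ubuntu-latest
    # Least privilege: drafting the release only needs write access to
    # repository contents; without this block the job inherits the
    # repository-wide default token permissions.
    permissions:
      contents: write
    steps:
      - name: Prepare version number
        id: parse_version
        # Takes the second '-'-separated field of the ref, e.g.
        # refs/tags/libhalo-v1.2.15 -> v1.2.15.
        run: |
          ( echo -n "version=" && ( echo "$GITHUB_REF" | cut -f2 -d- | tr -d '\n' ) ) >> "$GITHUB_OUTPUT"
      - name: Draft release
        id: create_release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          tag_name: ${{ github.ref }}
          release_name: LibHaLo ${{ steps.parse_version.outputs.version }}
          draft: true
          prerelease: false
          body: |
            Standalone JavaScript library for usage with classic HTML applications.
            Release contents:
            * `libhalo.js` - standalone JavaScript library for inclusion in classic HTML applications;
            * `libhalo.js.LICENSE.txt` - license information;
            * `libhalo-npm-hash.txt` - integrity hash of the package released to npmjs.com and GitHub Packages;
            **Note:** The files `*-keyless.sig` and `*-keyless.pem` constitute a part of [build audit trail](https://github.com/arx-research/libhalo/blob/master/docs/build-audit-trail.md).
      - name: Store release upload URL
        # The step output is passed through the environment rather than
        # expanded into the script text, so its content can never be
        # interpreted as shell syntax.
        env:
          RELEASE_UPLOAD_URL: ${{ steps.create_release.outputs.upload_url }}
        run: |
          printf '%s' "${RELEASE_UPLOAD_URL}" > release-upload-url.txt
      - uses: actions/upload-artifact@v3
        with:
          name: release-upload-url
          path: release-upload-url.txt

  build_js_lib:
    name: Build libhalo and release
    runs-on: ubuntu-latest
    permissions:
      # Upload release assets.
      contents: write
      # Request the OIDC token that cosign keyless signing binds to this
      # workflow's identity.
      id-token: write
    needs: create_release
    steps:
      - name: Checkout the repository
        uses: actions/checkout@v3
      - name: Install Node.JS
        uses: actions/setup-node@v3
        with:
          node-version: '16'
      - name: Install dependencies (root)
        run: |
          npm --include=dev ci
      - name: Run webpack
        run: |
          cd web
          webpack
      - name: Download release upload URL
        uses: actions/download-artifact@v3
        with:
          name: release-upload-url
      - name: Store release upload URL output
        id: out_store
        run: |
          echo "release_upload_url=$(cat release-upload-url.txt)" >> "$GITHUB_OUTPUT"
      - name: Install cosign
        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65
      - name: Sign libhalo.js with cosign
        # Sign, then immediately verify against the identity a consumer
        # would check: this workflow file at the pushed ref, issued by the
        # GitHub Actions OIDC provider. A failed verification fails the job
        # before any asset is uploaded.
        run: |
          cd ./web/dist
          echo y | cosign sign-blob ./libhalo.js \
            --output-certificate ./libhalo.js-keyless.pem \
            --output-signature ./libhalo.js-keyless.sig
          cosign verify-blob \
            --cert ./libhalo.js-keyless.pem \
            --signature ./libhalo.js-keyless.sig \
            --certificate-identity "https://github.com/arx-research/libhalo/.github/workflows/prod_build_lib.yml@${GITHUB_REF}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            ./libhalo.js
      - name: Upload release asset (JS bundle)
        id: upload-release-asset
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.out_store.outputs.release_upload_url }}
          asset_path: ./web/dist/libhalo.js
          asset_name: libhalo.js
          asset_content_type: text/javascript
      - name: Upload release asset (LICENSE file)
        id: upload-release-asset-license
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.out_store.outputs.release_upload_url }}
          asset_path: ./web/dist/libhalo.js.LICENSE.txt
          asset_name: libhalo.js.LICENSE.txt
          asset_content_type: text/plain
      - name: Upload release asset (cosign pem)
        id: upload-release-asset-cosign-pem
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.out_store.outputs.release_upload_url }}
          asset_path: ./web/dist/libhalo.js-keyless.pem
          asset_name: libhalo.js-keyless.pem
          asset_content_type: application/octet-stream
      - name: Upload release asset (cosign sig)
        id: upload-release-asset-cosign-sig
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.out_store.outputs.release_upload_url }}
          asset_path: ./web/dist/libhalo.js-keyless.sig
          asset_name: libhalo.js-keyless.sig
          asset_content_type: application/octet-stream

  publish_npm:
    name: Publish libhalo package
    # Deployment environment; any protection rules configured for it gate
    # this job (configuration not visible in this file).
    environment: prod-npm
    runs-on: ubuntu-latest
    permissions:
      # Upload release assets.
      contents: write
      # Publish to GitHub Packages.
      packages: write
      # OIDC token for cosign keyless signing.
      id-token: write
    needs: create_release
    steps:
      - name: Download release upload URL
        uses: actions/download-artifact@v3
        with:
          name: release-upload-url
      - name: Store release upload URL output
        id: out_store
        run: |
          echo "release_upload_url=$(cat release-upload-url.txt)" >> "$GITHUB_OUTPUT"
      - name: Checkout the repository
        uses: actions/checkout@v3
      - name: Setup Node.JS
        uses: actions/setup-node@v3
        with:
          node-version: '16.x'
          registry-url: 'https://registry.npmjs.org'
      - name: Install cosign
        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65
      - name: Run npm ci
        run: npm ci
      - name: Get package integrity hash
        run: |
          PKG_HASH=$(npm publish --dry-run --json 2>/dev/null | jq --raw-output '.integrity' | tr -d '\n')
          # The default run shell has no pipefail and stderr is discarded,
          # so a failed dry run surfaces only as an empty or "null" value.
          # Stop here instead of signing a meaningless hash.
          if [ -z "${PKG_HASH}" ] || [ "${PKG_HASH}" = "null" ]; then
            echo "Could not determine the package integrity hash" >&2
            exit 1
          fi
          echo "Package hash: ${PKG_HASH}"
          echo -n "${PKG_HASH}" > "${RUNNER_TEMP}/libhalo-npm-hash.txt"
          echo y | cosign sign-blob "${RUNNER_TEMP}/libhalo-npm-hash.txt" \
            --output-certificate "${RUNNER_TEMP}/libhalo-npm-hash.txt-keyless.pem" \
            --output-signature "${RUNNER_TEMP}/libhalo-npm-hash.txt-keyless.sig"
          cosign verify-blob \
            --cert "${RUNNER_TEMP}/libhalo-npm-hash.txt-keyless.pem" \
            --signature "${RUNNER_TEMP}/libhalo-npm-hash.txt-keyless.sig" \
            --certificate-identity "https://github.com/arx-research/libhalo/.github/workflows/prod_build_lib.yml@${GITHUB_REF}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            "${RUNNER_TEMP}/libhalo-npm-hash.txt"
      - name: Publish package to npmjs
        # pipefail: otherwise the step's status is tee's, and a failed
        # publish would let the job continue to the second registry.
        run: |
          set -o pipefail
          npm publish --json | tee "${RUNNER_TEMP}/npmjs-publish.json"
        env:
          NODE_AUTH_TOKEN: ${{ secrets.RELEASE_NPM_TOKEN }}
      - name: Re-setup Node.JS with GitHub pkg
        uses: actions/setup-node@v3
        with:
          node-version: '16.x'
          registry-url: 'https://npm.pkg.github.com/'
      - name: Publish package to GitHub
        run: |
          set -o pipefail
          npm publish --json | tee "${RUNNER_TEMP}/gh-publish.json"
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Compare released hashes
        # Both registries must report the integrity value that was signed
        # before publishing; a failing cmp aborts the step (shell runs
        # with -e), so the hash assets below are not uploaded on mismatch.
        run: |
          ( cat "${RUNNER_TEMP}/npmjs-publish.json" | jq --raw-output '.integrity' | tr -d '\n' ) > "${RUNNER_TEMP}/npmjs-hash.txt"
          ( cat "${RUNNER_TEMP}/gh-publish.json" | jq --raw-output '.integrity' | tr -d '\n' ) > "${RUNNER_TEMP}/gh-hash.txt"
          cmp -s "${RUNNER_TEMP}/libhalo-npm-hash.txt" "${RUNNER_TEMP}/npmjs-hash.txt"
          cmp -s "${RUNNER_TEMP}/libhalo-npm-hash.txt" "${RUNNER_TEMP}/gh-hash.txt"
      - name: Upload release asset (npm hash)
        # NOTE(review): the id says "license" but this step uploads the
        # npm hash; kept unchanged in case it is referenced elsewhere.
        id: upload-release-asset-license
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.out_store.outputs.release_upload_url }}
          asset_path: ${{ runner.temp }}/libhalo-npm-hash.txt
          asset_name: libhalo-npm-hash.txt
          asset_content_type: text/plain
      - name: Upload release asset (npm hash cosign pem)
        id: upload-release-asset-cosign-pem
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.out_store.outputs.release_upload_url }}
          asset_path: ${{ runner.temp }}/libhalo-npm-hash.txt-keyless.pem
          asset_name: libhalo-npm-hash.txt-keyless.pem
          asset_content_type: application/octet-stream
      - name: Upload release asset (npm hash cosign sig)
        id: upload-release-asset-cosign-sig
        uses: actions/upload-release-asset@v1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          upload_url: ${{ steps.out_store.outputs.release_upload_url }}
          asset_path: ${{ runner.temp }}/libhalo-npm-hash.txt-keyless.sig
          asset_name: libhalo-npm-hash.txt-keyless.sig
          asset_content_type: application/octet-stream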