From 3602660ae703daadcb7bc2f87bf601241665f3f8 Mon Sep 17 00:00:00 2001
From: Jeffrey Rennie
Date: Thu, 16 Mar 2023 11:08:41 -0700
Subject: [PATCH] chore: store nodejs build artifacts in placer (#1773)

---
 .../gcp/templates/node_library/.kokoro/publish.sh | 14 +++++++++++++-
 .../node_library/.kokoro/release/publish.cfg | 12 ++++++++++++
 2 files changed, 25 insertions(+), 1 deletion(-)

diff --git a/synthtool/gcp/templates/node_library/.kokoro/publish.sh b/synthtool/gcp/templates/node_library/.kokoro/publish.sh
index 949e3e1d0..ca1d47af3 100755
--- a/synthtool/gcp/templates/node_library/.kokoro/publish.sh
+++ b/synthtool/gcp/templates/node_library/.kokoro/publish.sh
@@ -27,4 +27,16 @@
 NPM_TOKEN=$(cat $KOKORO_KEYSTORE_DIR/73713_google-cloud-npm-token-1)
 echo "//wombat-dressing-room.appspot.com/:_authToken=${NPM_TOKEN}" > ~/.npmrc
 npm install
-npm publish --access=public --registry=https://wombat-dressing-room.appspot.com
+npm pack .
+# npm provides no way to specify, observe, or predict the name of the tarball
+# file it generates. We have to look in the current directory for the freshest
+# .tgz file.
+TARBALL=$(ls -1 -t *.tgz | head -1)
+
+npm publish --access=public --registry=https://wombat-dressing-room.appspot.com "$TARBALL"
+
+# Kokoro collects *.tgz and package-lock.json files and stores them in Placer
+# so we can generate SBOMs and attestations.
+# However, we *don't* want Kokoro to collect package-lock.json and *.tgz files
+# that happened to be installed with dependencies.
+find node_modules -name package-lock.json -o -name "*.tgz" | xargs rm -f
\ No newline at end of file
diff --git a/synthtool/gcp/templates/node_library/.kokoro/release/publish.cfg b/synthtool/gcp/templates/node_library/.kokoro/release/publish.cfg
index 6869c922b..c63092f99 100644
--- a/synthtool/gcp/templates/node_library/.kokoro/release/publish.cfg
+++ b/synthtool/gcp/templates/node_library/.kokoro/release/publish.cfg
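Review bot: `TARBALL=$(ls -1 -t *.tgz | head -1)` publishes whichever .tgz in the checkout is newest, not necessarily the one `npm pack .` just wrote, so a stale or unexpected tarball already present in the working tree would be published and then archived in Placer as the record of the release. `npm pack` prints the generated filename on stdout, so `TARBALL=$(npm pack . | tail -n 1)` ties the publish and the archived artifact to the same file and makes the three-line comment above it unnecessary. The cleanup `find node_modules -name package-lock.json -o -name "*.tgz" | xargs rm -f` passes names through xargs without `-print0`/`-0`; `find node_modules \( -name package-lock.json -o -name "*.tgz" \) -delete` removes the quoting hazard and makes the grouping explicit. Whether the script runs under `set -e` is outside the hunk; if it does not, a failed `npm publish` presumably still falls through to the cleanup and the script's exit status would be that of the last command rather than of the publish.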
@@ -37,3 +37,15 @@ env_vars: {
 key: "TRAMPOLINE_BUILD_FILE"
 value: "github/{{ metadata['repository_name'] }}/.kokoro/publish.sh"
 }
+
+# Store the packages we uploaded to npmjs.org and their corresponding
+# package-lock.jsons in Placer. That way, we have a record of exactly
+# what we published, and which version of which tools we used to publish
+# it, which we can use to generate SBOMs and attestations.
+action {
+ define_artifacts {
+ regex: "github/**/*.tgz"
+ regex: "github/**/package-lock.json"
+ strip_prefix: "github"
+ }
+}
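Review bot: The artifact regexes `github/**/*.tgz` and `github/**/package-lock.json` match every such file under the checkout, so the "record of exactly what we published" is only accurate if the cleanup in `.kokoro/publish.sh` ran to completion; the comment should state that coupling, e.g. `# Relies on .kokoro/publish.sh removing *.tgz and package-lock.json under node_modules before the build ends.` Any tarball or lockfile elsewhere in the tree (a vendored .tgz, a lockfile in a subdirectory) is also archived and attributed to the release, so it is worth saying in the comment that the patterns are intentionally broad, or narrowing them if the package's own tarball name is predictable. The comment also says "uploaded to npmjs.org" while publish.sh pushes through the wombat-dressing-room registry; naming the actual registry avoids confusion when the attestation is reviewed.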