chore(ci): npm-publish via reusable workflows#75
aeaa8de to c8689b6
5ff0a3c to ee4ddf0
UlisesGascon
left a comment
I am happy with the idea, just let's remove all the npm install and run scripts as they are not critical for the publication step 👍
| audit: | ||
| name: Audit production dependencies | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: "lts/*" | ||
|
|
||
| - name: Audit production dependencies | ||
| run: npm audit --omit=dev | ||
|
|
||
| lint: | ||
| name: Lint | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: "lts/*" | ||
|
|
||
| - name: Install dependencies | ||
| run: npm install --ignore-scripts --include=dev | ||
|
|
||
| - name: Run lint | ||
| run: node --run lint | ||
|
|
||
| test: | ||
| name: Test | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | ||
| with: | ||
| persist-credentials: false | ||
|
|
||
| - name: Setup Node.js | ||
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | ||
| with: | ||
| node-version: "lts/*" | ||
|
|
||
| - name: Install dependencies | ||
| run: npm install | ||
|
|
||
| - name: Run tests | ||
| run: npm test |
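Review bot: the `test` job installs with a bare `npm install` (no `--ignore-scripts`), unlike the `lint` job's `npm install --ignore-scripts --include=dev`, so every lifecycle script of every dependency executes on the runner before `npm test`; if the job stays, use the same `--ignore-scripts` form, and if it is dropped as the comment above proposes, the point is moot. Separately, `persist-credentials: false` on each `actions/checkout` step is the right choice for a publish workflow, since none of these jobs pushes back to the repository.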
| audit: | |
| name: Audit production dependencies | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Node.js | |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: "lts/*" | |
| - name: Audit production dependencies | |
| run: npm audit --omit=dev | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Node.js | |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: "lts/*" | |
| - name: Install dependencies | |
| run: npm install --ignore-scripts --include=dev | |
| - name: Run lint | |
| run: node --run lint | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Node.js | |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: "lts/*" | |
| - name: Install dependencies | |
| run: npm install | |
| - name: Run tests | |
| run: npm test |
To be honest, when I publish locally I don't run scripts or install dependencies (unless it is a strict requirement like a build process for TypeScript, etc...). By avoiding that also in the CI we reduce noise and attack surface. We can assume that once a release is created in the repo the source code is stable to ship.
Also, auditing dependencies is not that relevant at this stage, as we don't ship the lockfile, so that audit report won't be idempotent.
There are pros and cons here. On my side, having the publish job separate and not using any specific install would prevent any issues while still ensuring that something is not breaking. wdyt?
| - name: Install dependencies | ||
| run: npm install --ignore-scripts |
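Review bot: `--ignore-scripts` on this install only covers the install; the publish step's own lifecycle hooks (`prepublishOnly`, `prepack`, `prepare`, `postpack`, `publish`, `postpublish`) still run from `package.json` unless `npm publish` is also invoked with `--ignore-scripts`. If this install step is removed as suggested, confirm that none of those hooks needs `node_modules`, otherwise the publish fails late in the job.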
| - name: Install dependencies | |
| run: npm install --ignore-scripts |
We can skip this :)
| allow-git=none | ||
| allow-directory=none | ||
|
|
||
| min-release-age=2 |
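Review bot: `min-release-age` only takes effect when npm resolves versions during an install, so if the install step is dropped as discussed above the setting is inert for the publish job itself and its value matters mostly for local and CI installs that share this `.npmrc`. Also check that the npm bundled with `lts/*` recognizes `min-release-age`, `allow-git` and `allow-directory`: an npm that predates a key only warns about an unknown config and proceeds, so the gate would silently not apply.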
| min-release-age=2 | |
| min-release-age=7 |
I will go for a week; if something is really urgent or critical we will notice and can always manually upgrade. Given the volume of recent supply chain attacks, maybe 2d won't be sustainable long term (especially over large holiday periods). One week seems solid IMO.
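As an added illustration of what the `min-release-age` gate in the `.npmrc` above does (example code written for this review, not part of the PR or of npm itself), this models the resolution rule over a constructed registry packument: a version is eligible only if its publish timestamp is at least N days old, and the newest eligible version wins. Assumed simplifications: a three-part numeric semver compare, no prerelease or `dist-tags` handling.

```javascript
// Added example (not from the PR or from npm): models the `min-release-age`
// gate over a registry packument's `time` map (version -> ISO publish time).
// Assumption: plain x.y.z versions, compared numerically; prereleases and
// dist-tags are ignored to keep the example self-contained.

const DAY_MS = 24 * 60 * 60 * 1000;

// Numeric semver compare on major.minor.patch (assumed sufficient here).
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Versions published at least `minDays` before `now`, ascending.
function eligibleVersions(packument, minDays, now) {
  const cutoff = now.getTime() - minDays * DAY_MS;
  return Object.entries(packument.time)
    .filter(([key]) => key !== 'created' && key !== 'modified') // non-version keys
    .filter(([, iso]) => Date.parse(iso) <= cutoff)
    .map(([version]) => version)
    .sort(compareSemver);
}

// Newest eligible version, or null if every version is too fresh.
function resolveLatest(packument, minDays, now) {
  const ok = eligibleVersions(packument, minDays, now);
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed sample: 1.2.0 is the newest release but only one day old.
const samplePackument = {
  name: 'example-pkg',
  time: {
    created: '2025-01-01T00:00:00.000Z',
    modified: '2025-03-09T00:00:00.000Z',
    '1.0.0': '2025-01-01T00:00:00.000Z',
    '1.1.0': '2025-02-20T00:00:00.000Z',
    '1.2.0': '2025-03-09T00:00:00.000Z',
  },
};
const sampleNow = new Date('2025-03-10T00:00:00.000Z');

console.log('min-release-age=2 ->', resolveLatest(samplePackument, 2, sampleNow)); // 1.1.0
console.log('min-release-age=7 ->', resolveLatest(samplePackument, 7, sampleNow)); // 1.1.0
```

With either value the one-day-old 1.2.0 is held back and 1.1.0 is selected; the difference between 2 and 7 days is how long a freshly published (possibly compromised) version stays out of reach.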
Publish workflow based on the new staged publish - with additional security from npmrc