Skip to content

Latest commit

 

History

History
68 lines (57 loc) · 4.61 KB

README.md

File metadata and controls

68 lines (57 loc) · 4.61 KB

publish

The actions/nodejs/publish action provides a way to publish a Node.js package tarball and attestations generated by the Node.js builder to the official npm registy.

Example

Here is an example of building a Node.js package with the Node.js builder and publishing it using the publish action.

jobs:
  build:
    permissions:
      id-token: write
      contents: read
      actions: read
    if: startsWith(github.ref, 'refs/tags/')
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@v2.0.0
    with:
      run-scripts: "ci, build"

  publish:
    needs: [build]
    runs-on: ubuntu-latest
    steps:
      - name: Set up Node registry authentication
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
        with:
          # Use the official npm registry.
          registry-url: "https://registry.npmjs.org"

      - name: publish
        id: publish
        uses: slsa-framework/slsa-github-generator/actions/nodejs/publish@v2.0.0
        with:
          access: public
          node-auth-token: ${{ secrets.NPM_TOKEN }}
          package-name: ${{ needs.build.outputs.package-name }}
          package-download-name: ${{ needs.build.outputs.package-download-name }}
          package-download-sha256: ${{ needs.build.outputs.package-download-sha256 }}
          provenance-name: ${{ needs.build.outputs.provenance-name }}
          provenance-download-name: ${{ needs.build.outputs.provenance-download-name }}
          provenance-download-sha256: ${{ needs.build.outputs.provenance-download-sha256 }}

This will publish the tarball and provenance created built by the Node.js builder to the official registry.

Inputs

Name Required Default Description
access no 'restricted' for scoped packages, 'public' for unscoped packages The package access level. See npm help access for more information.
dist-tag no "latest" The package dist-tag to attach. See npm help dist-tag for more information.
node-auth-token yes The npm registry auth token used to publish the package. See About access tokens for more information.
package-name yes The file name for the package tarball in the artifact.
package-download-name yes The GitHub Actions artifact name for the package tarball.
package-download-sha256 yes The sha256 of the package tarball artifact.
provenance-name yes The file name for the package provenance in the artifact.
provenance-download-name yes The GitHub Actions artifact name for the package provenance.
provenance-download-sha256 yes The sha256 of the package provenance artifact.

Outputs

There are no outputs.