kaitai_struct_javascript_runtime/.github/workflows/publish.yml at master · kaitai-io/kaitai_struct_javascript_runtime · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
name: Publish to npm

on:
  push:
    tags:
      - 'v0.[0-9]+.[0-9]+-SNAPSHOT.[0-9]+'
      - 'v0.[0-9]+.[0-9]+'

permissions: {}

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      tarball-artifact-id: ${{ steps.upload-tarball.outputs.artifact-id }}
    steps:
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          persist-credentials: false
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          package-manager-cache: false  # IMPORTANT: prevents potential [cache poisoning](https://docs.zizmor.sh/audits/#cache-poisoning) attacks
          node-version: '24'
      - run: npm ci
      - name: Pack the package into a tarball
        run: |
          mkdir -vp pkg-outdir
          npm pack --pack-destination pkg-outdir --json | tee pkg-outdir/npm-pack-output.json
      - name: Check that KaitaiStream.js is included
        run: |
          jq --exit-status '.[0].files | map(.path) | any(. == "KaitaiStream.js")' pkg-outdir/npm-pack-output.json
      - name: Upload the package tarball as artifact
        id: upload-tarball
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
        with:
          path: pkg-outdir/*.tgz
          archive: false
          if-no-files-found: error

  publish:
    name: Publish
    runs-on: ubuntu-latest
    needs:
      - build
    environment:
      name: npm
      url: https://www.npmjs.com/package/kaitai-struct
    permissions:
      id-token: write  # Required for OIDC (see https://docs.npmjs.com/trusted-publishers)
    steps:
      - name: Download the package tarball
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          artifact-ids: ${{ needs.build.outputs.tarball-artifact-id }}
          path: pkg-outdir/
      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
        with:
          package-manager-cache: false  # IMPORTANT: prevents potential [cache poisoning](https://docs.zizmor.sh/audits/#cache-poisoning) attacks
          node-version: '24'
          registry-url: 'https://registry.npmjs.org'
      - name: Select dist-tag
        id: select-tag
        run: |
          GIT_TAG=${GITHUB_REF#refs/tags/}
          if [[ "$GIT_TAG" == v0.+([0-9]).+([0-9])-SNAPSHOT.+([0-9]) ]]; then
            DIST_TAG=next
          elif [[ "$GIT_TAG" == v0.+([0-9]).+([0-9]) ]]; then
            DIST_TAG=latest
          else
            echo "Error: the tag name '$GIT_TAG' does not match any of the patterns"
            exit 1
          fi
          echo "dist-tag=$DIST_TAG" >> "$GITHUB_OUTPUT"
      - name: Verify that the tag name matches the version
        env:
          DIST_TAG: ${{ steps.select-tag.outputs.dist-tag }}
        run: |
          GIT_TAG=${GITHUB_REF#refs/tags/}
          VERSION_FROM_TAG=${GIT_TAG#v}
          NPM_OUTPUT=$(npm publish ./pkg-outdir/*.tgz --tag "$DIST_TAG" --dry-run)
          printf '%s\n' "$NPM_OUTPUT"
          if [[ "$NPM_OUTPUT" != "+ kaitai-struct@${VERSION_FROM_TAG}" ]]; then
            echo "Error: the tag name '$GIT_TAG' does not match npm output '$NPM_OUTPUT'"
            exit 1
          fi
      - name: Publish to npm
        env:
          DIST_TAG: ${{ steps.select-tag.outputs.dist-tag }}
        run: npm publish ./pkg-outdir/*.tgz --tag "$DIST_TAG" --json