chore: slsa publishing flow for npm #34

Merged
merged 14 commits into from
Mar 19, 2024

sgammon
Member

@sgammon sgammon commented Mar 18, 2024

Summary

Adds SLSA publishing for the NPM libraries, with two reusable publishing flows: one for a single library, and one to publish all libraries. Both can be triggered from other workflows or from the GitHub repo UI. There is also a new release flow which triggers a production release of the libraries when a GitHub release is created.

Changelog

  • chore: slsa publishing flow for npm
  • chore: build fixes, buildbuddy, faster bazel builds
  • fix: file structure for js packages

Signed-off-by: Sam Gammon <sam@elide.ventures>
@sgammon sgammon added enhancement New feature or request ✋ embargoed Waiting for further action labels Mar 18, 2024
@sgammon sgammon self-assigned this Mar 18, 2024

codecov bot commented Mar 18, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 62.70%. Comparing base (915930b) to head (12474bc).

@@             Coverage Diff             @@
##             main      #34       +/-   ##
===========================================
+ Coverage   44.80%   62.70%   +17.89%     
===========================================
  Files          10       16        +6     
  Lines        1636     2429      +793     
  Branches       55       86       +31     
===========================================
+ Hits          733     1523      +790     
- Misses        903      906        +3     
Flag Coverage Δ
packages 62.70% <100.00%> (?)

Files Coverage Δ
packages/gradle/gradle-constants.ts 100.00% <ø> (ø)
packages/gradle/gradle-facade.ts 98.70% <100.00%> (ø)
packages/gradle/gradle-model.ts 100.00% <ø> (ø)
packages/gradle/gradle-schema.ts 100.00% <100.00%> (ø)
packages/gradle/gradle-util.ts 100.00% <100.00%> (ø)
packages/maven/maven-model.ts 99.62% <ø> (ø)
packages/maven/maven-parser.ts 99.02% <ø> (ø)

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update 915930b...12474bc.

@sgammon sgammon force-pushed the feat/publishing-flow-slsa branch 6 times, most recently from 3f76d81 to 888c8fe Compare March 18, 2024 23:30
Signed-off-by: Sam Gammon <sam@elide.ventures>
@sgammon sgammon force-pushed the feat/publishing-flow-slsa branch 2 times, most recently from fea640f to 187537f Compare March 19, 2024 00:11
Signed-off-by: Sam Gammon <sam@elide.ventures>
@sgammon sgammon force-pushed the feat/publishing-flow-slsa branch from 187537f to c31d86d Compare March 19, 2024 00:12
sgammon added 2 commits March 18, 2024 17:17
Signed-off-by: Sam Gammon <sam@elide.ventures>
Signed-off-by: Sam Gammon <sam@elide.ventures>
@sgammon sgammon force-pushed the feat/publishing-flow-slsa branch from 133b6d1 to b606251 Compare March 19, 2024 00:23
Signed-off-by: Sam Gammon <sam@elide.ventures>
@sgammon sgammon force-pushed the feat/publishing-flow-slsa branch from b606251 to 12474bc Compare March 19, 2024 00:26
@sgammon sgammon removed the ✋ embargoed Waiting for further action label Mar 19, 2024
Signed-off-by: Sam Gammon <sam@elide.ventures>
@sgammon sgammon force-pushed the feat/publishing-flow-slsa branch from ec399dd to 62016a2 Compare March 19, 2024 00:50
dependabot bot added 4 commits March 18, 2024 17:51
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.28 to 20.11.29.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/deploy-pages](https://github.com/actions/deploy-pages) from 4.0.4 to 4.0.5.
- [Release notes](https://github.com/actions/deploy-pages/releases)
- [Commits](actions/deploy-pages@decdde0...d6db901)

---
updated-dependencies:
- dependency-name: actions/deploy-pages
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.1.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v3.6.0...9bb5618)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Bumps [ruby/setup-ruby](https://github.com/ruby/setup-ruby) from 1.161.0 to 1.172.0.
- [Release notes](https://github.com/ruby/setup-ruby/releases)
- [Commits](ruby/setup-ruby@8575951...d4526a5)

---
updated-dependencies:
- dependency-name: ruby/setup-ruby
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Sam Gammon <sam@elide.ventures>

socket-security bot commented Mar 19, 2024

Removed dependencies detected.

🚮 Removed packages: npm/@types/node@20.11.28

sgammon added 2 commits March 18, 2024 17:56
Signed-off-by: Sam Gammon <sam@elide.ventures>
Signed-off-by: Sam Gammon <sam@elide.ventures>
@sgammon sgammon merged commit 162f120 into main Mar 19, 2024
24 of 28 checks passed
@sgammon sgammon deleted the feat/publishing-flow-slsa branch March 19, 2024 01:03