From 45765c31e05857310c3e2a0a7d0a31210595c5f0 Mon Sep 17 00:00:00 2001
From: Aviv Keller
Date: Mon, 26 May 2025 12:37:27 -0400
Subject: [PATCH 1/7] chore(publish): test publishing
Signed-off-by: Aviv Keller
---
.github/workflows/publish-packages.yml | 48 +++++++++++++-------------
1 file changed, 24 insertions(+), 24 deletions(-)
diff --git a/.github/workflows/publish-packages.yml b/.github/workflows/publish-packages.yml
index d16686d63d995..703ac03e54121 100644
--- a/.github/workflows/publish-packages.yml
+++ b/.github/workflows/publish-packages.yml
@@ -41,29 +41,29 @@ jobs: with: egress-policy: audit - - name: Verify commit authenticity - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: | - # Get commit data from GitHub API to verify its authenticity - COMMIT_DATA=$(gh api repos/${{ github.repository }}/commits/$COMMIT_SHA) - # Check if commit signature is verified (GPG signed) - VERIFIED=$(echo "$COMMIT_DATA" | jq -r '.commit.verification.verified') - # Check if commit was made through GitHub's web interface (merge queue) - COMMITTER=$(echo "$COMMIT_DATA" | jq -r '.commit.committer.email') - - # Security checks to ensure we only publish from verified and trusted sources - if [[ "$VERIFIED" != "true" ]]; then - echo "❌ Unverified commit! Aborting." - exit 1 - fi - - if [[ "$COMMITTER" != "noreply@github.com" ]]; then - echo "❌ Not merged with the merge queue! Aborting." - exit 1 - fi - - echo "✅ Commit is verified and trusted." + # - name: Verify commit authenticity + # env: + # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + # run: | + # # Get commit data from GitHub API to verify its authenticity + # COMMIT_DATA=$(gh api repos/${{ github.repository }}/commits/$COMMIT_SHA) + # # Check if commit signature is verified (GPG signed) + # VERIFIED=$(echo "$COMMIT_DATA" | jq -r '.commit.verification.verified') + # # Check if commit was made through GitHub's web interface (merge queue) + # COMMITTER=$(echo "$COMMIT_DATA" | jq -r '.commit.committer.email') + + # # Security checks to ensure we only publish from verified and trusted sources + # if [[ "$VERIFIED" != "true" ]]; then + # echo "❌ Unverified commit! Aborting." + # exit 1 + # fi + + # if [[ "$COMMITTER" != "noreply@github.com" ]]; then + # echo "❌ Not merged with the merge queue! Aborting." + # exit 1 + # fi + + # echo "✅ Commit is verified and trusted." - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 
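Review bot: Commenting out the "Verify commit authenticity" step leaves this job with no check that the commit being published is signed and was created through GitHub before the later Publish step uses `secrets.NPM_TOKEN`, so this commit must not be the state that lands on the branch. [PATCH 5/7] in the same series restores the step verbatim, which means the two should be squashed so that no revision in history has the publish path ungated. If a temporary bypass is genuinely needed while testing the publish flow, keep the step in place and make the bypass an explicit, reviewable condition on the step rather than a block of `#` lines that is easy to forget. The step still references `COMMIT_SHA`, which is defined outside this hunk.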
@@ -132,7 +132,7 @@ jobs: # This ensures we can publish multiple times from the same codebase with unique versions npm version --no-git-tag-version 0.0.0-$COMMIT_SHA # Publish the package to the npm registry with public access flag - pnpm publish --access public + pnpm publish --access public --no-git-checks - name: Notify on Manual Release if: ${{ github.event_name == 'workflow_dispatch' }} From e0ad12a2b25b43d09b1fcdc1a185efb99360a5b2 Mon Sep 17 00:00:00 2001 From: avivkeller Date: Mon, 26 May 2025 12:40:53 -0400 Subject: [PATCH 2/7] testing --- .github/workflows/publish-packages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-packages.yml b/.github/workflows/publish-packages.yml index 703ac03e54121..9ca1e6d02ddfe 100644 --- a/.github/workflows/publish-packages.yml +++ b/.github/workflows/publish-packages.yml @@ -130,7 +130,7 @@ jobs: run: | # Create a unique version using the commit SHA as a prerelease identifier # This ensures we can publish multiple times from the same codebase with unique versions - npm version --no-git-tag-version 0.0.0-$COMMIT_SHA + npm version --no-git-tag-version 1.0.0-$COMMIT_SHA # Publish the package to the npm registry with public access flag pnpm publish --access public --no-git-checks From 1bd9d355cc69f05238c122ce8c6c8807019a5424 Mon Sep 17 00:00:00 2001 From: avivkeller Date: Mon, 26 May 2025 12:44:43 -0400 Subject: [PATCH 3/7] testing --- .github/workflows/publish-packages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-packages.yml b/.github/workflows/publish-packages.yml index 9ca1e6d02ddfe..71baec45d8fa4 100644 --- a/.github/workflows/publish-packages.yml +++ b/.github/workflows/publish-packages.yml 
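Review bot: The comment above the publish command still reads "with public access flag" while the command now also passes `--no-git-checks`; the flag is there because the preceding `npm version --no-git-tag-version` leaves the working tree dirty, which pnpm would otherwise refuse to publish from, and that reason belongs next to the flag: `# Publish with public access; --no-git-checks is needed because the version bump above dirties the working tree`. Separately, `pnpm publish` with no `--tag` appears to assign the default `latest` dist-tag even though the version being published is a prerelease (`0.0.0-$COMMIT_SHA`), so unless the tag is set elsewhere in the workflow, consumers installing the package without a version would get this test build; passing an explicit `--tag` for these SHA-suffixed publishes avoids that.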
@@ -130,7 +130,7 @@ jobs: run: | # Create a unique version using the commit SHA as a prerelease identifier # This ensures we can publish multiple times from the same codebase with unique versions - npm version --no-git-tag-version 1.0.0-$COMMIT_SHA + npm version --no-git-tag-version 1.0.1-$COMMIT_SHA # Publish the package to the npm registry with public access flag pnpm publish --access public --no-git-checks From f948ce8a25da149fc61135f90a43e189c4909f5d Mon Sep 17 00:00:00 2001 From: avivkeller Date: Mon, 26 May 2025 12:47:43 -0400 Subject: [PATCH 4/7] testing --- .github/workflows/publish-packages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-packages.yml b/.github/workflows/publish-packages.yml index 71baec45d8fa4..5165d92fd5c1f 100644 --- a/.github/workflows/publish-packages.yml +++ b/.github/workflows/publish-packages.yml @@ -126,7 +126,7 @@ jobs: - name: Publish working-directory: packages/${{ matrix.package }} env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} run: | # Create a unique version using the commit SHA as a prerelease identifier # This ensures we can publish multiple times from the same codebase with unique versions From fbc0baeb2751cdd9f12b80ad5a642706846731e7 Mon Sep 17 00:00:00 2001 From: avivkeller Date: Mon, 26 May 2025 12:49:17 -0400 Subject: [PATCH 5/7] fixup --- .github/workflows/publish-packages.yml | 46 +++++++++++++------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/.github/workflows/publish-packages.yml b/.github/workflows/publish-packages.yml index 5165d92fd5c1f..b2276f3d6f526 100644 --- a/.github/workflows/publish-packages.yml +++ b/.github/workflows/publish-packages.yml 
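Review bot: Renaming the env var to `NODE_AUTH_TOKEN` only authenticates the publish if an earlier step wrote an `.npmrc` whose auth entry reads that variable (presumably `actions/setup-node` with `registry-url`); that step is outside this hunk, so confirm it is present, otherwise the publish fails with an auth error rather than falling back to anything. Making the dependency visible on the line itself would save the next reader the search: `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # read by the .npmrc written by the setup-node step`. The enclosing Publish step continues past the end of this hunk.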
@@ -41,29 +41,29 @@ jobs: with: egress-policy: audit - # - name: Verify commit authenticity - # env: - # GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - # run: | - # # Get commit data from GitHub API to verify its authenticity - # COMMIT_DATA=$(gh api repos/${{ github.repository }}/commits/$COMMIT_SHA) - # # Check if commit signature is verified (GPG signed) - # VERIFIED=$(echo "$COMMIT_DATA" | jq -r '.commit.verification.verified') - # # Check if commit was made through GitHub's web interface (merge queue) - # COMMITTER=$(echo "$COMMIT_DATA" | jq -r '.commit.committer.email') - - # # Security checks to ensure we only publish from verified and trusted sources - # if [[ "$VERIFIED" != "true" ]]; then - # echo "❌ Unverified commit! Aborting." - # exit 1 - # fi - - # if [[ "$COMMITTER" != "noreply@github.com" ]]; then - # echo "❌ Not merged with the merge queue! Aborting." - # exit 1 - # fi - - # echo "✅ Commit is verified and trusted." + - name: Verify commit authenticity + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + # Get commit data from GitHub API to verify its authenticity + COMMIT_DATA=$(gh api repos/${{ github.repository }}/commits/$COMMIT_SHA) + # Check if commit signature is verified (GPG signed) + VERIFIED=$(echo "$COMMIT_DATA" | jq -r '.commit.verification.verified') + # Check if commit was made through GitHub's web interface (merge queue) + COMMITTER=$(echo "$COMMIT_DATA" | jq -r '.commit.committer.email') + + # Security checks to ensure we only publish from verified and trusted sources + if [[ "$VERIFIED" != "true" ]]; then + echo "❌ Unverified commit! Aborting." + exit 1 + fi + + if [[ "$COMMITTER" != "noreply@github.com" ]]; then + echo "❌ Not merged with the merge queue! Aborting." + exit 1 + fi + + echo "✅ Commit is verified and trusted." - name: Checkout repository uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 From 0ddc9d71af87c038feb00c34b8374f3f93b55355 Mon Sep 17 00:00:00 2001 
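Review bot: The restored step's second check accepts any commit whose committer is `noreply@github.com`, which is true of every commit GitHub itself creates (merge-queue merges, but also web-UI edits and merges performed through the UI), so the message "Not merged with the merge queue!" claims more than the check establishes; the comment above it already says "web interface", and the echo should match it, e.g. `echo "❌ Commit was not created by GitHub (merge queue / web UI)! Aborting."`. Adding `set -euo pipefail` as the first line of the script would make a failed `gh api` call abort with its own error instead of surfacing as "Unverified commit", since an empty response leaves `VERIFIED` empty and the check fails closed for the wrong reason. `COMMIT_SHA` is set outside this hunk, so the step's correctness also depends on that definition not being empty.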
From: avivkeller Date: Mon, 26 May 2025 12:50:43 -0400 Subject: [PATCH 6/7] fixup! --- .github/workflows/publish-packages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-packages.yml b/.github/workflows/publish-packages.yml index b2276f3d6f526..c4b85422dacae 100644 --- a/.github/workflows/publish-packages.yml +++ b/.github/workflows/publish-packages.yml @@ -142,7 +142,7 @@ jobs: SLACK_ICON: https://github.com/nodejs.png?size=48 SLACK_TITLE: ':rocket: Package Published: ${{ matrix.package }}' SLACK_MESSAGE: | - :package: *Package*: `${{ matrix.package }}` () + :package: *Package*: `${{ matrix.package }}` () :bust_in_silhouette: *Published by*: ${{ github.triggering_actor }} :octocat: *Commit*: SLACK_USERNAME: nodejs-bot From 091dd21f46b435607197a74a6f778268269e0340 Mon Sep 17 00:00:00 2001 From: avivkeller Date: Mon, 26 May 2025 12:52:35 -0400 Subject: [PATCH 7/7] fixup! --- .github/workflows/publish-packages.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish-packages.yml b/.github/workflows/publish-packages.yml index c4b85422dacae..1ec60e60c6af9 100644 --- a/.github/workflows/publish-packages.yml +++ b/.github/workflows/publish-packages.yml @@ -142,7 +142,7 @@ jobs: SLACK_ICON: https://github.com/nodejs.png?size=48 SLACK_TITLE: ':rocket: Package Published: ${{ matrix.package }}' SLACK_MESSAGE: | - :package: *Package*: `${{ matrix.package }}` () + :package: *Package*: `${{ matrix.package }}` () :bust_in_silhouette: *Published by*: ${{ github.triggering_actor }} :octocat: *Commit*: SLACK_USERNAME: nodejs-bot