
build: reset version #13

Workflow file for this run

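# Triggered by: python scripts/release.py --push
# (tags vX.Y.Z and pushes, which triggers this workflow)
#
# Release pipeline: build and test, confirm the committed dist/ matches the
# build, sign dist/index.js with the auths CLI, verify the attestation with
# this repository's own action, publish a GitHub Release, then move the
# floating major tag (e.g. v1) to the new release.
name: Release

on:
  push:
    tags:
      - 'v*.*.*'

# contents: write is required by the release-creation step and by the final
# tag push. It applies to every step in the job, including third-party actions.
permissions:
  contents: write

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): the actions below are referenced by mutable major tags.
      # In a job that holds contents: write and a signing secret, pinning each
      # `uses:` to a full commit SHA keeps a retagged action from running here.
      #
      # checkout keeps its credential in the local git config by default; the
      # final "Update floating major tag" step relies on that to push.
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      # NOTE(review): a restored dependency cache is an input to a build whose
      # output gets signed. The dist/ diff check below limits the impact, but
      # consider disabling the cache for release builds.
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          cache: npm

      - run: npm ci
      - run: npm test
      - run: npm run build

      # Fails the release if the committed dist/ differs from a fresh build
      # (source-map declaration files excluded), so the signed artifact is the
      # one reviewers saw in the repository.
      - name: Check dist is up to date
        run: git diff --exit-code -- dist/ ':!dist/**/*.d.ts.map'

      # --- Artifact signing (mirrors auths/auths release workflow) ---
      # NOTE(review): this installs whatever the "latest" release currently is,
      # as root-owned /usr/local/bin/auths, with no checksum or signature check.
      # That binary later handles the signing key. Pin a specific release and
      # compare the download against a digest recorded in this repository.
      - name: Install auths CLI
        run: |
          # -f: fail on HTTP errors instead of piping an error page into tar;
          # pipefail: surface a failed download even though tar is last.
          set -euo pipefail
          mkdir -p /tmp/auths-install
          curl -fsSL \
            https://github.com/auths-dev/auths/releases/latest/download/auths-linux-x86_64.tar.gz \
            | tar xz -C /tmp/auths-install
          sudo cp /tmp/auths-install/auths /usr/local/bin/auths
          rm -rf /tmp/auths-install

      # Signing is deliberately best-effort: a missing token or an unusable
      # identity repo produces a warning and the release continues UNSIGNED.
      # NOTE(review): if every release is expected to carry an attestation,
      # turn these early exits into failures.
      - name: Sign dist/index.js
        env:
          AUTHS_CI_TOKEN: ${{ secrets.AUTHS_CI_TOKEN }}
          AUTHS_KEYCHAIN_BACKEND: file
          AUTHS_KEYCHAIN_FILE: /tmp/auths-ci-keychain
        run: |
          # pipefail: a jq/base64 failure on a malformed token stops the step
          # instead of leaving an empty keychain or bundle behind.
          set -euo pipefail
          # Key material written below must not be readable by other users.
          umask 077
          if [ -z "$AUTHS_CI_TOKEN" ]; then
            echo "::warning::Skipping artifact signing: AUTHS_CI_TOKEN not set (run 'auths ci setup' to configure)"
            exit 0
          fi
          # Extract fields from the single CI token
          AUTHS_PASSPHRASE=$(echo "$AUTHS_CI_TOKEN" | jq -r '.passphrase')
          # The passphrase is derived from the secret, so GitHub does not mask
          # it automatically; register it before anything can log it.
          echo "::add-mask::$AUTHS_PASSPHRASE"
          export AUTHS_PASSPHRASE
          echo "$AUTHS_CI_TOKEN" | jq -r '.keychain' | base64 -d > /tmp/auths-ci-keychain
          mkdir -p /tmp/auths-identity
          echo "$AUTHS_CI_TOKEN" | jq -r '.identity_repo' | base64 -d | tar -xz -C /tmp/auths-identity
          if ! git -C /tmp/auths-identity rev-parse --git-dir > /dev/null 2>&1; then
            echo "::warning::Skipping artifact signing: identity repo in AUTHS_CI_TOKEN is not a valid git repository"
            exit 0
          fi
          auths artifact sign dist/index.js \
            --device-key ci-release-device \
            --note "GitHub Actions release — ${GITHUB_REF_NAME}" \
            --repo /tmp/auths-identity
          echo "Signed dist/index.js → dist/index.js.auths.json"
          # Write verify bundle for next step
          echo "$AUTHS_CI_TOKEN" | jq -r '.verify_bundle' > /tmp/auths-verify-bundle.json

      # --- Verify the artifact we just signed (dogfood) ---
      # Runs only when the signing step produced an attestation file. The
      # verify bundle comes from the same secret as the signing key, so this
      # checks the signing round-trip rather than an independent trust root.
      - name: Verify dist/index.js attestation
        if: hashFiles('dist/index.js.auths.json') != ''
        uses: ./
        with:
          token: /tmp/auths-verify-bundle.json
          files: 'dist/index.js'
          fail-on-unattested: true
          fail-on-unsigned: false

      # The checksum file is published through the same channel as the
      # artifacts, so it detects corruption, not tampering; authenticity comes
      # from the attestation.
      - name: Generate SHA256 checksums
        run: |
          cd dist
          sha256sum index.js > index.js.sha256
          if [ -f index.js.auths.json ]; then
            sha256sum index.js.auths.json >> index.js.sha256
          fi
          cat index.js.sha256

      # When signing was skipped, dist/index.js.auths.json does not exist and
      # the release is still published without it. The action's
      # fail_on_unmatched_files input can turn that into a failure if desired.
      #
      # Keep the backslash in `$\{{` inside the body: without it the runner
      # would evaluate the expression and write the real secret value into the
      # public release notes.
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          generate_release_notes: true
          make_latest: true
          files: |
            dist/index.js.auths.json
            dist/index.js.sha256
          body: |
            ## Auths Verify GitHub Action
            Verify commit signatures and artifact attestations in your CI pipeline using [Auths](https://github.com/auths-dev/auths) identity keys.
            ### Usage
            ```yaml
            - uses: auths-dev/verify@v1
              with:
                token: '.auths/allowed_signers'
            ```
            **New: Artifact verification**
            ```yaml
            - uses: auths-dev/verify@v1
              with:
                token: $\{{ secrets.AUTHS_CI_TOKEN }}
                files: 'dist/*.tar.gz'
            ```
            See the [README](https://github.com/auths-dev/verify#readme) for full configuration options.

      # Consumers who reference the action by its major tag pick up whatever
      # this tag points to, so it is moved only for plain vX.Y.Z release tags.
      - name: Update floating major tag
        run: |
          set -euo pipefail
          TAG="${GITHUB_REF_NAME}"
          # The trigger glob 'v*.*.*' also matches pre-release or malformed
          # tags (anything with a leading v and two dots); do not let those
          # move the tag that users track.
          if [[ ! "$TAG" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "::warning::Not moving floating major tag: '$TAG' is not a plain vX.Y.Z release tag"
            exit 0
          fi
          MAJOR="${TAG%%.*}"
          git tag -f "$MAJOR" "$TAG"
          # Fully qualified ref so the forced push can only ever hit the tag,
          # never a branch that happens to share the name.
          git push origin "refs/tags/$MAJOR" --force

      # Runs even when an earlier step failed, so the decrypted keychain,
      # identity repo and verify bundle never outlive the job.
      - name: Remove signing material
        if: always()
        run: rm -rf /tmp/auths-ci-keychain /tmp/auths-identity /tmp/auths-verify-bundle.json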