.github/workflows/publish.yml

name: publish

on:
  push:
    tags:
      - 'v*.*.*'
  workflow_dispatch: {}


# Declare default permissions as read only.
permissions: read-all

jobs:
  provenance:
    permissions:
      id-token: write
      contents: read
      actions: read
    if: |
      (github.event_name == 'workflow_dispatch' && startsWith(github.ref, 'refs/tags/v')) ||
      (startsWith(github.ref, 'refs/tags/v') && !contains(github.ref, '-rc.'))
    # Deterministic Build & tests
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@v1.6.0
    with:
      run-scripts: "install-deps, style, nx-build-skip-cache, nx-test-skip-cache, skip-lib-ignore"
      node-version: "16.20.0"

  publish:
    needs: provenance
    runs-on: ubuntu-22.04
    permissions:
      contents: write
      checks: write
      id-token: write # For signing
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@128a63446a954579617e875aaab7d2978154e969 # v2.4.0
        with:
          egress-policy: audit

      - name: Use node@16
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
        with:
          node-version: 16.20.0

      - name: Create temp dir
        id: temp-dir
        run: |
          set -euo pipefail

          temp_dir=$(mktemp -d)
          echo "path=${temp_dir}" >>"${GITHUB_OUTPUT}"

      - name: Download tarball
        uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@934435652996c02a6317092984312602dfaf2a21 # main
        with:
          name: ${{ needs.provenance.outputs.package-download-name }}
          path: "${{ steps.temp-dir.outputs.path }}/${{ needs.provenance.outputs.package-name }}"
          sha256: ${{ needs.provenance.outputs.package-download-sha256 }}

      - name: Download provenance
        uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@0779f7bec68e2bf54a7b0a32bf4763f25ab29702 # v1.6.0
        with:
          name: ${{ needs.provenance.outputs.provenance-download-name }}
          path: "${{ steps.temp-dir.outputs.path }}"
          sha256: ${{ needs.provenance.outputs.provenance-download-sha256 }}

      - name: Authenticate NPM
        run: |
          echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
          echo "@openzeppelin:registry https://registry.npmjs.org" >> ~/.npmrc
          echo "provenance=true" >> ~/.npmrc

      - name: Unpack the zipped artifact
        run: |
          set -euo pipefail

          cd "${{ steps.temp-dir.outputs.path }}"
          tar -xzvf "${{ needs.provenance.outputs.package-name }}"
          cd package/; git init
          tag_ref=${{ github.ref }}
          tag_version=${tag_ref#refs/tags/v}
          lerna_options="--no-git-tag-version --no-push --ignore-scripts --yes --exact --no-changelog --force-publish"
          if [[ $tag_version != *rc* ]]; then
            lerna publish $tag_version $lerna_options
          else
            lerna publish $tag_version $lerna_options --dist-tag rc --pre-dist-tag rc
          fi
        env:
          NPM_CONFIG_PROVENANCE: true