Bump @google-cloud/storage to 7.19.0 to fix fast-xml-parser vulnerability #6195
| # Copyright 2020 Google LLC | |
| # | |
| # Licensed under the Apache License, Version 2.0 (the "License"); | |
| # you may not use this file except in compliance with the License. | |
| # You may obtain a copy of the License at | |
| # | |
| # http://www.apache.org/licenses/LICENSE-2.0 | |
| # | |
| # Unless required by applicable law or agreed to in writing, software | |
| # distributed under the License is distributed on an "AS IS" BASIS, | |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | |
| # See the License for the specific language governing permissions and | |
| # limitations under the License. | |
name: Release Candidate

on:
  # Three kinds of event start this workflow:
  #   1. A pull request is opened or receives new commits (staging checks).
  #   2. A commit that touches package.json is pushed to main (release publication).
  #   3. A developer explicitly requests a build with a 'firebase_build' event.
  # 'labeled' is not among the pull_request types below, so adding a label does
  # not start a run by itself; labels are read on the next opened/synchronize run.
  pull_request:
    types:
      - opened
      - synchronize
  push:
    branches:
      - main
    paths:
      - package.json
  repository_dispatch:
    types:
      - firebase_build
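jobs:
  stage_release:
    # To publish a release, merge a PR with the title prefix '[chore] Release ' to main
    # and ensure the squashed commit message also has the prefix.
    # To stage a release without publishing it, send a 'firebase_build' event or apply
    # the 'release:stage' label to a PR.
    if: github.event.action == 'firebase_build' ||
      contains(github.event.pull_request.labels.*.name, 'release:stage') ||
      (github.event_name == 'push' && startsWith(github.event.head_commit.message, '[chore] Release '))
    runs-on: ubuntu-latest
    # Least privilege: this job installs dependencies and runs project scripts,
    # also for pull requests, so the workflow token is limited to reading the
    # repository. Without this block the job inherits the repository default.
    permissions:
      contents: read
    steps:
      # Actions are pinned to full commit SHAs; the trailing comment records the
      # release tag the pin was taken from.
      - name: Checkout source for staging
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          # Do not leave the job token in the local git config, where the build
          # and test steps that follow could read it.
          persist-credentials: false
      - name: Set up Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: '18.x'
      - name: Install and build
        run: |
          npm ci
          npm run build
          npm run build:tests
      - name: Run unit tests
        run: npm test
      - name: Verify public API
        run: npm run api-extractor
      # The Firebase secrets are set in this step's env only, so the install,
      # build and unit-test steps above do not receive them.
      - name: Run integration tests
        run: ./.github/scripts/run_integration_tests.sh
        env:
          FIREBASE_SERVICE_ACCT_KEY: ${{ secrets.FIREBASE_SERVICE_ACCT_KEY }}
          FIREBASE_API_KEY: ${{ secrets.FIREBASE_API_KEY }}
          FIREBASE_APP_ID: ${{ secrets.FIREBASE_APP_ID }}
      - name: Package release artifacts
        run: |
          npm pack
          mkdir -p dist
          cp *.tgz dist/
      # Attach the packaged artifacts to the workflow output. These can be manually
      # downloaded for later inspection if necessary.
      - name: Archive artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        with:
          name: dist
          path: dist
      # The tarball name is quoted so it reaches the verification script as a
      # single argument.
      - name: Verify tarball
        run: |
          PACKAGE_TARBALL="$(ls firebase-admin-*.tgz)"
          ./.github/scripts/verify_package.sh "$PACKAGE_TARBALL"

  publish_release:
    needs: stage_release
    # Check whether the release should be published. We publish only when the trigger is
    #   1. a push (merge)
    #   2. to the main branch
    #   3. and the commit message has the title prefix '[chore] Release '.
    if: github.event_name == 'push' &&
      github.ref == 'refs/heads/main' &&
      startsWith(github.event.head_commit.message, '[chore] Release ')
    runs-on: ubuntu-latest
    # The job runs in the 'Release' environment; any protection rules or
    # environment secrets configured for it apply here.
    environment: Release
    # Write access to contents is what lets this job create the GitHub release.
    permissions:
      contents: write
    steps:
      # NOTE(review): checkout keeps the job token in the local git config by
      # default. If the publish scripts never run authenticated git commands,
      # 'persist-credentials: false' could be set here as well - confirm first.
      - name: Checkout source for publish
        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
      # Download the artifacts created by the stage_release job.
      - name: Download release candidates
        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
        with:
          name: dist
          path: dist
      # Node.js and NPM are needed to complete the publish.
      - name: Set up Node.js
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: '18.x'
      - name: Publish preflight check
        id: preflight
        run: ./.github/scripts/publish_preflight_check.sh
      # See: https://cli.github.com/manual/gh_release_create
      # The version and changelog are handed over as environment variables and
      # quoted in the script rather than expanded into the script text, so their
      # content cannot change the shell command.
      - name: Create release tag
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_VER: ${{ steps.preflight.outputs.version }}
          RELEASE_BODY: ${{ steps.preflight.outputs.changelog }}
        run: |
          gh release create "$RELEASE_VER" \
            --title "Firebase Admin Node.js SDK $RELEASE_VER" \
            --notes "$RELEASE_BODY"
      # The NPM token is set in this step's env only.
      - name: Publish to NPM
        run: ./.github/scripts/publish_package.sh
        env:
          NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
          VERSION: ${{ steps.preflight.outputs.version }}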