chore: publish to npm only from 'trusted publisher' pipeline (#261)

Strum355 · web-flow · commit fefbd250fe09 · 2025-11-14T13:25:34.000Z
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,6 +3,13 @@
 name: Release
 
 on:
+  workflow_call:
+    inputs:
+      version_type:
+        description: 'Type of version bump'
+        required: true
+        type: string
+
   workflow_dispatch:
     inputs:
       version_type:
@@ -15,6 +22,10 @@ on:
           - minor
           - major
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -31,6 +42,7 @@ jobs:
         with:
           node-version: 18
           cache: npm
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Configure git
         run: |
@@ -52,12 +64,16 @@ jobs:
       - name: determine semver component to bump
         id: bump-decision
         run: |
-          echo "bump-part=${{ github.event.inputs.version_type }}" >> "$GITHUB_OUTPUT"
+          echo "bump-part=${{ inputs.version_type }}" >> "$GITHUB_OUTPUT"
 
       - name: Update package with new version
         id: bump
         run: |
-          echo "version=$(npm version ${{ steps.bump-decision.outputs.bump-part }} --no-git-tag-version )" >> "$GITHUB_OUTPUT"
+          if [[ "${{ inputs.version_type }}" == "prerelease" ]]; then
+            echo "version=$(npm version prerelease --no-git-tag-version --preid ea)" >> "$GITHUB_OUTPUT"
+          else
+            echo "version=$(npm version ${{ steps.bump-decision.outputs.bump-part }} --no-git-tag-version )" >> "$GITHUB_OUTPUT"
+          fi
 
       - name: Install project modules
         run: npm ci
@@ -66,8 +82,6 @@ jobs:
         run: npm run compile
 
       - name: Publish package
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: npm publish
 
       - name: Commit and push package modifications
@@ -83,6 +97,7 @@ jobs:
           git push origin ${{ steps.bump.outputs.version }}
 
       - name: Create release notes for ${{ steps.bump.outputs.version }} release
+        if: inputs.version_type != 'prerelease'
         uses: actions/github-script@v6
         id: release-notes
         with:
@@ -101,11 +116,19 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |
             const repo_name = context.payload.repository.full_name
-            const response = await github.request('POST /repos/' + repo_name + '/releases', {
+            const isPrerelease = '${{ inputs.version_type }}' === 'prerelease';
+            const releaseConfig = {
               tag_name: '${{ steps.bump.outputs.version }}',
               name: '${{ steps.bump.outputs.version }}',
-              draft: false,
-              body: ${{ steps.release-notes.outputs.result }},
-              prerelease: false,
-              make_latest: 'true'
-            })
+              prerelease: isPrerelease
+            };
+
+            if (isPrerelease) {
+              releaseConfig.generate_release_notes = true;
+            } else {
+              releaseConfig.draft = false;
+              releaseConfig.body = ${{ steps.release-notes.outputs.result }};
+              releaseConfig.make_latest = 'true';
+            }
+
+            const response = await github.request('POST /repos/' + repo_name + '/releases', releaseConfig);
diff --git a/.github/workflows/stage.yml b/.github/workflows/stage.yml
@@ -20,13 +20,15 @@ on:
       - ".github/workflows/stage.yml"
       - "docker-image/**"
 
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
-  stage:
+  test:
     runs-on: ubuntu-latest
-    # Branches that starts with `release/` shouldn't trigger this workflow, as these are triggering the release workflow.
     if: github.repository_owner == 'guacsec' && github.event.pull_request.merged == true && !startsWith(github.head_ref, 'release/')
-    environment: staging
-    name: Stage the project
+    name: Test before staging
     steps:
       - name: Checkout sources
         uses: actions/checkout@v4
@@ -38,6 +40,7 @@ jobs:
         with:
           node-version: 18
           cache: npm
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Enable Corepack
         run: corepack enable
@@ -69,21 +72,10 @@ jobs:
           repo: anchore/syft
           platform: linux
           arch: amd64
-          # tag: the latest one, so we can catch changes
 
       - name: Setup skopeo
         run: sudo apt update && sudo apt-get -y install skopeo
 
-      - name: Configure git
-        run: |
-          git config user.name "${{ github.actor }}"
-          git config user.email "${{ github.actor }}@users.noreply.github.com"
-
-      - name: Update package with new version
-        id: bump
-        run: |
-          echo "version=$(npm version prerelease --no-git-tag-version --preid ea)" >> "$GITHUB_OUTPUT"
-
       - name: Install project modules
         run: npm ci
 
@@ -104,6 +96,7 @@ jobs:
         with:
           python-version: '3.9'
           cache: 'pip'
+
       - name: get Python location
         id: python-location
         run: |
@@ -122,32 +115,8 @@ jobs:
           echo "Running Again Integration tests =>"
           npm run integration-tests
 
-      - name: Publish package
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: npm publish
-
-      - name: Commit and push package modifications
-        run: |
-          git add package.json
-          git add package-lock.json
-          git commit -m "build: updated package with ${{ steps.bump.outputs.version }} [skip ci]"
-          git push
-
-      - name: Create and push new tag
-        run: |
-          git tag ${{ steps.bump.outputs.version }} -m "${{ steps.bump.outputs.version }}"
-          git push origin ${{ steps.bump.outputs.version }}
-
-      - name: Create a release
-        uses: actions/github-script@v6.4.1
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const repo_name = context.payload.repository.full_name
-            const response = await github.request('POST /repos/' + repo_name + '/releases', {
-              tag_name: '${{ steps.bump.outputs.version }}',
-              name: '${{ steps.bump.outputs.version }}',
-              prerelease: true,
-              generate_release_notes: true
-            })
+  publish-prerelease:
+    needs: test
+    uses: ./.github/workflows/release.yml
+    with:
+      version_type: prerelease
