📦 Publish to npm #163
```yaml
name: 📦 Publish to npm

# Dependencies:
# - SocketDev/socket-registry/.github/actions/setup-and-install

# Publishing is INLINED here (not delegated to socket-registry's reusable
# provenance.yml) on purpose. npm's OIDC trusted-publisher matcher keys on the
# workflow that contains the publish step. When the publish step lives in a
# reusable workflow, the OIDC `job_workflow_ref` claim carries the reusable's
# SHA-pinned ref, which changes every time we cascade a new socket-registry
# SHA, so no stable npm trusted-publisher config can match it (the token
# exchange 404s → publish runs unauthenticated → PUT 404 / stage 403).
#
# Inlining keeps `job_workflow_ref` = SocketDev/socket-lib/.github/workflows/
# provenance.yml@<ref>, a stable identity the trusted publisher matches.

on:
  workflow_dispatch:
    inputs:
      dry-run:
        description: 'Dry run (default: true)'
        required: false
        default: true
        type: boolean
      mode:
        description: 'Publish mode (staged is recommended; direct is the escape hatch)'
        required: false
        default: staged
        type: choice
        options:
          - staged
          - direct

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false # Don't cancel publishing.

jobs:
  publish:
    name: Build and Publish
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      # Needed for npm provenance via OIDC trusted publishing.
      id-token: write
    steps:
      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@5298430fdc1c6a31d1301379e86c46b9c8343853 # main (2026-05-28)
        with:
          socket-api-token: ${{ secrets.SOCKET_API_TOKEN || secrets.SOCKET_API_KEY }}
      - name: Build
        run: pnpm run build
      - name: Publish to npm
        # Default mode: --staged. Socket Firewall v1.12+ allowlists the
        # /-/stage/* endpoints, so `pnpm stage publish` works end-to-end.
        # The mode input is a `choice` of staged|direct; --direct is the
        # escape hatch for environments where the stage path can't reach
        # npm. publish.mts refuses --direct if prior package versions
        # used staging (would downgrade trust evidence).
        env:
          DRY_RUN: ${{ inputs.dry-run }}
          MODE: ${{ inputs.mode }}
        run: |
          ARGS="--${MODE:-staged}"
          if [ "$DRY_RUN" = "true" ]; then
            ARGS="$ARGS --dry-run"
          fi
          node scripts/fleet/publish.mts $ARGS
```
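An added pre-publish guard, not part of this workflow or the socket-lib project, that decodes the job's OIDC token and refuses to continue unless `job_workflow_ref` names the inlined workflow the comment above describes, so a misplaced publish step fails with a clear message instead of the 404/403 chain. `check_publish_identity`, `fake_token` and the constructed claims are assumptions for offline use; in a real job the token would be fetched from the runner's `ACTIONS_ID_TOKEN_REQUEST_URL` endpoint.

```python
"""Pre-publish guard: decode the job's OIDC token and confirm job_workflow_ref
names the inlined workflow before the npm publish step runs."""
import base64
import json

# The stable identity the trusted publisher is configured for (per the workflow comment).
EXPECTED_WORKFLOW = "SocketDev/socket-lib/.github/workflows/provenance.yml"


def decode_jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying the signature: we only inspect
    claims locally; signature verification is the registry's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_publish_identity(token: str, expected_workflow: str = EXPECTED_WORKFLOW) -> tuple[bool, str]:
    """Return (ok, message). ok only when job_workflow_ref's workflow part equals
    expected_workflow; the @ref suffix (branch, tag or SHA) is not compared."""
    claims = decode_jwt_claims(token)
    ref = claims.get("job_workflow_ref")
    if not ref:
        return False, "token has no job_workflow_ref claim"
    workflow, _, git_ref = ref.partition("@")
    if workflow != expected_workflow:
        return False, (f"publish step is running under {workflow}@{git_ref}; "
                       f"it must live in {expected_workflow} or the trusted publisher will not match")
    return True, f"ok: {workflow}@{git_ref}"


def fake_token(claims: dict) -> str:
    """Build an unsigned, JWT-shaped string from claims (constructed test input)."""
    def b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = b64(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64(json.dumps(claims).encode())}."


if __name__ == "__main__":
    # Constructed claims: the inlined workflow versus a SHA-pinned reusable one.
    inlined = fake_token({"job_workflow_ref": EXPECTED_WORKFLOW + "@refs/heads/main"})
    reusable = fake_token({"job_workflow_ref":
                           "SocketDev/socket-registry/.github/workflows/provenance.yml@" + "0" * 40})
    for tok in (inlined, reusable):
        print(check_publish_identity(tok))
```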