From 83417d3e0b62ce8abf06aa969f673aa58b68ee7b Mon Sep 17 00:00:00 2001
From: Alec Gibson <12036746+alecgibson@users.noreply.github.com>
Date: Thu, 18 Jan 2024 10:41:03 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=91=B7=E2=80=8D=E2=99=80=EF=B8=8F=20Move?=
 =?UTF-8?q?=20publishing=20inside=20single=20workflow?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

At the moment, we have two Github Action workflows:

- `push.yml`: runs build and test, then tags when bumping the version in `main`
- `publish.yml`: releases the package when a new tag is published

The issue with this setup is that the built-in `GITHUB_TOKEN` [will not trigger another workflow][1], so we had to add a separate PAT with write permissions to our repos, which was a bit of a security concern.

In order to avoid the need for this extra token, with its associated risks and administrative overheads (like rotating), this change combines our workflows into a single flow with a sequence of jobs. We tweak the `tag.sh` to `release.sh`, and it's now also in charge of publishing (since it knows when we've pushed a new tag).

[1]: https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
---
 .github/workflows/{push.yml => ci.yml} | 37 +++++++++++++++++++-------
 .github/workflows/publish.yml | 32 ----------------------
 tag.sh => release.sh | 2 ++
 3 files changed, 29 insertions(+), 42 deletions(-)
 rename .github/workflows/{push.yml => ci.yml} (53%)
 delete mode 100644 .github/workflows/publish.yml
 rename tag.sh => release.sh (97%)

diff --git a/.github/workflows/push.yml b/.github/workflows/ci.yml
similarity index 53%
rename from .github/workflows/push.yml
rename to .github/workflows/ci.yml
index 5fb1b16..64fef1e 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/ci.yml
@@ -1,4 +1,5 @@
-name: CI/CD
+name: CI
+
 on:
 push:
 branches:
@@ -7,7 +8,6 @@ on:

 jobs:
 test:
- name: Test
 runs-on: ubuntu-latest
 services:
 mongo:
@@ -17,18 +17,18 @@ jobs:
 steps:
 - name: Checkout (push)
 if: ${{ github.event_name == 'push' }}
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 # Separate checkout action for pull_request_target, which needs to
 # explicitly checkout the SHA
 - name: Checkout (pull request)
 if: ${{ github.event_name == 'pull_request_target' }}
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 - name: Setup
- uses: actions/setup-node@v2
+ uses: actions/setup-node@v4
 with:
- node-version: '20.9'
+ node-version: '20.x'
 - name: Install
 run: npm install
 - name: Lint
@@ -37,7 +37,24 @@ jobs:
 run: npm run build
 - name: test
 run: npm run test
- - name: Tag
- if: |
- github.event_name == 'push' && github.ref == 'refs/heads/master'
- run: ./tag.sh
+
+ release:
+ needs:
+ - test
+ if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: '20.x'
+ registry-url: 'https://npm.pkg.github.com'
+ - name: Install
+ run: npm install
+ - name: Build
+ run: npm run build
+ - name: Release
+ run: ./release.sh
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
deleted file mode 100644
index 07c8ea6..0000000
--- a/.github/workflows/publish.yml
+++ /dev/null
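Review bot: The new `release` job declares no `permissions:` block, so the `GITHUB_TOKEN` it hands to `./release.sh` for the tag push and `npm publish` gets whatever the repository default is — read-only, in which case both fail, or write-all, which is broader than the job needs; declaring `permissions:` with `contents: write` and `packages: write` on the job pins the scope to exactly what `release.sh` uses. The Install step runs `npm install` with lifecycle scripts enabled while `actions/checkout` has, by default, persisted that token in the checkout's git config; the deleted `publish.yml` disabled scripts during install for precisely that reason, so `run: npm install --ignore-scripts` followed by the `npm rebuild && npm run prepare --if-present` step it used would keep that mitigation. This Install step also has no `NODE_AUTH_TOKEN`, so if any dependency lives in a private GitHub Package it will fail here, as the removed comment about `GITHUB_TOKEN` warned — worth confirming against the package's dependencies. Both `uses:` lines reference a mutable major tag; pinning to a commit SHA would remove a supply-chain dependency on those tags.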
@@ -1,32 +0,0 @@
-name: Publish
-
-on:
- push:
- tags:
- - '*'
-jobs:
- build:
- runs-on: ubuntu-22.04
- timeout-minutes: 10
- steps:
- - uses: actions/checkout@v3
- - uses: actions/setup-node@v3
- with:
- node-version: '20.9'
- registry-url: 'https://npm.pkg.github.com'
- - name: Install
- # Skip post-install to avoid malicious scripts stealing PAT
- run: npm install --ignore-script
- env:
- # GITHUB_TOKEN can't access packages hosted in private repos,
- # even within the same organisation
- NODE_AUTH_TOKEN: ${{ secrets.REEDSY_BOT_PERSONAL_ACCESS_TOKEN }}
- name: Post-install
- run: npm rebuild && npm run prepare --if-present
- - name: Build
- run: npm run build
- - name: Publish
- run: npm publish
- env:
- NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/tag.sh b/release.sh
similarity index 97%
rename from tag.sh
rename to release.sh
index a24e4c5..679c4d4 100755
--- a/tag.sh
+++ b/release.sh
@@ -23,3 +23,5 @@ git add --all lib/
 git commit --message "Release version $VERSION"
 git tag $VERSION
 git push origin refs/tags/$VERSION
+
+npm publish
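Review bot: `npm publish` now runs only after the tag has been pushed, so if publishing fails (registry outage, token lacking package write access) a re-run of the job stops at `git tag $VERSION` because the tag already exists, and that version is left tagged but unpublished until someone cleans up by hand. The start of the script is outside the hunk, so I cannot see whether it runs under `set -e`; if it does not, a failed publish would not even fail the job. Guarding the tag step so a re-run can reach the publish again, e.g. `if git rev-parse -q --verify "refs/tags/$VERSION" >/dev/null; then echo "tag $VERSION already exists"; else git tag "$VERSION" && git push origin "refs/tags/$VERSION"; fi`, keeps the script re-runnable after a partial failure.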