👷‍♀️ Move publishing inside single workflow

At the moment, we have two Github Action workflows: - `test.yml`: runs build and test, then tags when bumping the version in `main` - `publish.yml`: releases the package when a new tag is published The issue with this setup is that the built-in `GITHUB_TOKEN` [will not trigger another workflow][1], so we had to add a separate PAT with write permissions to our repos, which was a bit of a security concern. In order to avoid the need for this extra token, with its associated risks and administrative overheads (like rotating), this change combines our workflows into a single workflow. We tweak the `tag.sh` to `release.sh`, and it's now also in charge of publishing (since it knows when we've pushed a new tag). [1]: https://docs.github.com/en/actions/using-workflows/triggering-a-workflow#triggering-a-workflow-from-a-workflow
reedsy · Jan 18, 2024 · f64dd84 · f64dd84
1 parent 81242e2
commit f64dd84
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 63 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -4,43 +4,23 @@ on:
   push:
     branches:
     - master
-  pull_request_target:
+  pull_request:
+    branches:
+    - master
 
 jobs:
   build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-    - name: Checkout (push)
-      if: ${{ github.event_name == 'push' }}
-      uses: actions/checkout@v2
-      with:
-        # Use PAT instead of default Github token, because the default
-        # token deliberately will not trigger another workflow run
-        token: ${{ secrets.REEDSY_BOT_PERSONAL_ACCESS_TOKEN }}
-    # Separate checkout action for pull_request_target, which needs to
-    # explicitly checkout the SHA
-    - name: Checkout (pull request)
-      if: ${{ github.event_name == 'pull_request_target' }}
-      uses: actions/checkout@v2
+    - name: Checkout
+      uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
       with:
-        ref: ${{ github.event.pull_request.head.sha }}
-        # Use PAT instead of default Github token, because the default
-        # token deliberately will not trigger another workflow run
-        token: ${{ secrets.REEDSY_BOT_PERSONAL_ACCESS_TOKEN }}
-    - uses: actions/setup-node@v2
-      with:
-        node-version: '16.x'
+        node-version: '20.x'
         registry-url: 'https://npm.pkg.github.com'
     - name: Install
-      # Skip post-install to avoid malicious scripts stealing PAT
-      run: npm install --ignore-script
-      env:
-        # GITHUB_TOKEN can't access packages hosted in private repos,
-        # even within the same organisation
-        NODE_AUTH_TOKEN: ${{ secrets.REEDSY_BOT_PERSONAL_ACCESS_TOKEN }}
-    - name: Post-install
-      run: npm rebuild && npm run prepare --if-present
+      run: npm install
     - name: Lint
       run: npm run lint
     - name: Build
@@ -49,6 +29,6 @@ jobs:
       run: npm run test:coverage
       env:
         COVERAGE_REPORTER: text
-    - name: Tag
+    - name: Release
       if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
-      run: ./tag.sh
+      run: ./release.sh
diff --git a/tag.sh → release.sh b/tag.sh → release.sh
@@ -24,3 +24,5 @@ git add --all lib/
 git commit --message "Release version $VERSION"
 git tag $VERSION
 git push origin refs/tags/$VERSION
+
+npm publish