chore: use npm trusted publishing (#8675)

**Motivation**

Use a more secure way to publish a release.

**Description**

- Use `npm` [trusted
publishing](https://docs.npmjs.com/trusted-publishers)

---------

Co-authored-by: Matthew Keil <me@matthewkeil.com>
This commit is contained in:
Nazar Hussain
2025-12-10 14:55:26 +01:00
committed by GitHub
parent 688d5584ea
commit fe261483ef
9 changed files with 1646 additions and 2092 deletions


@@ -5,9 +5,12 @@ concurrency:
group: cd-publish-dev group: cd-publish-dev
on: on:
push: workflow_call:
branches:
- unstable permissions:
contents: write # Required for OIDC
id-token: write # Required to create a Github release
pull-requests: write # Required to add tags to pull requests
jobs: jobs:
npm: npm:
@@ -15,7 +18,7 @@ jobs:
runs-on: buildjet-4vcpu-ubuntu-2204 runs-on: buildjet-4vcpu-ubuntu-2204
steps: steps:
# <common-build> - Uses YAML anchors in the future # <common-build> - Uses YAML anchors in the future
- uses: actions/checkout@v4 - uses: actions/checkout@v6
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: actions/setup-node@v4 - uses: actions/setup-node@v4
@@ -57,7 +60,7 @@ jobs:
# This "temp" commit doesn't change the actually release commit which is captured above. # This "temp" commit doesn't change the actually release commit which is captured above.
# git-data is also correct, since it's generated at build time, before `lerna version` run. # git-data is also correct, since it's generated at build time, before `lerna version` run.
run: | run: |
node_modules/.bin/lerna version ${{ steps.version.outputs.version }} \ yarn lerna version ${{ steps.version.outputs.version }} \
--force-publish \ --force-publish \
--exact \ --exact \
--yes \ --yes \
@@ -92,15 +95,13 @@ jobs:
# #
# NOTE: Using --preid dev.$(git rev-parse --short=7 HEAD) results in `0.24.3-dev.3ddb91d.0+3ddb91d` # NOTE: Using --preid dev.$(git rev-parse --short=7 HEAD) results in `0.24.3-dev.3ddb91d.0+3ddb91d`
run: | run: |
node_modules/.bin/lerna publish from-package \ yarn lerna publish from-package \
--yes \ --yes \
--no-verify-access \ --no-verify-access \
--dist-tag next \ --dist-tag next \
--no-git-reset \ --no-git-reset \
--force-publish \ --force-publish \
--exact --exact
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
outputs: outputs:
version: ${{ steps.version.outputs.version }} version: ${{ steps.version.outputs.version }}
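Review bot: The comments on the new `permissions` block are swapped: `id-token: write` is the permission OIDC needs and `contents: write` is the one needed to create a GitHub release, so the two lines should read `contents: write # Required to create a GitHub release` and `id-token: write # Required for OIDC`. The same swapped comments appear in the nextfork, rc and stable workflow sections and in the new publish.yml, so they should be corrected together. Separately, with `NODE_AUTH_TOKEN` removed from the `lerna publish` step, authentication now rests entirely on the OIDC exchange, which the npm CLI only performs in recent releases (11.5.1 or newer, per npm's docs, if I recall correctly); the `node-version` given to `setup-node` is outside the hunk, so it is worth confirming the installed npm is new enough and that `@lerna-lite/publish` delegates authentication to npm rather than expecting a token. A comment on the publish step such as `# No NODE_AUTH_TOKEN: auth is via npm trusted publishing (OIDC), which needs id-token: write` would make that dependency explicit.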


@@ -5,9 +5,12 @@ concurrency:
group: cd-publish-nextfork group: cd-publish-nextfork
on: on:
push: workflow_call:
branches:
- peerDAS # Nextfork branch permissions:
contents: write # Required for OIDC
id-token: write # Required to create a Github release
pull-requests: write # Required to add tags to pull requests
env: env:
NEXT_FORK: peerDAS NEXT_FORK: peerDAS
@@ -18,7 +21,7 @@ jobs:
runs-on: buildjet-4vcpu-ubuntu-2204 runs-on: buildjet-4vcpu-ubuntu-2204
steps: steps:
# <common-build> - Uses YAML anchors in the future # <common-build> - Uses YAML anchors in the future
- uses: actions/checkout@v4 - uses: actions/checkout@v6
with: with:
fetch-depth: 0 fetch-depth: 0
- uses: actions/setup-node@v4 - uses: actions/setup-node@v4
@@ -60,7 +63,7 @@ jobs:
# This "temp" commit doesn't change the actually release commit which is captured above. # This "temp" commit doesn't change the actually release commit which is captured above.
# git-data is also correct, since it's generated at build time, before `lerna version` run. # git-data is also correct, since it's generated at build time, before `lerna version` run.
run: | run: |
node_modules/.bin/lerna version ${{ steps.version.outputs.version }} \ yarn lerna version ${{ steps.version.outputs.version }} \
--force-publish \ --force-publish \
--exact \ --exact \
--yes \ --yes \
@@ -95,15 +98,13 @@ jobs:
# #
# NOTE: Using --preid dev.$(git rev-parse --short=7 HEAD) results in `0.24.3-dev.3ddb91d.0+3ddb91d` # NOTE: Using --preid dev.$(git rev-parse --short=7 HEAD) results in `0.24.3-dev.3ddb91d.0+3ddb91d`
run: | run: |
node_modules/.bin/lerna publish from-package \ yarn lerna publish from-package \
--yes \ --yes \
--no-verify-access \ --no-verify-access \
--dist-tag next \ --dist-tag next \
--no-git-reset \ --no-git-reset \
--force-publish \ --force-publish \
--exact --exact
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
outputs: outputs:
version: ${{ steps.version.outputs.version }} version: ${{ steps.version.outputs.version }}


@@ -5,9 +5,12 @@ concurrency: cd-publish-rc
# See for rationale https://github.com/ChainSafe/lodestar/blob/unstable/RELEASE.md # See for rationale https://github.com/ChainSafe/lodestar/blob/unstable/RELEASE.md
on: on:
push: workflow_call:
tags:
- v* permissions:
contents: write # Required for OIDC
id-token: write # Required to create a Github release
pull-requests: write # Required to add tags to pull requests
jobs: jobs:
tag: tag:
@@ -55,7 +58,7 @@ jobs:
needs: [tag, binaries] needs: [tag, binaries]
if: needs.tag.outputs.is_rc == 'true' if: needs.tag.outputs.is_rc == 'true'
steps: steps:
- uses: actions/checkout@v4 - uses: actions/checkout@v6
with: with:
fetch-depth: 0 # Needs full depth for changelog generation fetch-depth: 0 # Needs full depth for changelog generation
@@ -67,7 +70,7 @@ jobs:
run: node scripts/generate_changelog.mjs ${{ needs.tag.outputs.prev_tag }} ${{ needs.tag.outputs.tag }} CHANGELOG.md run: node scripts/generate_changelog.mjs ${{ needs.tag.outputs.prev_tag }} ${{ needs.tag.outputs.tag }} CHANGELOG.md
- name: Get binaries - name: Get binaries
uses: actions/download-artifact@v4 uses: actions/download-artifact@v5
with: with:
path: dist/ path: dist/
merge-multiple: true merge-multiple: true
@@ -91,7 +94,7 @@ jobs:
# This "temp" commit doesn't change the actually release commit which is captured above. # This "temp" commit doesn't change the actually release commit which is captured above.
# git-data is also correct, since it's generated at build time, before `lerna version` run. # git-data is also correct, since it's generated at build time, before `lerna version` run.
run: | run: |
node_modules/.bin/lerna version ${{ needs.tag.outputs.version }} \ yarn lerna version ${{ needs.tag.outputs.version }} \
--force-publish \ --force-publish \
--exact \ --exact \
--yes \ --yes \
@@ -101,15 +104,8 @@ jobs:
git config user.email 'temp@github.com' git config user.email 'temp@github.com'
git commit -am "${{ needs.tag.outputs.version }}" git commit -am "${{ needs.tag.outputs.version }}"
# From https://github.com/lerna/lerna/issues/2404
- run: echo //registry.npmjs.org/:_authToken=${NPM_TOKEN} > .npmrc
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: Publish to npm registry - name: Publish to npm registry
run: yarn run release:publish --dist-tag rc run: yarn run release:publish --dist-tag rc
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
# In case of failure # In case of failure
- name: Rollback on failure - name: Rollback on failure


@@ -5,9 +5,12 @@ concurrency: cd-publish-stable
# See for rationale https://github.com/ChainSafe/lodestar/blob/unstable/RELEASE.md # See for rationale https://github.com/ChainSafe/lodestar/blob/unstable/RELEASE.md
on: on:
push: workflow_call:
tags:
- v* permissions:
contents: write # Required for OIDC
id-token: write # Required to create a Github release
pull-requests: write # Required to add tags to pull requests
jobs: jobs:
tag: tag:
@@ -15,7 +18,7 @@ jobs:
runs-on: buildjet-4vcpu-ubuntu-2204 runs-on: buildjet-4vcpu-ubuntu-2204
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v6
with: with:
fetch-depth: 0 fetch-depth: 0
@@ -91,15 +94,8 @@ jobs:
name: Release ${{ needs.tag.outputs.tag }} name: Release ${{ needs.tag.outputs.tag }}
prerelease: false prerelease: false
# From https://github.com/lerna/lerna/issues/2404
- run: echo //registry.npmjs.org/:_authToken=${NPM_TOKEN} > .npmrc
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: Publish to npm registry (release) - name: Publish to npm registry (release)
run: yarn run release:publish run: yarn run release:publish
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
# In case of failure # In case of failure
- name: Rollback on failure - name: Rollback on failure

50
.github/workflows/publish.yml vendored Normal file

@@ -0,0 +1,50 @@
name: Publish
# only one can run at a time
concurrency: cd-publish
on:
push:
tags:
- v*
branches:
# - peerDAS # Nextfork branch
- unstable
permissions:
contents: write # Required for OIDC
id-token: write # Required to create a Github release
pull-requests: write # Required to add tags to pull requests
jobs:
call-publish-workflow:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: Call publish-stable.yml
if: |
startsWith(github.ref, 'refs/tags/v') && (
!contains(github.ref_name, '-rc') &&
!contains(github.ref_name, '-beta') &&
!contains(github.ref_name, '-alpha')
)
uses: ./.github/workflows/publish-stable.yml
- name: Call publish-rc.yml
if: |
startsWith(github.ref, 'refs/tags/v') && (
contains(github.ref_name, '-rc') ||
contains(github.ref_name, '-beta') ||
contains(github.ref_name, '-alpha')
)
uses: ./.github/workflows/publish-rc.yml
# - name: Call publish-nextfork.yml
# if: github.ref == 'refs/heads/peerDAS'
# uses: ./.github/workflows/publish-next-fork.yml
- name: Call publish-dev.yml
if: github.ref == 'refs/heads/unstable'
uses: ./.github/workflows/publish-dev.yml
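Review bot: The `uses: ./.github/workflows/publish-*.yml` entries at the step level will not invoke those workflows: a step's `uses` must point at an action, while reusable workflows are called with `jobs.<id>.uses`, so this job is expected to fail at the first `Call` step. Each call should become its own job with the `if:` moved to the job level and the `permissions` granted there (the called workflows declare `id-token: write`, which a caller must grant), and the `runs-on`, `steps` and checkout go away since the called workflows check out the code themselves. The npm trusted-publisher entry is keyed on a workflow filename, and with the publish step now running inside a reusable workflow the OIDC token carries both the caller's and the called file's reference, so confirm which filename npm expects before relying on this path. The commented-out nextfork call would take the same job-level shape when re-enabled.
```yaml
jobs:
  publish-stable:
    if: |
      startsWith(github.ref, 'refs/tags/v') && (
        !contains(github.ref_name, '-rc') &&
        !contains(github.ref_name, '-beta') &&
        !contains(github.ref_name, '-alpha')
      )
    uses: ./.github/workflows/publish-stable.yml
    permissions:
      contents: write # Required to create a GitHub release
      id-token: write # Required for OIDC (npm trusted publishing)
      pull-requests: write # Required to add tags to pull requests
  # … publish-rc: same shape, with the rc/beta/alpha condition …
  publish-dev:
    if: github.ref == 'refs/heads/unstable'
    uses: ./.github/workflows/publish-dev.yml
    permissions:
      contents: write
      id-token: write
      pull-requests: write
```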


@@ -3,7 +3,6 @@
"packages/*" "packages/*"
], ],
"npmClient": "yarn", "npmClient": "yarn",
"useNx": true,
"version": "1.37.0", "version": "1.37.0",
"stream": true, "stream": true,
"command": { "command": {
@@ -11,5 +10,6 @@
"message": "chore(release): %s" "message": "chore(release): %s"
} }
}, },
"$schema": "node_modules/lerna/schemas/lerna-schema.json" "useWorkspaces": true,
"$schema": "node_modules/@lerna-lite/cli/schemas/lerna-schema.json"
} }


@@ -45,6 +45,10 @@
"@biomejs/biome": "^2.2.0", "@biomejs/biome": "^2.2.0",
"@chainsafe/benchmark": "^1.2.3", "@chainsafe/benchmark": "^1.2.3",
"@chainsafe/biomejs-config": "^1.0.0", "@chainsafe/biomejs-config": "^1.0.0",
"@lerna-lite/cli": "^4.9.4",
"@lerna-lite/publish": "^4.9.4",
"@lerna-lite/run": "^4.9.4",
"@lerna-lite/version": "^4.9.4",
"@types/node": "^24.10.1", "@types/node": "^24.10.1",
"@types/react": "^19.1.12", "@types/react": "^19.1.12",
"@vitest/browser": "^4.0.7", "@vitest/browser": "^4.0.7",
@@ -56,7 +60,6 @@
"electron": "^26.2.2", "electron": "^26.2.2",
"https-browserify": "^1.0.0", "https-browserify": "^1.0.0",
"jsdom": "^23.0.1", "jsdom": "^23.0.1",
"lerna": "^7.3.0",
"libp2p": "2.9.0", "libp2p": "2.9.0",
"node-gyp": "^9.4.0", "node-gyp": "^9.4.0",
"npm-run-all": "^4.1.5", "npm-run-all": "^4.1.5",


@@ -40,5 +40,13 @@
"../../node_modules/@types", "../../node_modules/@types",
"../../types", "../../types",
], ],
// TODO: This is a workaround to fix the error came after adding `@lerna-lite/version`
// Need to be cleared and cleaned this config later
//
// @lodestar/params: error TS2688: Cannot find type definition file for 'parse-path'.
// @lodestar/params: The file is in the program because:
// @lodestar/params: Entry point for implicit type library 'parse-path'
"types": ["node", "bun", "snappyjs", "mitt", "vitest"],
} }
} }
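Review bot: The workaround comment above the new `types` entry reads awkwardly and does not say what should be revisited; I would replace its first two lines with `// TODO: workaround for the 'parse-path' implicit type-library error that appeared after adding @lerna-lite/version; revisit and remove once the root cause is fixed.` Listing `types` explicitly also stops TypeScript from picking up any other `@types/*` package automatically, which is a behaviour change for this package that the comment should state so a later maintainer does not remove the entry without checking.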

3597
yarn.lock
