feat: add EVM adapter access control module (#338) #330
| # Public npm release workflow | |
| # =========================== | |
| # This workflow handles CI and publishing to the public npm registry using Changesets. | |
| name: Release | |
| on: | |
| push: | |
| branches: | |
| - main | |
| # Prevent concurrent release operations and coordinate with staging workflow | |
| concurrency: | |
| group: release-publishing-${{ github.ref }} | |
| cancel-in-progress: false | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| issues: write | |
| id-token: write | |
| attestations: write | |
| actions: write | |
| jobs: | |
| provenance: | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0 | |
| with: | |
| run-scripts: 'install-pnpm, install-deps, build, test' | |
| node-version: '22.14.0' | |
| rekor-log-public: true | |
| release: | |
| needs: [provenance] | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Harden the runner (Audit all outbound calls) | |
| uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/create-github-app-token@af35edadc00be37caa72ed9f3e6d5f7801bfdf09 # v1.11.7 | |
| id: gh-app-token | |
| with: | |
| app-id: ${{ vars.GH_APP_ID }} | |
| private-key: ${{ secrets.GH_APP_PRIVATE_KEY }} | |
| - name: Checkout Repo | |
| uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
| with: | |
| token: ${{ steps.gh-app-token.outputs.token }} | |
| fetch-depth: 0 | |
| - name: Prepare pre-requisites | |
| uses: ./.github/actions/prepare | |
| with: | |
| token: ${{ steps.gh-app-token.outputs.token }} | |
| - name: Verify dependencies | |
| run: pnpm audit | |
| continue-on-error: true | |
| - name: Create temp dir | |
| id: temp-dir | |
| run: | | |
| set -euo pipefail | |
| temp_dir=$(mktemp -d) | |
| echo "path=${temp_dir}" >>"${GITHUB_OUTPUT}" | |
| - name: Upload tarball artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 | |
| with: | |
| name: ${{ github.ref_name }} | |
| path: ${{ needs.provenance.outputs.package-name }} | |
| - name: Download tarball | |
| uses: slsa-framework/slsa-github-generator/.github/actions/secure-download-artifact@3bcecb4ade4f265cff30488059a9dca39e26b360 # main | |
| with: | |
| name: ${{ needs.provenance.outputs.package-download-name }} | |
| path: '${{ steps.temp-dir.outputs.path }}/${{ needs.provenance.outputs.package-name }}' | |
| sha256: ${{ needs.provenance.outputs.package-download-sha256 }} | |
| - name: Download provenance | |
| uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@3bcecb4ade4f265cff30488059a9dca39e26b360 # v1.6.0 | |
| with: | |
| name: ${{ needs.provenance.outputs.provenance-download-name }} | |
| path: '${{ steps.temp-dir.outputs.path }}' | |
| sha256: ${{ needs.provenance.outputs.provenance-download-sha256 }} | |
| - name: Unpack the zipped artifact | |
| run: | | |
| set -euo pipefail | |
| cd "${{ steps.temp-dir.outputs.path }}" | |
| tar -xzvf "${{ needs.provenance.outputs.package-name }}" -C $GITHUB_WORKSPACE --strip-components=1 | |
| cd "$GITHUB_WORKSPACE" | |
| pnpm run install-deps | |
| - name: Build packages | |
| run: pnpm run build | |
| env: | |
| NODE_OPTIONS: '--max-old-space-size=8192' | |
| - name: Guard against disallowed file modes (executables/symlinks) | |
| run: pnpm run check-file-modes | |
| - name: Make files non-executable for GitHub API compatibility | |
| run: | | |
| # Make Husky files non-executable | |
| chmod -x .husky/commit-msg .husky/pre-commit .husky/pre-push 2>/dev/null || true | |
| # Find and make any other executable files non-executable (except in .husky/) | |
| find . -type f -executable ! -path "./.husky/*" ! -path "./node_modules/*" ! -path "./.git/*" -exec chmod -x {} \; 2>/dev/null || true | |
| - name: Create Release Pull Request or Publish to npm | |
| id: changesets | |
| uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3 | |
| with: | |
| publish: pnpm changeset publish --no-git-checks | |
| commitMode: 'github-api' | |
| env: | |
| GITHUB_TOKEN: ${{ steps.gh-app-token.outputs.token }} | |
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
| NPM_CONFIG_PROVENANCE: true | |
| TARBALL: ${{ needs.provenance.outputs.package-name }} | |
| NPM_CONFIG_ACCESS: public | |
| SKIP_PUBLISH_BUILD: true | |
| - name: Extract version from package.json | |
| id: extract_version | |
| run: | | |
| version=$(jq -r '.version' package.json) | |
| echo "version=$version" >> $GITHUB_OUTPUT | |
| - name: Generate SBOM | |
| uses: anchore/sbom-action@d94f46e13c6c62f59525ac9a1e147a99dc0b9bf5 | |
| with: | |
| artifact-name: sbom-${{ github.event.repository.name }}-${{ steps.extract_version.outputs.version }}.spdx.json | |
| output-file: /${{ steps.temp-dir.outputs.path }}/sbom-${{ github.event.repository.name }}-${{ steps.extract_version.outputs.version }}.spdx.json | |
| upload-artifact: false | |
| upload-release-assets: false | |
| - name: Download Artifacts | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 | |
| - name: Upload attestations SLSA | |
| uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 | |
| with: | |
| subject-path: ${{ needs.provenance.outputs.provenance-download-name }} | |
| subject-name: ${{ github.event.repository.name }}-${{ steps.extract_version.outputs.version }} | |
| - name: Upload attestations SBOM | |
| uses: actions/attest-build-provenance@5e9cb68e95676991667494a6a4e59b8a2f13e1d0 | |
| with: | |
| subject-path: /${{ steps.temp-dir.outputs.path }}/sbom-${{ github.event.repository.name }}-${{ steps.extract_version.outputs.version }}.spdx.json |
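Review bot: The Verify dependencies step runs `pnpm audit` with `continue-on-error: true`, so a failing audit never blocks the `changesets/action` publish that follows and no later step reads its outcome; if the audit is meant to be advisory only, say so in a comment on the step, otherwise drop `continue-on-error: true` or gate on a threshold such as `run: pnpm audit --audit-level=high`. For a job that holds `NPM_TOKEN` and a GitHub App token, `egress-policy: audit` on harden-runner only records outbound calls, whereas `egress-policy: block` with an `allowed-endpoints` list would make an unexpected connection fail rather than merely appear in the run log. The same commit `3bcecb4ade4f265cff30488059a9dca39e26b360` is labelled `# main` on the secure-download-artifact step and `# v1.6.0` on secure-attestations-download, and the upload-artifact, sbom-action, download-artifact and attest-build-provenance pins carry no version comment at all; one consistent `# vX.Y.Z` label per SHA keeps the pins auditable. The Extract version step also omits the `set -euo pipefail` that the other shell steps use, so a failed `jq` would silently write an empty version into `$GITHUB_OUTPUT`. The `release` job's step list appears to continue past the last visible line.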