feat(TU-33149): Write the actual secret value into the file (#719) #520
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Release | |
| on: | |
| push: | |
| branches: [main] | |
| jobs: | |
| release: | |
| name: Release | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| id-token: write | |
| steps: | |
| - name: Check out Git repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| # Use custom token from repo secrets to allow semantic release to push commit: | |
| # https://github.com/semantic-release/semantic-release/blob/master/docs/recipes/github-actions.md#pushing-packagejson-changes-to-a-master-branch | |
| persist-credentials: false | |
| token: ${{ secrets.GH_TOKEN }} | |
| - name: Set up Node.js | |
| uses: actions/setup-node@v3 | |
| with: | |
| node-version: 22 | |
| - name: Get yarn cache | |
| uses: actions/cache@v4 | |
| id: yarn-cache | |
| with: | |
| path: | | |
| **/node_modules | |
| ~/.cache | |
| key: ${{ runner.os }}-node-22-yarn-${{ hashFiles('**/yarn.lock') }}-${{ hashFiles('.github/workflows/**.yml') }} | |
| - name: Install Node.js dependencies | |
| if: steps.yarn-cache.outputs.cache-hit != 'true' | |
| run: yarn install --frozen-lockfile | |
| - run: yarn lerna bootstrap | |
| - run: yarn build | |
| env: | |
| NODE_ENV: 'production' | |
| # Configure registry for GitHub Packages using local .npmrc to avoid npm global config corruption | |
| - run: rm ./.npmrc | |
| - run: | | |
| cat > .npmrc << EOF | |
| //npm.pkg.github.com/:_authToken=${GH_TOKEN} | |
| @typeform:registry=https://npm.pkg.github.com/ | |
| EOF | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
| - run: yarn add -W @typeform/jarvis | |
| - run: git checkout HEAD -- package.json # do not save jarvis dependency to package.json because it is private (the file is committed by semantic-release to bump version) | |
| # Create clean .npmrc with just auth token | |
| - run: | | |
| cat > .npmrc << EOF | |
| //npm.pkg.github.com/:_authToken=${GH_TOKEN} | |
| EOF | |
| env: | |
| GH_TOKEN: ${{ secrets.GH_TOKEN }} | |
| # authenticate to AWS | |
| - uses: aws-actions/configure-aws-credentials@v4 | |
| with: | |
| aws-region: 'us-east-1' | |
| mask-aws-account-id: true | |
| role-to-assume: ${{ secrets.DEPLOYMENT_ROLE_ARN }} | |
| role-session-name: ${{ github.run_id }}-${{ github.run_attempt }} | |
| role-duration-seconds: 900 | |
| unset-current-credentials: true | |
| - run: yarn release | |
| env: | |
| AWS_ASSETS_BUCKET: 'typeform-public-assets/embed' | |
| AWS_CLOUDFRONT_DIST: 'E3IUO95IYL1RI3' | |
| GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} | |
| PUBLIC_CDN_URL: 'https://embed.typeform.com' | |
| SEGMENT_WRITE_KEY: ${{ secrets.DEPLOYMENT_SEGMENT_WRITE_KEY }} | |
| - uses: 8398a7/action-slack@v3 | |
| if: failure() | |
| with: | |
| status: ${{ job.status }} | |
| fields: repo,message,commit,author,action | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.ACTION_MONITORING_SLACK }} |