Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 8 additions & 4 deletions .github/workflows/publish.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ on:
pull_request:
types:
- closed
workflow_dispatch:

concurrency: ${{ github.workflow }}-${{ github.ref }}

Expand All @@ -13,10 +14,13 @@ jobs:
publish:
if: >-
github.repository == 'hack-dance/schema-stream' &&
github.event.pull_request.merged == true &&
github.base_ref == 'main' &&
github.event.pull_request.head.repo.full_name == github.repository &&
github.head_ref == 'changeset-release/main'
((github.event_name == 'pull_request' &&
github.event.pull_request.merged == true &&
github.base_ref == 'main' &&
github.event.pull_request.head.repo.full_name == github.repository &&
github.head_ref == 'changeset-release/main') ||
(github.event_name == 'workflow_dispatch' &&
github.ref == 'refs/heads/main'))
Comment on lines +22 to +23

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Pin the recovery publish to the failed release

When the failed publish is recovered after main has advanced, this manual path still accepts the latest main checkout and the later bun run release step will publish that current tarball under the still-unpublished package version. That can ship unreleased commits as the recovery version instead of the exact release PR contents; consider requiring and checking out a specific release SHA/version for workflow_dispatch rather than accepting branch head.

Useful? React with 👍 / 👎.

runs-on: ubuntu-latest
environment: PUBLISH
permissions:
Expand Down
4 changes: 3 additions & 1 deletion tests/workflow-security.test.ts
Original file line number Diff line number Diff line change
Expand Up @@ -39,14 +39,16 @@ describe("GitHub Actions security", () => {
expect(workflow.match(persistedCredentialsPattern)).toHaveLength(2)
})

test("limits trusted publishing to the merged canonical release PR", async () => {
test("limits trusted publishing to canonical release paths", async () => {
const workflow = await readWorkflow("publish.yml")

expect(workflow).toContain("github.repository == 'hack-dance/schema-stream'")
expect(workflow).toContain("github.event.pull_request.merged == true")
expect(workflow).toContain("github.base_ref == 'main'")
expect(workflow).toContain("github.event.pull_request.head.repo.full_name == github.repository")
expect(workflow).toContain("github.head_ref == 'changeset-release/main'")
expect(workflow).toContain("github.event_name == 'workflow_dispatch'")
expect(workflow).toContain("github.ref == 'refs/heads/main'")
expect(workflow).toMatch(publishEnvironmentPattern)
expect(workflow).toMatch(publishPermissionsPattern)
expect(workflow).toContain("persist-credentials: false")
Expand Down