Merge pull request 'feat: add publish actions with documentation' (!42) from feature/publish into main

Reviewed-on: #42
Reviewed-by: Böhringer_Sebastian_-_J._Schmalz_GmbH <Sebastian.Boehringer@schmalz.de>

.forgejo/workflows/tag-release.yml

@@ -26,6 +26,8 @@ on:
           - pnpm-build
           - playwright-merge
           - playwright-run
+          - publish-npm-package
+          - publish-rust-crate
           - publish-static-contents
           - rust-build
           - terraform-apply

README.md

@@ -19,6 +19,8 @@ Shared actions for Forgejo CI/CD pipelines.
 | [pnpm-build](pnpm-build) | Action for building and validating with PNPM |
 | [playwright-merge](playwright-merge) | Merge Playwright shard blob reports and publish consolidated reports |
 | [playwright-run](playwright-run) | Run Playwright tests for one shard and upload its blob report |
+| [publish-npm-package](publish-npm-package) | Publish a PNPM package to JFrog Artifactory |
+| [publish-rust-crate](publish-rust-crate) | Publish a Rust crate to JFrog Artifactory |
 | [publish-static-contents](publish-static-contents) | Syncs frontend assets to S3 and invalidates a CloudFront distribution |
 | [rust-build](rust-build) | Set up Rust toolchain, run checks, and build via the project's build.sh |
 | [terraform-apply](terraform-apply) | Apply Terraform configuration files using the official Terraform CLI |

publish-npm-package/README.md

@@ -0,0 +1,28 @@
+# publish-npm-package
+
+Publish a PNPM package to JFrog Artifactory.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `working-directory` | No | `.` | Directory containing `package.json` |
+| `node-version` | No | `24` | Node.js version |
+| `pnpm-version` | No | `10.33` | pnpm version |
+| `jfrog-token` | Yes | — | JFrog npm auth token |
+| `registry-url` | No | `https://schmalz.jfrog.io/artifactory/api/npm/default-npm/` | npm registry URL |
+
+## Usage
+
+```yaml
+- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/publish-npm-package@publish-npm-package-v1
+  with:
+    working-directory: .
+    jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+## Notes
+
+- Publishes with `pnpm publish`.
+- Configures the registry auth token from `registry-url` and `jfrog-token`.
+- Third-party actions used internally are pinned to exact commit SHAs to prevent supply chain attacks.

publish-npm-package/action.yml

@@ -0,0 +1,64 @@
+name: publish-npm-package
+description: Publish a PNPM package to JFrog Artifactory.
+
+inputs:
+  working-directory:
+    description: Directory containing package.json
+    required: false
+    default: "."
+  node-version:
+    description: Node.js version
+    required: false
+    default: "24"
+  pnpm-version:
+    description: pnpm version
+    required: false
+    default: "10.33"
+  jfrog-token:
+    description: JFrog npm auth token
+    required: true
+  registry-url:
+    description: npm registry URL
+    required: false
+    default: "https://schmalz.jfrog.io/artifactory/api/npm/default-npm/"
+
+runs:
+  using: composite
+  steps:
+    # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
+    # actions/setup-node v4.4.0 — https://code.forgejo.org/actions/setup-node/commits/tag/v4.4.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+      with:
+        node-version: ${{ inputs.node-version }}
+
+    # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
+    # pnpm/action-setup v4.3.0 — https://code.forgejo.org/pnpm/action-setup/commits/tag/v4.3.0
+    - name: Install pnpm
+      uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
+      env:
+        # pnpm/action-setup bootstraps itself via npm before pnpm is available,
+        # so it must reach the public npm registry.
+        NPM_CONFIG_REGISTRY: https://registry.npmjs.org
+      with:
+        version: ${{ inputs.pnpm-version }}
+
+    - name: Configure JFrog registry authentication
+      shell: bash
+      env:
+        JFROG_TOKEN: ${{ inputs.jfrog-token }}
+        REGISTRY_URL: ${{ inputs.registry-url }}
+      run: |
+        set -euo pipefail
+
+        pnpm set registry "${REGISTRY_URL}"
+
+        AUTHORITY="${REGISTRY_URL#https://}"
+        AUTHORITY="${AUTHORITY#http://}"
+        AUTHORITY="${AUTHORITY%/}"
+        pnpm set "//${AUTHORITY}/:_authToken" "${JFROG_TOKEN}"
+
+    - name: Publish
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      run: pnpm publish

publish-rust-crate/README.md

@@ -0,0 +1,29 @@
+# publish-rust-crate
+
+Publish a Rust crate to JFrog Artifactory.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `working-directory` | No | `.` | Directory containing `Cargo.toml` |
+| `rust-version` | No | `1.95.0` | Rust toolchain version |
+| `jfrog-token` | Yes | — | JFrog token for the Artifactory Cargo registry |
+| `registry-name` | No | `artifactory` | Cargo registry name |
+| `registry-index` | No | `sparse+https://schmalz.jfrog.io/artifactory/api/cargo/schmalz-cargo-local/index/` | Cargo registry index URL |
+
+## Usage
+
+```yaml
+- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/publish-rust-crate@publish-rust-crate-v1
+  with:
+    working-directory: .
+    jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+## Notes
+
+- Configures Cargo registry settings in `${CARGO_HOME}/config.toml` and `${CARGO_HOME}/credentials.toml`.
+- Falls back to `$HOME/.cargo` when `CARGO_HOME` is not set.
+- Publishes with `cargo publish --registry <registry-name>`.
+- Third-party actions used internally are pinned to exact commit SHAs to prevent supply chain attacks.

publish-rust-crate/action.yml

@@ -0,0 +1,64 @@
+name: publish-rust-crate
+description: Publish a Rust crate to JFrog Artifactory.
+
+inputs:
+  working-directory:
+    description: Directory containing Cargo.toml
+    required: false
+    default: "."
+  rust-version:
+    description: Rust toolchain version
+    required: false
+    default: "1.95.0"
+  jfrog-token:
+    description: JFrog token for the Artifactory Cargo registry
+    required: true
+  registry-name:
+    description: Cargo registry name
+    required: false
+    default: artifactory
+  registry-index:
+    description: Cargo registry index URL
+    required: false
+    default: "sparse+https://schmalz.jfrog.io/artifactory/api/cargo/schmalz-cargo-local/index/"
+
+runs:
+  using: composite
+  steps:
+    # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
+    # dtolnay/rust-toolchain v1 (2026-03-27) — https://github.com/dtolnay/rust-toolchain/commit/3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
+    - name: Setup Rust toolchain
+      uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
+      with:
+        toolchain: ${{ inputs.rust-version }}
+
+    - name: Configure Cargo registry (JFrog Artifactory)
+      shell: bash
+      env:
+        JFROG_TOKEN: ${{ inputs.jfrog-token }}
+        REGISTRY_NAME: ${{ inputs.registry-name }}
+        REGISTRY_INDEX: ${{ inputs.registry-index }}
+      run: |
+        set -euo pipefail
+
+        CARGO_HOME_DIR="${CARGO_HOME:-$HOME/.cargo}"
+        mkdir -p "${CARGO_HOME_DIR}"
+
+        cat >> "${CARGO_HOME_DIR}/config.toml" <<EOF
+        [registries.${REGISTRY_NAME}]
+        index = "${REGISTRY_INDEX}"
+        [registry]
+        global-credential-providers = ["cargo:token"]
+        EOF
+
+        cat >> "${CARGO_HOME_DIR}/credentials.toml" <<EOF
+        [registries.${REGISTRY_NAME}]
+        token = "Bearer ${JFROG_TOKEN}"
+        EOF
+
+    - name: Publish
+      shell: bash
+      working-directory: ${{ inputs.working-directory }}
+      env:
+        REGISTRY_NAME: ${{ inputs.registry-name }}
+      run: cargo publish --registry "${REGISTRY_NAME}"