diff --git a/.forgejo/workflows/tag-release.yml b/.forgejo/workflows/tag-release.yml
index 3bd09b0..79c61b0 100644
--- a/.forgejo/workflows/tag-release.yml
+++ b/.forgejo/workflows/tag-release.yml
@@ -26,6 +26,8 @@ on:
 - pnpm-build
 - playwright-merge
 - playwright-run
+ - publish-npm-package
+ - publish-rust-crate
 - publish-static-contents
 - rust-build
 - terraform-apply
diff --git a/README.md b/README.md
index cf223c2..66f3ecf 100644
--- a/README.md
+++ b/README.md
@@ -19,6 +19,8 @@ Shared actions for Forgejo CI/CD pipelines.
 | [pnpm-build](pnpm-build) | Action for building and validating with PNPM |
 | [playwright-merge](playwright-merge) | Merge Playwright shard blob reports and publish consolidated reports |
 | [playwright-run](playwright-run) | Run Playwright tests for one shard and upload its blob report |
+| [publish-npm-package](publish-npm-package) | Publish a PNPM package to JFrog Artifactory |
+| [publish-rust-crate](publish-rust-crate) | Publish a Rust crate to JFrog Artifactory |
 | [publish-static-contents](publish-static-contents) | Syncs frontend assets to S3 and invalidates a CloudFront distribution |
 | [rust-build](rust-build) | Set up Rust toolchain, run checks, and build via the project's build.sh |
 | [terraform-apply](terraform-apply) | Apply Terraform configuration files using the official Terraform CLI |
diff --git a/publish-npm-package/README.md b/publish-npm-package/README.md
new file mode 100644
index 0000000..7411507
--- /dev/null
+++ b/publish-npm-package/README.md
@@ -0,0 +1,28 @@
+# publish-npm-package
+
+Publish a PNPM package to JFrog Artifactory.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `working-directory` | No | `.` | Directory containing `package.json` |
+| `node-version` | No | `24` | Node.js version |
+| `pnpm-version` | No | `10.33` | pnpm version |
+| `jfrog-token` | Yes | — | JFrog npm auth token |
+| `registry-url` | No | `https://schmalz.jfrog.io/artifactory/api/npm/default-npm/` | npm registry URL |
+
+## Usage
+
+```yaml
+- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/publish-npm-package@publish-npm-package-v1
+ with:
+ working-directory: .
+ jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+## Notes
+
+- Publishes with `pnpm publish`.
+- Configures the registry auth token from `registry-url` and `jfrog-token`.
+- Third-party actions used internally are pinned to exact commit SHAs to prevent supply chain attacks.
diff --git a/publish-npm-package/action.yml b/publish-npm-package/action.yml
new file mode 100644
index 0000000..69b8fa3
--- /dev/null
+++ b/publish-npm-package/action.yml
@@ -0,0 +1,64 @@
+name: publish-npm-package
+description: Publish a PNPM package to JFrog Artifactory.
+
+inputs:
+ working-directory:
+ description: Directory containing package.json
+ required: false
+ default: "."
+ node-version:
+ description: Node.js version
+ required: false
+ default: "24"
+ pnpm-version:
+ description: pnpm version
+ required: false
+ default: "10.33"
+ jfrog-token:
+ description: JFrog npm auth token
+ required: true
+ registry-url:
+ description: npm registry URL
+ required: false
+ default: "https://schmalz.jfrog.io/artifactory/api/npm/default-npm/"
+
+runs:
+ using: composite
+ steps:
+ # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
+ # actions/setup-node v4.4.0 — https://code.forgejo.org/actions/setup-node/commits/tag/v4.4.0
+ - name: Setup Node
+ uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
+ with:
+ node-version: ${{ inputs.node-version }}
+
+ # Pinned to commit SHA instead of a tag to prevent supply chain attacks.
+ # pnpm/action-setup v4.3.0 — https://code.forgejo.org/pnpm/action-setup/commits/tag/v4.3.0
+ - name: Install pnpm
+ uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1
+ env:
+ # pnpm/action-setup bootstraps itself via npm before pnpm is available,
+ # so it must reach the public npm registry.
+ NPM_CONFIG_REGISTRY: https://registry.npmjs.org
+ with:
+ version: ${{ inputs.pnpm-version }}
+
+ - name: Configure JFrog registry authentication
+ shell: bash
+ env:
+ JFROG_TOKEN: ${{ inputs.jfrog-token }}
+ REGISTRY_URL: ${{ inputs.registry-url }}
+ run: |
+ set -euo pipefail
+
+ pnpm set registry "${REGISTRY_URL}"
+
+ AUTHORITY="${REGISTRY_URL#https://}"
+ AUTHORITY="${AUTHORITY#http://}"
+ AUTHORITY="${AUTHORITY%/}"
+ pnpm set "//${AUTHORITY}/:_authToken" "${JFROG_TOKEN}"
+
+ - name: Publish
+ shell: bash
+ working-directory: ${{ inputs.working-directory }}
+ run: pnpm publish
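Review bot: The `_authToken` that the "Configure JFrog registry authentication" step stores with `pnpm set` is written into an `.npmrc` on the runner (project- or user-level, depending on pnpm's config-location default) and nothing removes it after the job, so on a persistent or self-hosted runner the token outlives the publish, and if the file lands inside the checkout a later artifact-upload step could pick it up; that step is also not scoped to `working-directory` while the Publish step is, so when the package lives in a subdirectory the file it writes may not be the one `pnpm publish` reads. A lower-risk shape is to let `actions/setup-node` own the auth: add `registry-url: ${{ inputs.registry-url }}` to its `with:` block and `NODE_AUTH_TOKEN: ${{ inputs.jfrog-token }}` as `env:` on the Publish step, then drop the manual configuration step — setup-node writes the token into a temporary user config as an environment-variable reference rather than the literal value, and pnpm reads the same npm config environment, so it should pick that up. The `NPM_CONFIG_REGISTRY` override on the pnpm/action-setup step still applies in that layout, since environment config takes precedence over `.npmrc`. Separately, `pnpm publish` performs git checks by default (clean tree, expected branch); confirm those hold in the tag-release flow this action is wired into, or pass `--no-git-checks` deliberately with a comment saying why.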
diff --git a/publish-rust-crate/README.md b/publish-rust-crate/README.md
new file mode 100644
index 0000000..69a44c2
--- /dev/null
+++ b/publish-rust-crate/README.md
@@ -0,0 +1,29 @@
+# publish-rust-crate
+
+Publish a Rust crate to JFrog Artifactory.
+
+## Inputs
+
+| Input | Required | Default | Description |
+|-------|----------|---------|-------------|
+| `working-directory` | No | `.` | Directory containing `Cargo.toml` |
+| `rust-version` | No | `1.95.0` | Rust toolchain version |
+| `jfrog-token` | Yes | — | JFrog token for the Artifactory Cargo registry |
+| `registry-name` | No | `artifactory` | Cargo registry name |
+| `registry-index` | No | `sparse+https://schmalz.jfrog.io/artifactory/api/cargo/schmalz-cargo-local/index/` | Cargo registry index URL |
+
+## Usage
+
+```yaml
+- uses: https://schmalz-git.git.onstackit.cloud/schmalz/shared-actions/publish-rust-crate@publish-rust-crate-v1
+ with:
+ working-directory: .
+ jfrog-token: ${{ secrets.JFROG_TOKEN }}
+```
+
+## Notes
+
+- Configures Cargo registry settings in `${CARGO_HOME}/config.toml` and `${CARGO_HOME}/credentials.toml`.
+- Falls back to `$HOME/.cargo` when `CARGO_HOME` is not set.
+- Publishes with `cargo publish --registry `.
+- Third-party actions used internally are pinned to exact commit SHAs to prevent supply chain attacks.
diff --git a/publish-rust-crate/action.yml b/publish-rust-crate/action.yml
new file mode 100644
index 0000000..11b26b3
--- /dev/null
+++ b/publish-rust-crate/action.yml
@@ -0,0 +1,64 @@ +name: publish-rust-crate +description: Publish a Rust crate to JFrog Artifactory. + +inputs: + working-directory: + description: Directory containing Cargo.toml + required: false + default: "." + rust-version: + description: Rust toolchain version + required: false + default: "1.95.0" + jfrog-token: + description: JFrog token for the Artifactory Cargo registry + required: true + registry-name: + description: Cargo registry name + required: false + default: artifactory + registry-index: + description: Cargo registry index URL + required: false + default: "sparse+https://schmalz.jfrog.io/artifactory/api/cargo/schmalz-cargo-local/index/" + +runs: + using: composite + steps: + # Pinned to commit SHA instead of a tag to prevent supply chain attacks. + # dtolnay/rust-toolchain v1 (2026-03-27) — https://github.com/dtolnay/rust-toolchain/commit/3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 + - name: Setup Rust toolchain + uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 + with: + toolchain: ${{ inputs.rust-version }} + + - name: Configure Cargo registry (JFrog Artifactory) + shell: bash + env: + JFROG_TOKEN: ${{ inputs.jfrog-token }} + REGISTRY_NAME: ${{ inputs.registry-name }} + REGISTRY_INDEX: ${{ inputs.registry-index }} + run: | + set -euo pipefail + + CARGO_HOME_DIR="${CARGO_HOME:-$HOME/.cargo}" + mkdir -p "${CARGO_HOME_DIR}" + + cat >> "${CARGO_HOME_DIR}/config.toml" <> "${CARGO_HOME_DIR}/credentials.toml" <