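name: Publish Packages
# This workflow publishes packages to npm when changes are merged to main branch or when manually triggered.

on:
  push:
    paths:
      - package.json
    # For security reasons, this should never be set to anything but `main`
    branches: [main]
  workflow_dispatch:

# Workflow-level permissions apply to every job. The OIDC token is only needed
# by the publish job, so `id-token: write` is granted there rather than here.
permissions:
  contents: read

env:
  COMMIT_SHA: ${{ github.sha }}

jobs:
  prepare:
    runs-on: ubuntu-latest
    outputs:
      # "true" when the publish job should run, "false" otherwise
      should_publish: ${{ steps.check.outputs.should_publish }}
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          # `audit` records outbound connections but does not block them
          egress-policy: audit

      - name: Verify commit authenticity
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Skipped on workflow_dispatch: there is no pushed commit to check, so a
        # manual run relies on the dispatching actor's repository permissions and
        # on the `main` ref guard of the publish job.
        if: ${{ github.event_name != 'workflow_dispatch' }}
        run: |
          # Get commit data from GitHub API to verify its authenticity.
          # $GITHUB_REPOSITORY is the runner-provided variable; reading it from the
          # environment keeps `${{ }}` interpolation out of the shell script.
          COMMIT_DATA=$(gh api "repos/$GITHUB_REPOSITORY/commits/$COMMIT_SHA")
          # Check if commit signature is verified (GPG signed)
          VERIFIED=$(echo "$COMMIT_DATA" | jq -r '.commit.verification.verified')
          # Check if commit was made through GitHub's web interface (merge queue)
          # NOTE(review): noreply@github.com is also the committer for merges done
          # through the GitHub web UI, not only the merge queue — confirm this is
          # the intended trust boundary.
          COMMITTER=$(echo "$COMMIT_DATA" | jq -r '.commit.committer.email')
          # Security checks to ensure we only publish from verified and trusted sources
          if [[ "$VERIFIED" != "true" ]]; then
            echo "❌ Unverified commit! Aborting."
            exit 1
          fi
          if [[ "$COMMITTER" != "noreply@github.com" ]]; then
            echo "❌ Not merged with the merge queue! Aborting."
            exit 1
          fi
          echo "✅ Commit is verified and trusted."

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 2 # Need at least 2 commits to detect changes between commits

      - name: Check if we should publish
        id: check
        env:
          EVENT_NAME: ${{ github.event_name }}
        run: |
          # Compare the version field of the previous and current package.json;
          # a manual dispatch always publishes.
          OLD_VERSION=$(git show "$COMMIT_SHA~1:package.json" | jq -r '.version')
          NEW_VERSION=$(jq -r '.version' "package.json")
          if [ "$OLD_VERSION" != "$NEW_VERSION" ] || [ "$EVENT_NAME" == "workflow_dispatch" ]; then
            echo "should_publish=true" >> "$GITHUB_OUTPUT"
          else
            echo "should_publish=false" >> "$GITHUB_OUTPUT"
          fi

  publish:
    needs: prepare
    runs-on: ubuntu-latest
    # Only this job mints the OIDC token used for npm trusted publishing
    # (https://docs.npmjs.com/trusted-publishers).
    permissions:
      contents: read
      id-token: write
    # workflow_dispatch can be started from any branch that carries this file;
    # the ref guard keeps a manual run from publishing another branch's package.json.
    if: needs.prepare.outputs.should_publish == 'true' && github.ref == 'refs/heads/main'
    steps:
      - uses: nodejs/web-team/actions/setup-environment@9f3c83af227d721768d9dbb63009a47ed4f4282f
        with:
          use-version-file: true
          registry-url: 'https://registry.npmjs.org'

      - name: Publish
        # NOTE(review): `--no-git-checks` is a pnpm option; npm appears to ignore
        # flags it does not know, but confirm it is intended here.
        run: npm publish --access public --no-git-checks

      - name: Notify
        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # 2.3.3
        env:
          SLACK_COLOR: '#43853D'
          SLACK_ICON: 'https://github.com/nodejs.png?size=48'
          SLACK_TITLE: ':rocket: Package Published: @node-core/doc-kit'
          SLACK_MESSAGE: |
            :package: *Package*: `@node-core/doc-kit` (<https://www.npmjs.com/package/@node-core/doc-kit|View on npm>)
            :bust_in_silhouette: *Published by*: ${{ github.triggering_actor }}
            :octocat: *Commit*: <https://github.com/${{ github.repository }}/commit/${{ env.COMMIT_SHA }}|${{ env.COMMIT_SHA }}>
          SLACK_USERNAME: nodejs-bot
          SLACK_CHANNEL: nodejs-web-infra-alerts
          SLACK_TOKEN: ${{ secrets.SLACK_TOKEN }}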