security: scope release oidc publishing

This commit is contained in:
Affaan Mustafa
2026-05-18 13:41:10 -04:00
parent 386326df8e
commit 7911af4a39
5 changed files with 124 additions and 16 deletions


@@ -32,9 +32,11 @@ for (const workflow of [
'.github/workflows/reusable-release.yml',
]) {
const content = load(workflow);
const workflowHeader = content.slice(0, content.indexOf('\njobs:\n'));
test(`${workflow} grants id-token for npm provenance`, () => {
assert.match(content, /permissions:\s*[\s\S]*id-token:\s*write/m);
test(`${workflow} scopes id-token to the publish job for npm provenance`, () => {
assert.doesNotMatch(workflowHeader, /id-token:\s*write/);
assert.match(content, /\n\s+permissions:\n\s+contents:\s*write\n\s+id-token:\s*write/m);
});
test(`${workflow} configures the npm registry`, () => {
@@ -51,7 +53,7 @@ for (const workflow of [
});
test(`${workflow} publishes new tag versions to npm`, () => {
assert.match(content, /npm publish --access public --provenance/);
assert.match(content, /npm publish "\$\{\{ needs\.verify\.outputs\.package_file \}\}" --access public --provenance/);
assert.match(content, /NODE_AUTH_TOKEN:\s*\$\{\{\s*secrets\.NPM_TOKEN\s*\}\}/);
});
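Review bot: The job-level assertion `assert.match(content, /\n\s+permissions:\n\s+contents:\s*write\n\s+id-token:\s*write/m)` in the first hunk only proves that some job carries `id-token: write`, not that the publish job is the only one, so a second job (for instance the `verify` job the second hunk references) could also receive the grant without failing a test named "scopes id-token to the publish job". Because `\s` also matches newlines, the `\n\s+` prefixes do not actually require indentation either — a top-level `permissions:` block preceded by a blank line satisfies them; `[ \t]+` is the class that says "indented". The header check above it covers the top-level `id-token` case, but when `'\njobs:\n'` is absent `indexOf` returns -1 and `slice(0, -1)` yields nearly the whole file, so the failure message points at the wrong cause. I would pin both the split point and the grant count: `assert.notStrictEqual(content.indexOf('\njobs:\n'), -1);` and `assert.strictEqual((content.match(/id-token:\s*write/g) ?? []).length, 1);`. The `for (const workflow of [...])` loop that encloses these tests begins before the first hunk.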