2023-11-22 13:17:51 +00:00
# Publish Action Package
2023-11-17 20:04:42 +00:00
2023-11-22 13:17:51 +00:00
This action packages your action repository as OCI artifacts and publishes it to [GHCR ](ghcr.io ).
2023-11-17 20:04:42 +00:00
2023-11-22 13:17:51 +00:00
This allows your action to be consumed as an immutable package to make the actions ecosystem more secure.
2023-11-17 20:04:42 +00:00
2023-11-22 13:17:51 +00:00
The whole action repository is packaged by default. Set `path` input to specify which path you want to package.
2023-11-17 20:04:42 +00:00
2023-11-22 13:17:51 +00:00
Make sure you use the [Starter Workflow ](https://github.com/actions-on-packages/.github ) (TODO) to run the action.
Please also ensure you have the release trigger in the workflow where you use this action.
2023-11-17 20:04:42 +00:00
2023-11-22 13:17:51 +00:00
## Usage
2023-11-17 20:04:42 +00:00
2023-11-17 20:08:25 +00:00
<!-- start usage -->
``` yaml
on :
release :
- uses : immutable-actions/publish-action-package@1.0.1
with :
# Personal access token (PAT) or GITHUB_TOKEN with write:package scope used to upload the package to GHCR. The GITHUB_TOKEN is taken by default.
#
# We recommend using a service account with the least permissions necessary. Also
# when generating a new PAT, select the least scopes necessary.
#
# [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
#
# Default: ${{ github.token }}
token : ''
# Relative path of the working directory of the repository to be tar archived
# and uploaded as OCI Artifact layer. You can mention multiple files/folders
# by mentioning relative paths as space separated values.
#
# This defaults to the entire action repository contents if not explicitly defined.
# Default: '.'
path : 'src/ action.yml dist/'
2023-11-17 20:04:42 +00:00
```
2023-11-17 20:08:25 +00:00
<!-- end usage -->
2023-11-17 20:04:42 +00:00
2023-11-22 13:17:51 +00:00
## License
2023-11-17 20:04:42 +00:00
2023-11-17 20:08:25 +00:00
The scripts and documentation in this project are released under the [MIT License ](LICENSE )
2023-11-17 20:04:42 +00:00
2023-11-22 13:17:51 +00:00
## [Internal] Differences from previous implementation
2023-11-17 20:04:42 +00:00
2023-11-22 13:17:51 +00:00
This is a new implementation of an Action which publishes a given release to ghcr.io (GitHub Packages).
2023-11-17 20:04:42 +00:00
2023-11-22 13:17:51 +00:00
It will eventually be moved to our `actions` ` org.
2023-11-17 20:08:25 +00:00
The key differences are:
2023-11-17 20:04:42 +00:00
2023-11-22 13:17:51 +00:00
- This Action goes directly to GitHub Packages rather than using an API endpoint to pass a bundle to.
- This Action uses Node.js libraries to create both a ` zip` and ` tar.gz` of the content as layers.
- This Action creates and publishes the OCI manifest which houses those archives, which was previously done on the backend.
- This Action has the goal of generating provenance attestations for any release that is created.
2023-11-22 13:36:22 +00:00
- This Action parses and validates that the release tag which triggered it is in a valid SemVer format, either ` 1.0.3-prerelease` or ` v1.0.0-prerelease`.
2023-11-22 14:32:17 +00:00
## [Internal] Features to consider adding to this Action
These are some features which should likely be part of this implementation.
2023-11-22 14:40:03 +00:00
- [ ] Parsing SemVer more strictly, based on what formats we decide to support (e.g. we might not support prerelease tags)
- [ ] Checking that there is a valid ` action.yml` file in the repository running the action, failing if it is not an Action repository
2023-11-22 16:06:33 +00:00
- Could be as simple as just checking for the file, or could be validating it is yml with expected actions components
2023-11-22 14:40:03 +00:00
- [ ] Sanitising and validating relative paths passed into the ` path` arg
2023-11-22 16:06:33 +00:00
- For example, checking that they're inside the repository of the action and not other places on the filsystem
2023-11-22 14:32:17 +00:00
- [ ] Integration with Attestations API (speak to ` phillmv` about this)
2023-11-22 14:40:03 +00:00
- [ ] A way to dynamically work out the Container Registry's URL rather than relying on the user to provide it
2023-11-22 14:49:13 +00:00
- Options seem to be an API endpoint or an environment variable in the runner, but this might be difficult for backwards compatibility