dependabot[bot] abe17aada8 Bump @types/node from 20.9.4 to 20.11.4
Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.9.4 to 20.11.4.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-02 12:55:36 -05:00
2024-02-02 12:52:31 -05:00
2024-02-02 12:52:31 -05:00
2024-02-02 12:52:31 -05:00
2024-02-02 12:52:31 -05:00
2024-02-02 12:52:31 -05:00
2024-02-02 12:52:31 -05:00
2024-02-02 12:52:31 -05:00
2024-02-02 12:52:31 -05:00
2024-02-02 12:52:31 -05:00
2023-11-17 19:56:57 +00:00
2024-02-02 12:52:31 -05:00

Publish Action Package

This action packages your action repository as OCI artifacts and publishes it to GHCR.

This allows your action to be consumed as an immutable package to make the actions ecosystem more secure.

The whole action repository is packaged by default. Set path input to specify which path you want to package.

Make sure you use the Starter Workflow (TODO) to run the action. Please also ensure you have the release trigger in the workflow where you use this action.

Usage

on:
  release:

- uses: immutable-actions/publish-action-package@1.0.1
  with:

    # Personal access token (PAT) or GITHUB_TOKEN with write:package scope used to upload the package to GHCR. The GITHUB_TOKEN is taken by default.
    #
    # We recommend using a service account with the least permissions necessary. Also
    # when generating a new PAT, select the least scopes necessary.
    #
    # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
    #
    # Default: ${{ github.token }}
    token: ''

    # Relative path of the working directory of the repository to be tar archived
    # and uploaded as OCI Artifact layer. You can mention multiple files/folders
    # by mentioning relative paths as space separated values.
    #
    # This defaults to the entire action repository contents if not explicitly defined.
    # Default: '.'
    path: 'src/ action.yml dist/'


License

The scripts and documentation in this project are released under the MIT License

[Internal] Differences from previous implementation

This is a new implementation of an Action which publishes a given release to ghcr.io (GitHub Packages).

It will eventually be moved to our `actions`` org.

The key differences are:

  • This Action goes directly to GitHub Packages rather than using an API endpoint to pass a bundle to.
  • This Action uses Node.js libraries to create both a zip and tar.gz of the content as layers.
  • This Action creates and publishes the OCI manifest which houses those archives, which was previously done on the backend.
  • This Action has the goal of generating provenance attestations for any release that is created.
  • This Action parses and validates that the release tag which triggered it is in a valid SemVer format, either 1.0.3-prerelease or v1.0.0-prerelease.

[Internal] Features to consider adding to this Action

These are some features which should likely be part of this implementation.

  • Parsing SemVer more strictly, based on what formats we decide to support (e.g. we might not support prerelease tags)
  • Checking that there is a valid action.yml file in the repository running the action, failing if it is not an Action repository
    • Could be as simple as just checking for the file, or could be validating it is yml with expected actions components
  • Sanitising and validating relative paths passed into the path arg
    • For example, checking that they're inside the repository of the action and not other places on the filsystem
  • Integration with Attestations API (speak to phillmv about this)
  • A way to dynamically work out the Container Registry's URL rather than relying on the user to provide it
    • Options seem to be an API endpoint or an environment variable in the runner, but this might be difficult for backwards compatibility
Languages
TypeScript 98.7%
Shell 1.3%