Merged
57 changes: 0 additions & 57 deletions .github/workflows/devworkspace-generator-publish-next.yml

This file was deleted.

78 changes: 0 additions & 78 deletions .github/workflows/devworkspace-generator-release.yml

This file was deleted.

135 changes: 135 additions & 0 deletions .github/workflows/typescript-publish.yml
@@ -0,0 +1,135 @@
#
# Copyright (c) 2022-2024
# This program and the accompanying materials are made
# available under the terms of the Eclipse Public License 2.0
# which is available at https://www.eclipse.org/legal/epl-2.0/
#
# SPDX-License-Identifier: EPL-2.0
#

# Main workflow for building and publishing release builds
# Release commit
name: Publish project to npmjs

on:
workflow_dispatch:
inputs:
release-version:
description: 'release version in format 7.y.z'
required: true
release-remake:
description: 'set to true to recreate existing tags (otherwise release will fail if tags already exist)'
type: boolean
default: false
required: true
push:
branches:
- main
- 7.**.x

permissions:
id-token: write # Required for publishing to npmjs
contents: write
pull-requests: write

jobs:
publish:
name: Build and publish DevWorkspace Generator to npmjs
runs-on: ubuntu-22.04
steps:
- name: Validate parameters and build type
shell: bash
id: dist-tag-eval
run: |
# check if workflow is triggered manually (release) or via branch push (next build)
# release will always be performed as workflow_dispatch trigger, while push triggers are for dev/next builds
# based on this information, we determine the dist-tag for pushing to npmjs
DIST_TAG=
if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
RELEASE_VERSION=${{ github.event.inputs.release-version }}
if [[ "$RELEASE_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
echo "[INFO]" preparing to build and release with version: $RELEASE_VERSION
# DIST_TAG is not used in make-release.sh, as release version will always be latest anyway
DIST_TAG=latest
else
echo "[ERROR] incorrect version "$RELEASE_VERSION". Must be following format <number>.<number>.<number>, e.g. 7.111.0"
exit 1
fi
fi
if [[ "$GITHUB_EVENT_NAME" == "push" ]]; then
if [[ ${GITHUB_REF##*/} == "7."**".x" ]]; then
echo "[INFO] using ${GITHUB_REF##*/} tag"
DIST_TAG="next-${GITHUB_REF##*/}"
else
echo "[INFO] using "next" tag"
DIST_TAG=next
fi
fi
echo "npm_dist_tag=$DIST_TAG" >> $GITHUB_OUTPUT
Comment on lines +40 to +68

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Follow GitHub Actions security best practice for user input handling.

Line 49 directly expands github.event.inputs.release-version in the run block via template syntax. While the regex on line 50 validates the format, GitHub Actions template expansion occurs before the shell parses the script, creating a window for injection if the input contains shell metacharacters.

Best practice is to pass user inputs through environment variables:

🔒 Recommended fix: use environment variables
       - name: Validate parameters and build type
         shell: bash
         id: dist-tag-eval
+        env:
+          RELEASE_VERSION: ${{ github.event.inputs.release-version }}
         run: |
           # check if workflow is triggered manually (release) or via branch push (next build)
           # release will always be performed as workflow_dispatch trigger, while push triggers are for dev/next builds
           # based on this information, we determine the dist-tag for pushing to npmjs
           DIST_TAG=
           if [[ "$GITHUB_EVENT_NAME" == "workflow_dispatch" ]]; then
-            RELEASE_VERSION=${{ github.event.inputs.release-version }}
             if [[ "$RELEASE_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then

Apply the same pattern to lines 79-80 and 121 where inputs are expanded.

🧰 Tools
🪛 zizmor (1.25.2)

[error] 49-49: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/typescript-publish.yml around lines 40 - 68, The workflow
expands user input directly into the run script
(github.event.inputs.release-version) which can cause shell injection; in the
dist-tag-eval step (id: dist-tag-eval) set the release input as an environment
variable (e.g., RELEASE_VERSION) using the step's env: mapping and reference
$RELEASE_VERSION inside the run block instead of expanding the template inline,
then apply the same pattern to the other places mentioned (the other inputs
expanded around lines 79-80 and 121) so all user-supplied inputs are passed via
env variables and consumed from the shell-safe environment.

Source: Linters/SAST tools

- name: "Checkout source code"
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Check existing release tags
if: github.event_name == 'workflow_dispatch'
env:
GITHUB_TOKEN: ${{secrets.DEVWORKSPACE_GENERATOR_RELEASE_GITHUB_TOKEN}}
run: |
set +e
RECREATE_TAGS=${{ github.event.inputs.release-remake }}
VERSION=${{ github.event.inputs.release-version }}
EXISTING_TAG=$(git ls-remote --exit-code origin refs/tags/${VERSION})
if [[ -n ${EXISTING_TAG} ]]; then
if [[ ${RECREATE_TAGS} == "true" ]]; then
echo "[INFO] Removing tag for ${VERSION} version. New tag will be recreated during release."
git push origin :${VERSION}
else
echo "[ERROR] Cannot proceed with release - tag ${EXISTING_TAG} already exists."
exit 1
fi
else
echo "[INFO] No existing tags detected for ${VERSION}"
fi
- uses: actions/setup-node@v4
with:
node-version: '24'
registry-url: 'https://registry.npmjs.org'
scope: '@eclipse-che'
- name: Set up environment
run: |
sudo apt-get update -y || true
sudo apt-get -y -q install hub
hub --version
- name: Get yarn cache directory path
id: yarn-cache-dir-path
run: |
echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
- uses: actions/cache@v4
id: yarn-cache
with:
path: ${{ steps.yarn-cache-dir-path.outputs.dir }}
key: yarn-${{ hashFiles('yarn.lock') }}
restore-keys: yarn-
- name: Build and publish release version
if: github.event_name == 'workflow_dispatch'
env:
GITHUB_TOKEN: ${{secrets.DEVWORKSPACE_GENERATOR_RELEASE_GITHUB_TOKEN}}
run: |
git config --global user.name "Mykhailo Kuznietsov"
git config --global user.email "mkuznets@redhat.com"

./make-release.sh --version ${{ github.event.inputs.release-version }}
- name: Build and publish next version
if: github.event_name == 'push'
run: |
SHORT_SHA1=$(git rev-parse --short=7 HEAD)
CURRENT_VERSION=$(jq -r '.version' package.json)
NEW_VERSION="${CURRENT_VERSION}-${SHORT_SHA1}"
echo New version is ${NEW_VERSION}
sed -i -r -e "s/(\"version\": )(\".*\")/\1\"$NEW_VERSION\"/" package.json

# build
yarn
yarn compile

npm publish --tag ${{ steps.dist-tag-eval.outputs.npm_dist_tag }}
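Review bot: the later steps still splice workflow_dispatch input straight into the script via template syntax, so the env: treatment requested for the dist-tag-eval step needs to be applied there as well: `VERSION=${{ github.event.inputs.release-version }}` and `RECREATE_TAGS=${{ github.event.inputs.release-remake }}` in the "Check existing release tags" step, and `./make-release.sh --version ${{ github.event.inputs.release-version }}` in the release step. Each is expanded before bash parses the run block, and `VERSION` is then used unquoted in the `git ls-remote` and `git push origin :${VERSION}` calls. Declaring them under the step's `env:` and referencing `"$VERSION"` / `"$RECREATE_TAGS"` with quotes closes that gap; the regex check in the first step does stop the job on a malformed version, but it only runs after the first step has itself expanded the raw value. Separately, the workflow-level `permissions:` block grants `contents: write` and `pull-requests: write` to every run, including the push-triggered next builds, which from the visible steps only need `id-token: write` for the npm publish; nothing in this file touches pull requests, so either drop that scope or add a comment saying what in make-release.sh requires it, and consider scoping `contents: write` to the release path.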