Skip to content

ci(provenance): inline standalone publish workflow + auto-tag#639

Open
John-David Dalton (jdalton) wants to merge 1 commit into
v1.4.xfrom
feat/inline-provenance-tag-after-publish
Open

ci(provenance): inline standalone publish workflow + auto-tag#639
John-David Dalton (jdalton) wants to merge 1 commit into
v1.4.xfrom
feat/inline-provenance-tag-after-publish

Conversation

@jdalton
Copy link
Copy Markdown
Collaborator

@jdalton John-David Dalton (jdalton) commented May 20, 2026

Summary

  • Inlines the publish workflow for the v1.4.x release branch — replaces uses: SocketDev/socket-registry/.github/workflows/provenance.yml@… with a fully standalone workflow so v1.4.x is decoupled from socket-registry's reusable-workflow evolution.
  • Adds an automatic tag-release job that creates v<version> git tags at the published commit SHA after a successful npm publish, idempotently.
  • Uses gh api (not git push) so the GITHUB_TOKEN only lives in the tag step's env block — never written to .git/config where the publish job's pnpm install could expose it to postinstall scripts.
  • Hard-fails on tag-SHA mismatch with an existing tag (GitHub Release Immutability means moving the tag is unsafe; operator recovery required).
  • Adds a dry-run input (defaults true) so accidental dispatches don't publish.

Mirrors:

  • socket-cli/main patch (8043cf709)
  • socket-cli v1.x PR (SocketDev/socket-cli#1322)
  • socket-registry/main reusable workflow update (0a96e8a5)
  • socket-sdk-js/main pin bump (a47e8786)

Test plan

  • actionlint passes (verified locally — zero findings, including no pre-existing warnings).
  • zizmor passes (verified locally — zero findings).
  • Next v1.4.x publish dispatch with dry-run=false creates a v<sdk_version> tag pointing at the published SHA.
  • Re-running the workflow against an already-published version no-ops on the tag step (idempotency).
  • Dispatching with dry-run=true runs build but does not publish or tag.

Why

socket-cli 1.1.98 and 1.1.99 were published from the fleet with no git tags on origin — hand-created on 2026-05-20 from npm view socket@<v> gitHead. v1.4.x of socket-sdk-js is the next release branch at risk; inlining (rather than tracking socket-registry main) keeps this workflow stable across infra evolution while still enforcing the new tag-creation contract.

Notes

  • Action pins (actions/checkout@8e8c483d, pnpm/action-setup@a7487c7e, actions/setup-node@53b83947) all verified against the upstream GitHub API. The pnpm action pin is the dereferenced commit SHA (the v4.1.0 tag is annotated).
  • pnpm install --frozen-lockfile is used because this is a release-branch publish path; lockfile drift would be a release-blocker.

@jdalton
ci(provenance): inline standalone publish workflow with auto-tag
75ead4c 
Replaces the `uses: SocketDev/socket-registry/.github/workflows/provenance.yml@…`
call with a fully standalone publish workflow. Decouples v1.4.x from
socket-registry main so future reusable-workflow changes don't drift
this release branch.

The inlined workflow:

- checks out, sets up pnpm + Node, installs, builds, publishes via
  `pnpm run publish:ci -- --tag <dist-tag>`.
- captures published SHA + version after a successful publish.
- runs a downstream `tag-release` job that creates `v<version>` at the
  published SHA via `gh api` (GITHUB_TOKEN only lives in that step's
  env; never written to `.git/config` where untrusted code in the
  publish job could read it).
- idempotent tag creation: no-op on same SHA, hard-fail on different
  SHA (GitHub Release Immutability means moving a tag is unsafe).
- adds a `dry-run` input (defaults true) so accidental dispatches don't
  publish.

Why: socket-cli 1.1.98 and 1.1.99 were published from this fleet with
no git tags on origin — hand-created on 2026-05-20 from `npm view
gitHead`. v1.4.x is a release branch; embedding the workflow rather
than tracking socket-registry main keeps it stable across infra
evolution.
@socket-security-staging
Copy link
Copy Markdown

socket-security-staging Bot commented May 20, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedgithub/​pnpm/​action-setup@​a7487c7e89a18df4991f7f222e4898a00d66ddda90100100100100
Addedgithub/​actions/​setup-node@​53b83947a5a98c8d113130e565377fae1a50d02f99100100100100

View full report

@socket-security
Copy link
Copy Markdown

socket-security Bot commented May 20, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedgithub/​pnpm/​action-setup@​a7487c7e89a18df4991f7f222e4898a00d66ddda90100100100100
Addedgithub/​actions/​setup-node@​53b83947a5a98c8d113130e565377fae1a50d02f99100100100100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jdalton