ci: attestations

Author: JCMais

.github/workflows/build-and-release.yaml

@@ -16,7 +16,7 @@ on:
       publish-binary:
         type: boolean
         default: false
-        description: Publish binary?
+        description: Force publish binary?
         required: true
 
 env:
@@ -26,7 +26,6 @@ env:
   # https://www.electronjs.org/docs/latest/tutorial/installation#cache
   electron_config_cache: ~/.cache/electron
   NODE_LIBCURL_GITHUB_TOKEN: ${{ secrets.NODE_LIBCURL_GITHUB_TOKEN }}
-  PUBLISH_BINARY: ${{ inputs.publish-binary }}
 
 concurrency:
   group: build-and-release-${{ github.ref_name }}
@@ -66,6 +65,11 @@ jobs:
         run: pnpm build:dist
 
   build-and-release:
+    permissions:
+      id-token: write
+      attestations: write
+      contents: write
+      packages: write
     runs-on: ${{ matrix.os == 'alpine' && 'ubuntu-22.04' || matrix.os }}
     container: ${{ matrix.os == 'alpine' && format('node:{0}-alpine3.21', matrix.node) || '' }}
     needs:
@@ -78,26 +82,26 @@ jobs:
         electron-version:
           - ''
         os:
-          # - macos-15
-          # - ubuntu-22.04
+          - macos-15
+          - ubuntu-22.04
           # - ubuntu-24.04-arm
           - alpine
-          # - windows-2025
+          - windows-2025
         libcurl-release:
           - ${{ needs.set-params.outputs.latest-libcurl-release }}
         node:
           - 24
           - 22
-        # include:
-        #   # electron builds
-        #   - os: ubuntu-22.04
-        #     libcurl-release: ${{ needs.set-params.outputs.latest-libcurl-release }}
-        #     node: 24
-        #     electron-version: 38.1.2
-        #   - os: macos-15
-        #     libcurl-release: ${{ needs.set-params.outputs.latest-libcurl-release }}
-        #     node: 24
-        #     electron-version: 38.1.2
+        include:
+          # electron builds
+          - os: ubuntu-22.04
+            libcurl-release: ${{ needs.set-params.outputs.latest-libcurl-release }}
+            node: 24
+            electron-version: 38.1.2
+          - os: macos-15
+            libcurl-release: ${{ needs.set-params.outputs.latest-libcurl-release }}
+            node: 24
+            electron-version: 38.1.2
     env:
       LIBCURL_RELEASE: ${{ matrix.libcurl-release }}
       LATEST_LIBCURL_RELEASE: ${{ matrix.libcurl-release }}
@@ -121,7 +125,14 @@ jobs:
 
       - if: runner.os == 'Linux' && matrix.os != 'alpine'
         name: Install Needed packages on Linux
-        run: sudo apt-get install -y cmake groff
+        run: sudo apt-get update && sudo apt-get install -y cmake groff
+
+      - name: Export Electron npm_config envs
+        if: matrix.electron-version
+        run: |
+          echo "npm_config_runtime=electron" >> $GITHUB_ENV
+          echo "npm_config_dist_url=https://electronjs.org/headers" >> $GITHUB_ENV
+          echo "npm_config_target=${{ matrix.electron-version }}" >> $GITHUB_ENV
 
       - name: Checkout
         uses: actions/checkout@v5
@@ -168,12 +179,14 @@ jobs:
         uses: mxschmitt/action-tmate@v3
         if: matrix.enable-debugging
 
-      - name: 'Publish Binary'
+      - name: 'Build and Package Binary'
         if: runner.os != 'Windows'
-        run: |
-          GIT_COMMIT=${{ github.sha }} \
-          GIT_REF_NAME=${{ github.ref_name}} \
-          ./scripts/ci/build.sh
+        env:
+          # this is false because we publish as a separate step
+          PUBLISH_BINARY: false
+          GIT_COMMIT: ${{ github.sha }}
+          GIT_REF_NAME: ${{ github.ref_name }}
+        run: ./scripts/ci/build.sh
 
       - name: 'Check if fully installed and built'
         id: built-and-installed
@@ -192,15 +205,42 @@ jobs:
           path: |
             ~/.node-gyp
             ~/deps
-          key: v4-${{ runner.os }}-libcurl-deps-cache-${{ matrix.electron-version && 'electron' || 'node' }}-${{ matrix.electron-version || matrix.node }}
+          key: v4-${{ matrix.os }}-libcurl-deps-cache-${{ matrix.electron-version && 'electron' || 'node' }}-${{ matrix.electron-version || matrix.node }}
 
-      - name: 'Publish Binary Windows'
+      - name: 'Build and Package Binary Windows'
         if: runner.os == 'Windows'
         shell: pwsh
+        env:
+          # this is false because we publish as a separate step
+          PUBLISH_BINARY: false
+          GIT_COMMIT: ${{ github.sha }}
+          GIT_REF_NAME: ${{ github.ref_name }}
+        run: ./scripts/ci/windows/build.ps1
+
+      - name: Create attestations
+        uses: actions/attest-build-provenance@v3
+        if: inputs.publish-binary
+        with:
+          subject-path: 'build/**/node_libcurl-*.tar.gz'
+
+      - name: 'Publish Binary [macos arm64]'
+        if: runner.os == 'macOS' && inputs.publish-binary
+        env:
+          npm_config_target_arch: arm64
+        run: |
+          node scripts/module-packaging.js --publish "$(pnpm --silent pregyp reveal staged_tarball --silent)"
+
+      - name: 'Publish Binary [macos x64]'
+        if: runner.os == 'macOS' && inputs.publish-binary
+        env:
+          npm_config_target_arch: x64
+        run: |
+          node scripts/module-packaging.js --publish "$(pnpm --silent pregyp reveal staged_tarball --silent)"
+
+      - name: 'Publish Binary [non macos]'
+        if: runner.os != 'macOS' && inputs.publish-binary
         run: |
-          $env:GIT_COMMIT = '${{ github.sha }}'
-          $env:GIT_REF_NAME = '${{ github.ref_name }}'
-          ./scripts/ci/windows/build.ps1
+          node scripts/module-packaging.js --publish "$(pnpm --silent pregyp reveal staged_tarball --silent)"
 
       - name: Upload artifacts
         if: always() && runner.os != 'Windows'

.github/workflows/publish.yml

@@ -0,0 +1,166 @@
+name: publish
+
+defaults:
+  run:
+    shell: bash
+
+on:
+  workflow_dispatch:
+    inputs:
+      enable-debugging:
+        type: boolean
+        description: Enable tmate session
+        required: false
+        default: false
+      version:
+        type: string
+        description: Version to release, takes precedence over release-type
+        required: false
+        default: ''
+      release-type:
+        type: choice
+        description: Kind of release
+        required: true
+        default: patch
+        options:
+          - prerelease
+          - premajor
+          - preminor
+          - prepatch
+          - major
+          - minor
+          - patch
+
+concurrency:
+  group: release
+  cancel-in-progress: false
+
+env:
+  NODE_VERSION: 24
+
+jobs:
+  release:
+    runs-on: ubuntu-22.04
+    environment: release
+    permissions:
+      id-token: write
+      attestations: write
+      contents: write
+      packages: write
+    steps:
+      - uses: actions/create-github-app-token@v2
+        id: app-token
+        with:
+          app-id: ${{ vars.APP_ID }}
+          private-key: ${{ secrets.APP_PRIVATE_KEY }}
+
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Get GitHub App User ID
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.app-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+
+      - run: |
+          git config --global user.name '${{ steps.app-token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.app-token.outputs.app-slug }}[bot]@users.noreply.github.com'
+  
+      # Node.js / PNPM
+      - uses: pnpm/action-setup@v4
+      - name: Set up Node ${{ env.NODE_VERSION }}
+        uses: actions/setup-node@v5
+        with:
+          node-version: '${{ env.NODE_VERSION }}'
+          cache: 'pnpm'
+          package-manager-cache: 'pnpm'
+
+      - name: Setup tmate session
+        uses: mxschmitt/action-tmate@v3
+        if: inputs.enable-debugging
+
+      - name: Install
+        run: pnpm install --frozen-lockfile
+
+      - uses: actions/github-script@v8
+        id: version-check
+        with:
+          result-encoding: json
+          script: |
+            const semver = require('semver');
+            const refName = '${{ github.ref_name }}';
+            let version = '${{ inputs.version }}'.trim();
+            const currentVersion = require('./package.json').version;
+
+            if (version) {
+              const isValid = semver.valid(version);
+              if (!isValid) {
+                throw new Error('Version is not a valid semver');
+              }
+
+              // must be greater than current version
+              const isGt = semver.gt(version, currentVersion);
+              if (!isGt) {
+                throw new Error('Version is not greater than current version');
+              }
+            } else {
+              version = semver.inc(currentVersion, '${{ inputs.release-type }}');
+              if (!version) {
+                throw new Error(`Failed to increment version with release type ${{ inputs.release-type }} for current version ${currentVersion}`);
+              }
+            }
+
+            const preRelease = semver.prerelease(version);
+            const isPreRelease = preRelease !== null;
+
+            if (refName !== 'master' && !isPreRelease) {
+              throw new Error('Version is not a prerelease and not on the main branch.');
+            }
+
+            return { version, isPreRelease };
+
+      - name: Run lint
+        run: pnpm lint
+      - name: Run tsc
+        run: pnpm build:dist
+
+      - name: Bump version (and run hooks) and create commit
+        run: pnpm version ${{ fromJson(steps.version-check.outputs.result).version }}
+
+      - name: Push Commit and Tags
+        run: git push origin --follow-tags
+
+      # Use https://github.com/changesets/changesets eventually
+      - name: Create release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          VERSION=${{ fromJson(steps.version-check.outputs.result).version }}
+          IS_PRE_RELEASE=${{ fromJson(steps.version-check.outputs.result).isPreRelease }}
+          IS_LATEST=${{ fromJson(steps.version-check.outputs.result).isPreRelease == false }}
+          gh release create v$VERSION \
+            --fail-on-no-commits \
+            --verify-tag \
+            --prerelease=$IS_PRE_RELEASE \
+            --latest=$IS_LATEST \
+            --title=v$VERSION \
+            --draft
+
+      - name: Ensure clean git state
+        run: git diff --exit-code
+
+      - name: Sleep for 1 minute
+        run: sleep 60
+
+      - name: Publish to NPM
+        env:
+          NPM_CONFIG_PROVENANCE: true
+        run: |
+          pnpm publish \
+            --access public \
+            --no-git-checks \
+            --tag ${{ fromJson(steps.version-check.outputs.result).isPreRelease && 'next' || 'latest' }}

package.json

@@ -115,6 +115,7 @@
     "np": "10.2.0",
     "prettier": "3.6.2",
     "progress": "2.0.3",
+    "semver": "7.7.2",
     "sort-package-json": "3.4.0",
     "tsx": "4.20.6",
     "typedoc": "0.28.13",

pnpm-lock.yaml

@@ -435,30 +435,35 @@ if [ "$RUN_TESTS" == "true" ]; then
   fi
 fi
 
+# Create the tarballs
+if [[ "$MACOS_UNIVERSAL_BUILD" == "true" ]]; then
+  # Need to publish two binaries when doing a universal build.
+  #
+  # Could also publish the universal build twice instead, but it might not
+  # play well with electron-builder which will try to lipo native add-ons
+  # for different architectures.
+  # --
+  lipo build/Release/node_libcurl.node -thin x86_64 -output lib/binding/node_libcurl.node
+  lipo build/Release/node_libcurl.node -thin arm64 -output lib/binding/node_libcurl.node
+
+  npm_config_target_arch=arm64 pnpm pregyp package testpackage --verbose
+  npm_config_target_arch=x64 pnpm pregyp package testpackage --verbose
+else
+  pnpm pregyp package testpackage --verbose
+fi
+
 # If we are here, it means the addon worked
 # Check if we need to publish the binaries
+# Notice, this is only useful if publishing locally, as the CI has a separate
+# step defined on the workflow itself, which uses attestations.
 if [[ $PUBLISH_BINARY == true && $LIBCURL_RELEASE == $LATEST_LIBCURL_RELEASE ]]; then
-  echo "Publish binary is true - Testing and publishing package with pregyp"
+  echo "Publish binary is true - Publishing package with pregyp"
   if [[ "$MACOS_UNIVERSAL_BUILD" == "true" ]]; then
-    # Need to publish two binaries when doing a universal build.
-    #
-    # Could also publish the universal build twice instead, but it might not
-    # play well with electron-builder which will try to lipo native add-ons
-    # for different architectures.
-    # --
-    # Build and publish x64 package
-    lipo build/Release/node_libcurl.node -thin x86_64 -output lib/binding/node_libcurl.node
-    npm_config_target_arch=x64 pnpm pregyp package testpackage --verbose
-    npm_config_target_arch=x64 node scripts/module-packaging.js --publish \
+    node scripts/module-packaging.js --publish \
       "$(npm_config_target_arch=x64 pnpm --silent pregyp reveal staged_tarball --silent)"
-  
-    # Build and publish arm64 package.
-    lipo build/Release/node_libcurl.node -thin arm64 -output lib/binding/node_libcurl.node
-    npm_config_target_arch=arm64 pnpm pregyp package --verbose  # Can't testpackage for arm64 yet.
-    npm_config_target_arch=arm64 node scripts/module-packaging.js --publish \
+    node scripts/module-packaging.js --publish \
       "$(npm_config_target_arch=arm64 pnpm --silent pregyp reveal staged_tarball --silent)"
   else
-    pnpm pregyp package testpackage --verbose
     node scripts/module-packaging.js --publish "$(pnpm --silent pregyp reveal staged_tarball --silent)"
   fi
 fi