The workflow below determines whether to deploy to the development or the release repository based on the branch that triggered the run.
build-publish.yml
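---
name: "JFrog-GitHub NPM Publish OIDC Integration"

# Manual trigger only for now; the push triggers are kept below for reference.
# yamllint disable-line rule:truthy
on:
  workflow_dispatch:
  # push:
  #   branches:
  #     - dev-FB-oidc-poc
  #     - main

# An explicit permissions block drops every permission it does not list, so the
# checkout step needs contents: read next to the OIDC token grant. Nothing else
# (packages, pull-requests, ...) is granted.
permissions:
  id-token: write
  contents: read

jobs:
  build:
    runs-on: self-hosted

    env:
      OIDC_AUDIENCE: 'frog-company'
      OIDC_PROVIDER: 'jeremyl-frog'
      RELEASE_REPO: 'jl-npm-releases'  # Virtual that aggregates jl-npm-releases-local & npm-remote
      DEV_REPO: 'jl-npm-dev'  # Virtual that aggregates jl-npm-dev-local & npm-remote
      JF_URL: ${{ secrets.CLOUD_JF_URL }}
      BUILD_NAME: oidc-npm-publish-example
      BUILD_NUMBER: ${{ github.run_number }}

    defaults:
      run:
        # The run steps below use bash-only [[ ]] tests; naming the shell also
        # turns on pipefail for the git | tr pipeline.
        shell: bash
        working-directory: ./package

    steps:
      - name: Checkout
        uses: actions/checkout@v3

      - name: Setup Node npm
        uses: actions/setup-node@v3

      # Tags are mutable references; for a stable supply-chain pin, replace the
      # tag with the action's full commit SHA for that release.
      # The OIDC provider/audience must match the identity mapping configured on
      # the JFrog platform; JF_URL comes from the job-level env.
      - name: Setup JFrog CLI
        uses: jfrog/setup-jfrog-cli@v4.5.6
        with:
          oidc-provider-name: ${{ env.OIDC_PROVIDER }}
          oidc-audience: ${{ env.OIDC_AUDIENCE }}
        env:
          JF_URL: ${{ env.JF_URL }}

      # Only a run on main publishes to the release virtual; every other ref
      # (branches, tags, manual runs elsewhere) goes to the dev virtual.
      - name: Determine target repo
        id: repo
        run: |
          if [[ "${GITHUB_REF}" == "refs/heads/main" ]]; then
            echo "PLATFORM_REPO=${RELEASE_REPO}" >> "$GITHUB_ENV"
          else
            echo "PLATFORM_REPO=${DEV_REPO}" >> "$GITHUB_ENV"
          fi

      # Despite the step name, this configures both resolution and deployment,
      # both against the same virtual repo chosen above.
      - name: Set CLI Config (dependency resolution only)
        run: |
          jf npm-config \
            --repo-resolve="$PLATFORM_REPO" \
            --repo-deploy="$PLATFORM_REPO" \
            --server-id-resolve setup-jfrog-cli-server \
            --server-id-deploy setup-jfrog-cli-server

      - name: Show RT Servers and Set default
        run: jf c use setup-jfrog-cli-server

      # --ignore-scripts keeps dependency lifecycle scripts from running on the
      # (self-hosted) runner during install.
      - name: Install NPM dependencies
        run: jf npm i --ignore-scripts --build-name "$BUILD_NAME" --build-number "$BUILD_NUMBER"

      - name: Add Git data to Build Info
        run: jf rt build-add-git "$BUILD_NAME" "$BUILD_NUMBER"

      - name: Collect environment info
        run: jf rt build-collect-env "$BUILD_NAME" "$BUILD_NUMBER"

      # GITHUB_ACTOR is a runner-provided default environment variable, so only
      # the git author needs exporting here.
      # NOTE(review): %an is the commit *author* name; use %cn if the committer
      # is actually wanted. Author names are free text, so a ';' or '=' in one
      # would split the property spec passed to `jf rt sp` below.
      - name: Capture committer and github actor name
        run: |
          COMMITTER=$(git log -1 --pretty=format:'%an' | tr ' ' '_')
          echo "Committer: $COMMITTER"
          echo "COMMITTER=$COMMITTER" >> "$GITHUB_ENV"

      - name: NPM publish
        run: jf npm publish --build-name "$BUILD_NAME" --build-number "$BUILD_NUMBER"

      - name: Add github-commiter and github-actor properties
        run: |
          PACKAGE_NAME=$(jq -r .name package.json)
          PACKAGE_VERSION=$(jq -r .version package.json)
          # NPM repo format: <repo>/<package-name>/-/<package-name>-<version>.tgz
          # For a scoped package (@scope/name) the tarball basename drops the
          # scope: <repo>/@scope/name/-/name-<version>.tgz
          TARBALL_NAME="${PACKAGE_NAME#@*/}"
          ARTIFACT_PATH="$PLATFORM_REPO/$PACKAGE_NAME/-/$TARBALL_NAME-$PACKAGE_VERSION.tgz"
          echo "Artifact Path: $ARTIFACT_PATH"
          jf rt sp "$ARTIFACT_PATH" "github-commiter=${COMMITTER};github-actor=${GITHUB_ACTOR}"

      - name: Publish Build Info to Artifactory
        run: jf rt build-publish "$BUILD_NAME" "$BUILD_NUMBER"

      # Alternative for other package types: jf rt upload (attaching properties
      # on deployment) followed by the build-info steps.
      # - name: Publish with deployed-by property
      #   run: jf rt u <filename> ${{ env.PLATFORM_REPO }}/ --target-props=deployed-by=${{ env.COMMITTER }}
      # - name: Publish Build info With JFrog CLI
      #   run: |
      #     jf rt build-collect-env
      #     jf rt build-add-git
      #     jf rt build-publish

# Pro Tip:
# Use ${{ ... }} only in YAML, when GitHub Actions needs to interpolate workflow or secret variables.
# Use $VAR inside run: blocks, after exporting anything to the environment.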