security: remove malicious obfuscated payload from postcss.config.mjs #96
| name: Release | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - beta | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| deployments: write | |
| packages: write | |
| statuses: write | |
| issues: write | |
| actions: write | |
| discussions: write | |
| id-token: write | |
| jobs: | |
| release: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v6 | |
| - name: Install pnpm | |
| run: corepack enable | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v6 | |
| with: | |
| node-version: '22' | |
| cache: 'pnpm' | |
| - name: Install dependencies | |
| run: pnpm install --frozen-lockfile | |
| - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies | |
| run: npm audit signatures | |
| - name: Build project | |
| run: pnpm build | |
| - name: Run Semantic Release | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # GitHub token for Semantic Release | |
| NPM_CONFIG_PROVENANCE: 'true' | |
| run: pnpm exec semantic-release | |
| - name: Check if current version is already published | |
| id: version-check | |
| env: | |
| NPM_PACKAGE_NAME: '@trieb.work/nextjs-turbo-redis-cache' | |
| run: | | |
| VERSION=$(node -p "require('./package.json').version") | |
| echo "version=$VERSION" >> "$GITHUB_OUTPUT" | |
| if npm view "$NPM_PACKAGE_NAME@$VERSION" version --registry https://registry.npmjs.org/ >/dev/null 2>&1; then | |
| echo "should_publish=false" >> "$GITHUB_OUTPUT" | |
| else | |
| echo "should_publish=true" >> "$GITHUB_OUTPUT" | |
| fi | |
| - name: Exchange GitHub OIDC token for npm token | |
| id: npm-oidc | |
| env: | |
| NPM_PACKAGE_NAME: '@trieb.work/nextjs-turbo-redis-cache' | |
| run: | | |
| node <<'NODE' | |
| const fs = require('node:fs'); | |
| const pkg = process.env.NPM_PACKAGE_NAME; | |
| const reqUrl = process.env.ACTIONS_ID_TOKEN_REQUEST_URL; | |
| const reqToken = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN; | |
| if (!pkg || !reqUrl || !reqToken) { | |
| console.error('Missing required env for OIDC token retrieval'); | |
| process.exit(1); | |
| } | |
| const audience = 'npm:registry.npmjs.org'; | |
| const url = reqUrl + (reqUrl.includes('?') ? '&' : '?') + 'audience=' + encodeURIComponent(audience); | |
| (async () => { | |
| const idRes = await fetch(url, { headers: { Authorization: 'Bearer ' + reqToken } }); | |
| if (!idRes.ok) { | |
| console.error('Failed to fetch GitHub OIDC token:', idRes.status, await idRes.text()); | |
| process.exit(1); | |
| } | |
| const idBody = await idRes.json(); | |
| const idToken = idBody.value; | |
| const exUrl = | |
| 'https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/' + encodeURIComponent(pkg); | |
| const exRes = await fetch(exUrl, { | |
| method: 'POST', | |
| headers: { Authorization: 'Bearer ' + idToken }, | |
| }); | |
| const exText = await exRes.text(); | |
| if (!exRes.ok) { | |
| console.error('OIDC token exchange with npm failed:', exRes.status, exText); | |
| process.exit(1); | |
| } | |
| const exBody = JSON.parse(exText); | |
| const npmToken = exBody.token; | |
| if (!npmToken) { | |
| console.error('npm exchange response missing token'); | |
| process.exit(1); | |
| } | |
| fs.appendFileSync(process.env.GITHUB_OUTPUT, `node_auth_token=${npmToken}\n`); | |
| const npmrcPath = `${process.env.RUNNER_TEMP}/npmrc`; | |
| const npmrc = [ | |
| 'registry=https://registry.npmjs.org/', | |
| 'always-auth=true', | |
| '//registry.npmjs.org/:_authToken=' + npmToken, | |
| '', | |
| ].join('\n'); | |
| fs.writeFileSync(npmrcPath, npmrc, { encoding: 'utf8' }); | |
| fs.appendFileSync(process.env.GITHUB_OUTPUT, `npmrc_path=${npmrcPath}\n`); | |
| console.log('OIDC token exchange with npm registry succeeded'); | |
| })().catch((e) => { | |
| console.error(e); | |
| process.exit(1); | |
| }); | |
| NODE | |
| - name: Publish to npm (Trusted Publishing) | |
| if: steps.version-check.outputs.should_publish == 'true' | |
| env: | |
| NPM_CONFIG_PROVENANCE: 'true' | |
| NPM_DIST_TAG: ${{ github.ref_name == 'beta' && 'beta' || 'latest' }} | |
| NPM_CONFIG_USERCONFIG: ${{ steps.npm-oidc.outputs.npmrc_path }} | |
| run: npm publish --provenance --access public --tag $NPM_DIST_TAG --registry https://registry.npmjs.org/ | |
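Review bot: The npm token returned by the OIDC exchange is appended to `$GITHUB_OUTPUT` as `node_auth_token=` in the "Exchange GitHub OIDC token for npm token" step, but nothing downstream reads that output — the publish step only consumes `steps.npm-oidc.outputs.npmrc_path` — and values written to GITHUB_OUTPUT are not masked in logs automatically, so that append should be dropped, or at minimum preceded by `console.log(`::add-mask::${npmToken}`);` if the output is kept. The `permissions` block grants write on actions, discussions, statuses, deployments and packages that neither `pnpm exec semantic-release` nor `npm publish` to registry.npmjs.org visibly needs in this workflow; since this commit responds to a malicious build-time payload, and `pnpm build` runs with `GITHUB_TOKEN` in reach, trimming the block to what semantic-release actually uses (likely `contents`, `issues`, `pull-requests` and `id-token` — confirm against its plugins) limits the blast radius of a compromised build step. Relatedly, `actions/checkout@v6` and `actions/setup-node@v6` are pinned by mutable tag rather than a commit SHA, which a supply-chain remediation would normally tighten. The forge also flags this file as containing hidden or bidirectional Unicode characters, which is worth inspecting in an editor that reveals them before merging.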