
Commit 9d878eb

committed
ci: Sign UPM package before publishing.
Replace the plain `npm publish` with Unity's UPM CLI signing flow: install the upm CLI, pack and sign the package with the Unity organization service account, then publish the resulting signed tarball to the registry. Also bump the action versions (checkout v2 -> v5, repository-dispatch v1 -> v4).
1 parent 45c0202 commit 9d878eb

1 file changed

Lines changed: 22 additions & 5 deletions


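--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -7,21 +7,38 @@ jobs:
 publish:
 runs-on: ubuntu-latest
 steps:
-- uses: actions/checkout@v2
-- name: Publish
+- uses: actions/checkout@v5
+- name: Install Unity Package Manager CLI
+run: |
+curl -fsSL https://cdn.packages.unity.com/upm-cli/install.sh | bash
+echo "$HOME/.upm/bin" >> "$GITHUB_PATH"
+"$HOME/.upm/bin/upm" --version
+- name: Pack and sign
+run: |
+test -n "${UNITY_ORGANIZATION_ID}"
+mkdir -p "$RUNNER_TEMP/signed-package"
+upm pack . \
+--organization-id "${UNITY_ORGANIZATION_ID}" \
+--destination "$RUNNER_TEMP/signed-package"
+env:
+UPM_SERVICE_ACCOUNT_KEY_ID: ${{ secrets.UPM_SERVICE_ACCOUNT_KEY_ID }}
+UPM_SERVICE_ACCOUNT_KEY_SECRET: ${{ secrets.UPM_SERVICE_ACCOUNT_KEY_SECRET }}
+UNITY_ORGANIZATION_ID: ${{ secrets.UNITY_ORGANIZATION_ID }}
+- name: Publish signed package
 run: |
 echo "//registry.visualpinball.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
-npm publish
+package_tgz="$(find "$RUNNER_TEMP/signed-package" -maxdepth 1 -name '*.tgz' -print -quit)"
+test -n "$package_tgz"
+npm publish "$package_tgz" --registry=https://registry.visualpinball.org/
 env:
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
 dispatch:
 runs-on: ubuntu-latest
 needs: [ publish ]
 steps:
-- uses: peter-evans/repository-dispatch@v1
+- uses: peter-evans/repository-dispatch@v4
 with:
 token: ${{ secrets.GH_PAT }}
 event-type: publish-complete
 client-payload: '{"artifacts_run_id": "${{ github.run_id }}"}'
-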
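Review bot: The install step pipes `https://cdn.packages.unity.com/upm-cli/install.sh` straight into `bash` with no pinned version or checksum, and the binary it places in `$HOME/.upm/bin` is run by the next step with `UPM_SERVICE_ACCOUNT_KEY_SECRET` in its environment, in the same job that later holds `NPM_TOKEN`. A changed or compromised installer would therefore see the signing credentials and could alter what gets signed and published. Download to a file and verify before executing, e.g. `curl -fsSL -o "$RUNNER_TEMP/upm-install.sh" https://cdn.packages.unity.com/upm-cli/install.sh`, then `echo "<PINNED_SHA256>  $RUNNER_TEMP/upm-install.sh" | sha256sum -c -` and `bash "$RUNNER_TEMP/upm-install.sh"`; if the script itself fetches an unpinned binary, that download needs the same check. Separately, `actions/checkout@v5` and `peter-evans/repository-dispatch@v4` are mutable tags, and the latter receives `secrets.GH_PAT`; pinning both to full commit SHAs would close the same gap.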
