socket-addon/.github/workflows/provenance.yml at main · SocketDev/socket-addon · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
name: 📦 Publish

# Dependencies:
#   - SocketDev/socket-registry/.github/workflows/provenance.yml
#
# socket-addon is a publish-only repo. The .node binaries are downloaded
# from socket-btm's GitHub Releases by scripts/publish.mts at publish
# time, verified against embedded SHA-256 checksums, then republished
# under the @socketaddon/* scope.
#
# No setup-script is needed — packages are static, the publish script
# pulls binaries on demand.

on:
  workflow_dispatch:
    inputs:
      dist-tag:
        description: 'Dist-tag (latest, next, beta, canary, backport, etc.)'
        required: false
        default: 'latest'
        type: string
      debug:
        description: 'Enable debug output'
        required: false
        default: '0'
        type: choice
        options:
          - '0'
          - '1'
      publish-without-sfw:
        description: 'Publish directly, bypassing Socket firewall shims'
        required: false
        default: false
        type: boolean

permissions:
  contents: write
  id-token: write

jobs:
  publish:
    uses: SocketDev/socket-registry/.github/workflows/provenance.yml@370a9ebc52ccb7fcc95552ebbd3a414021ebe889 # main (2026-05-28)
    with:
      debug: ${{ inputs.debug }}
      dist-tag: ${{ inputs.dist-tag }}
      publish-script: 'publish:ci'
      publish-without-sfw: ${{ inputs.publish-without-sfw }}
      use-trusted-publishing: true
    secrets:
      SOCKET_API_TOKEN: ${{ secrets.SOCKET_API_TOKEN || secrets.SOCKET_API_KEY }}