build.yaml

name: SLSA Generator Custom NodeJS

on:
  workflow_dispatch:
  push:

permissions:
  contents: read
  id-token: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Setup node
        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
      - name: Build steps
        run: |
          echo "Building the project"
          npm pack 
      - name: Get npm package filename
        id: package-info
        run: |
          PACKAGE_PATH=$(ls -1 *.tgz | head -n 1) # To be change with the action as input

          pack_json=$(npm pack $PACKAGE_PATH --json | tee pack.json | jq -c)
          jq <pack.json
          
          PACKAGE_FILENAME=$(echo "$pack_json" | jq -r '.[0].filename')
          echo "PACKAGE_FILENAME=${PACKAGE_FILENAME}" >> $GITHUB_OUTPUT
      - name: Attest for npmjs.com
        uses: LedgerHQ/actions-security/actions/attest-for-npmsjs-com@feat-init-npmjs-com-action
        with:
          subject-path: ${{ steps.package-info.outputs.PACKAGE_FILENAME }}