From 1eac8ab2b32030850cc2f5e234fc24b7503ed460 Mon Sep 17 00:00:00 2001 From: mshanemc Date: Wed, 29 Oct 2025 09:15:07 -0500 Subject: [PATCH 1/8] feat: monorepo publishing --- .github/workflows/npmPublish.yml | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/.github/workflows/npmPublish.yml b/.github/workflows/npmPublish.yml index 31943ba..9a887d1 100644 --- a/.github/workflows/npmPublish.yml +++ b/.github/workflows/npmPublish.yml @@ -61,6 +61,12 @@ on: required: false default: true type: boolean + packagePath: + description: relative path to the package to publish, should start with a ".". Defaults to the root of the repository. Useful for monorepos. + required: false + type: string + default: . + jobs: check-publish: outputs: @@ -279,6 +285,7 @@ jobs: ${{ inputs.dryrun && '--dryrun' || '' }} \ ${{ inputs.prerelease && format('--prerelease {0}', github.ref_name) || '' }} \ ${{ inputs.sign && '--sign' || '' }} + working-directory: ${{ inputs.packagePath }} env: NPM_TOKEN: ${{secrets.NPM_TOKEN}} AWS_ACCESS_KEY_ID: ${{secrets.AWS_ACCESS_KEY_ID}} From 91db5033814fc605e1c391cabcb465773b020be4 Mon Sep 17 00:00:00 2001 From: mshanemc Date: Wed, 29 Oct 2025 09:21:34 -0500 Subject: [PATCH 2/8] chore: publish check is pkg-aware --- .github/workflows/npmPublish.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/npmPublish.yml b/.github/workflows/npmPublish.yml index 9a887d1..5b1f5a4 100644 --- a/.github/workflows/npmPublish.yml +++ b/.github/workflows/npmPublish.yml @@ -102,6 +102,7 @@ jobs: fi env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + working-directory: ${{ inputs.packagePath }} - run: echo "[INFO] Is package published:\ $STEPS_IS_PUBLISHED_PUBLISHED" env: From 1fef8858b069f3c7dfe5588e9496823d8899ba31 Mon Sep 17 00:00:00 2001 From: mshanemc Date: Wed, 29 Oct 2025 10:35:12 -0500 Subject: [PATCH 3/8] refactor: use npm ci, timeout flag is invalid for npm --- .github/actions/npmInstallWithRetries/action.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/actions/npmInstallWithRetries/action.yml b/.github/actions/npmInstallWithRetries/action.yml index 822c729..dafe127 100644 --- a/.github/actions/npmInstallWithRetries/action.yml +++ b/.github/actions/npmInstallWithRetries/action.yml @@ -7,7 +7,10 @@ inputs: runs: using: composite steps: - - name: npm install + - name: timeout config + run: npm config set timeout 600000 + shell: bash + - name: npm ci uses: salesforcecli/github-workflows/.github/actions/retry@main with: - command: npm install --timeout 600000 ${{ inputs.ignore-scripts == 'true' && '--ignore-scripts' || '' }} + command: npm ci --no-audit --no-fund ${{ inputs.ignore-scripts == 'true' && '--ignore-scripts' || '' }} From 129b065020897dd14171cf9d4c19fcb19c3546d3 Mon Sep 17 00:00:00 2001 From: mshanemc Date: Wed, 29 Oct 2025 11:31:53 -0500 Subject: [PATCH 4/8] test: temporarily use branch --- .github/workflows/npmPublish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/npmPublish.yml b/.github/workflows/npmPublish.yml index 5b1f5a4..8c1e15f 100644 --- a/.github/workflows/npmPublish.yml +++ b/.github/workflows/npmPublish.yml @@ -144,7 +144,7 @@ jobs: uses: salesforcecli/github-workflows/.github/actions/yarnInstallWithRetries@main - name: Install dependencies with npm if: inputs.packageManager == 'npm' - uses: salesforcecli/github-workflows/.github/actions/npmInstallWithRetries@main + uses: salesforcecli/github-workflows/.github/actions/npmInstallWithRetries@sm/monorepo-npm-publishes - name: Vulnerability check if: inputs.vulnerabilityCheck # Temporary check for known vulnerable packages from the following supply chain attacks: From 56de8efce03f9a39569f576a3fbf4ef28caf8314 Mon Sep 17 00:00:00 2001 From: mshanemc Date: Wed, 29 Oct 2025 11:38:41 -0500 Subject: [PATCH 5/8] chore: wrong config --- .github/actions/npmInstallWithRetries/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/npmInstallWithRetries/action.yml b/.github/actions/npmInstallWithRetries/action.yml index dafe127..30c64cf 100644 --- a/.github/actions/npmInstallWithRetries/action.yml +++ b/.github/actions/npmInstallWithRetries/action.yml @@ -8,7 +8,7 @@ runs: using: composite steps: - name: timeout config - run: npm config set timeout 600000 + run: npm config set fetch-timeout 600000 shell: bash - name: npm ci uses: salesforcecli/github-workflows/.github/actions/retry@main From ddca188617ab435d946049a9513611100f62996b Mon Sep 17 00:00:00 2001 From: mshanemc Date: Wed, 29 Oct 2025 12:09:48 -0500 Subject: [PATCH 6/8] chore: revert branch --- .github/workflows/npmPublish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/npmPublish.yml b/.github/workflows/npmPublish.yml index 8c1e15f..5b1f5a4 100644 --- a/.github/workflows/npmPublish.yml +++ b/.github/workflows/npmPublish.yml @@ -144,7 +144,7 @@ jobs: uses: salesforcecli/github-workflows/.github/actions/yarnInstallWithRetries@main - name: Install dependencies with npm if: inputs.packageManager == 'npm' - uses: salesforcecli/github-workflows/.github/actions/npmInstallWithRetries@sm/monorepo-npm-publishes + uses: salesforcecli/github-workflows/.github/actions/npmInstallWithRetries@main - name: Vulnerability check if: inputs.vulnerabilityCheck # Temporary check for known vulnerable packages from the following supply chain attacks: From a9dac39201e0f2384907ffa7eb950aa4b0891f9b Mon Sep 17 00:00:00 2001 From: mshanemc Date: Wed, 29 Oct 2025 12:19:37 -0500 Subject: [PATCH 7/8] test: revert to do not-dry-run --- .github/workflows/npmPublish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/npmPublish.yml b/.github/workflows/npmPublish.yml index 5b1f5a4..8c1e15f 100644 --- a/.github/workflows/npmPublish.yml +++ b/.github/workflows/npmPublish.yml @@ -144,7 +144,7 @@ jobs: uses: salesforcecli/github-workflows/.github/actions/yarnInstallWithRetries@main - name: Install dependencies with npm if: inputs.packageManager == 'npm' - uses: salesforcecli/github-workflows/.github/actions/npmInstallWithRetries@main + uses: salesforcecli/github-workflows/.github/actions/npmInstallWithRetries@sm/monorepo-npm-publishes - name: Vulnerability check if: inputs.vulnerabilityCheck # Temporary check for known vulnerable packages from the following supply chain attacks: From c83b35cea4bc3ed069ddcdf25798db2246ea3d97 Mon Sep 17 00:00:00 2001 From: mshanemc Date: Thu, 30 Oct 2025 16:26:11 -0500 Subject: [PATCH 8/8] chore: revert branch name --- .github/workflows/npmPublish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/npmPublish.yml b/.github/workflows/npmPublish.yml index 8c1e15f..5b1f5a4 100644 --- a/.github/workflows/npmPublish.yml +++ b/.github/workflows/npmPublish.yml @@ -144,7 +144,7 @@ jobs: uses: salesforcecli/github-workflows/.github/actions/yarnInstallWithRetries@main - name: Install dependencies with npm if: inputs.packageManager == 'npm' - uses: salesforcecli/github-workflows/.github/actions/npmInstallWithRetries@sm/monorepo-npm-publishes + uses: salesforcecli/github-workflows/.github/actions/npmInstallWithRetries@main - name: Vulnerability check if: inputs.vulnerabilityCheck # Temporary check for known vulnerable packages from the following supply chain attacks: