feat: Initial commit

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020 Clay Miller
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,28 @@
+# action-package-audit
+
+Requires 2FA for publishing an npm org’s packages.
+
+## Environment Variables
+
+### `NPM_TOKEN`
+
+**Required** A [token](https://docs.npmjs.com/about-access-tokens) to authenticate with the npm registry. An automtion token should be provided, not a read-only or publish token.
+
+### `PACKAGE_AUDIT_ORG`
+
+**Required** The npm org to audit. For example, `"smockle"`.
+
+### `PACKAGE_AUDIT_EXCEPTIONS`
+
+**Optional** A space-delimited list of npm packages which should not require 2FA for publishing. For example, `"@smockle/contrast @smockle/periodic"`.
+
+## Example usage
+
+```YAML
+- name: Package Audit
+  uses: smockle/action-package-audit@main
+  env:
+    NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+    PACKAGE_AUDIT_ORG: "smockle"
+    PACKAGE_AUDIT_EXCEPTIONS: "@smockle/contrast @smockle/periodic"
+```

action.yml

@@ -0,0 +1,9 @@
+name: "action-package-audit"
+author: "smockle"
+description: "Requires 2FA for publishing an npm org’s packages."
+runs:
+  using: "node14"
+  image: "index.mjs"
+branding:
+  icon: "shield"
+  color: "blue"

index.mjs

@@ -0,0 +1,36 @@
+#!/usr/bin/env node --es-module-specifier-resolution=node
+
+import { run } from "./run.js";
+
+/** An automation token to authenticate with the npm registry. */
+const token = process.env.NPM_TOKEN;
+if (!token) {
+  console.error("Missing environment variable: NPM_TOKEN");
+  process.exit(1);
+}
+await run(`echo "//registry.npmjs.org/:_authToken=${token}" > "${process.env.HOME}/.npmrc"`)
+
+/** The npm org to audit */
+const org = process.env.PACKAGE_AUDIT_ORG;
+if (!org) {
+  console.error("Missing environment variable: PACKAGE_AUDIT_ORG");
+  process.exit(1);
+}
+
+/** Packages which should not require 2FA for publishing */
+const exceptions = (process.env.PACKAGE_AUDIT_EXCEPTIONS ?? "")
+  .trim()
+  .split(" ")
+  .filter((x) => x);
+
+// Retrieve org packages
+const { stdout } = await run(`npm access ls-packages ${org}`);
+
+// Extract a list of org packages from command output
+const packages = Object.keys(JSON.parse(stdout.trim()));
+
+// Require 2FA for publishing packages
+// Docs: https://docs.npmjs.com/requiring-2fa-for-package-publishing-and-settings-modification
+for (const pkg in packages.filter((pkg) => !exceptions.includes(pkg))) {
+  await run(`npm access 2fa-required ${pkg}`);
+}

package.json

@@ -0,0 +1,18 @@
+{
+  "name": "action-package-audit",
+  "description": "Requires 2FA for publishing an npm org’s packages.",
+  "version": "1.0.0",
+  "type": "module",
+  "main": "index.mjs",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/smockle/action-package-audit.git"
+  },
+  "author": "Clay Miller <[email protected]> (https://www.smockle.com/)",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://github.com/smockle/action-package-audit/issues"
+  },
+  "homepage": "https://github.com/smockle/action-package-audit#readme",
+  "dependencies": {}
+}

run.mjs

@@ -0,0 +1,34 @@
+#!/usr/bin/env node --es-module-specifier-resolution=node
+// @ts-check
+
+import { exec } from "child_process";
+import { promisify } from "util";
+const execAsync = promisify(exec);
+
+/**
+ * @typedef {Object} Result
+ * @property {string} stdout Content written to the `stdout` buffer
+ * @property {string} stderr Content written to the `stderr` buffer
+ */
+
+/**
+ * Run the given shell command using `child_process.exec` and handle the result.
+ * @param command A shell command
+ * @returns {Promise<Result>}
+ */
+export async function run(command) {
+  console.log(`Running '${command}'`)
+  let stdout, stderr;
+  try {
+    ({ stdout, stderr } = await execAsync(command));
+  } catch (error) {
+    // Exit if there was an error
+    console.error(error);
+    process.exit(1);
+  }
+  // Don’t swallow errors from the `exec`’d command
+  if (stderr) {
+    console.error(stderr);
+  }
+  return { stdout, stderr };
+}