@@ -100,12 +100,39 @@ jobs:
100100 node-version : ' 20'
101101 registry-url : ' https://registry.npmjs.org'
102102
103+ - name : Configure AWS Credentials for Publish
104+ uses : aws-actions/configure-aws-credentials@v5
105+ with :
106+ aws-region : us-west-2
107+ role-to-assume : arn:aws:iam::587316601012:role/GitHub-CI-CI-Bot-Credential-Access-Role-us-west-2
108+ role-session-name : CI_Bot_Publish
109+
110+ - name : Get NPM Token
111+ uses : aws-actions/aws-secretsmanager-get-secrets@v2
112+ with :
113+ secret-ids : npm/aws-crypto-tools-ci-bot/2FA
114+ parse-json-secrets : true
115+
103116 # Ensure npm 11.5.1 or later is installed
104117 - name : Update npm
105118 run : npm install -g npm@latest
106119 - run : npm ci --unsafe-perm
107120 - run : npm run build --if-present
108- - run : npx lerna publish from-package --yes --dist-tag ${{ github.event.inputs.dist_tag }}
121+
122+ # Generate OTP from the 2FA secret key, waiting for next TOTP window to maximize validity
123+ - name : Generate OTP and publish
124+ run : |
125+ npm install otplib --no-save
126+ OTP=$(node -e "
127+ const auth = require('otplib').authenticator;
128+ setTimeout(() =>
129+ console.log(auth.generate(process.env.OTP_SECRET_KEY)),
130+ auth.timeRemaining() * 1000);
131+ ")
132+ npx lerna publish from-package --yes --otp $OTP --dist-tag ${{ github.event.inputs.dist_tag }}
133+ env :
134+ NODE_AUTH_TOKEN : ${{ env.NPM_AWS_CRYPTO_TOOLS_CI_BOT_2FA_NPM_TOKEN }}
135+ OTP_SECRET_KEY : ${{ env.NPM_AWS_CRYPTO_TOOLS_CI_BOT_2FA_OTP_SECRET_KEY }}
109136
110137 # Once publishing is complete, validate that the published packages are useable
111138 validate :
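Review bot: The `Get NPM Token` step fetches the publish token and the TOTP seed and they are read back as job-level `env.*` values on the publish step, yet the step is placed before `npm ci --unsafe-perm`, `npm run build` and the unpinned `npm install otplib --no-save`, so every dependency lifecycle script in those steps appears to run with both secrets readable from its environment — and token plus OTP seed is everything needed to publish as the bot. Move `Configure AWS Credentials for Publish` and `Get NPM Token` to immediately before `Generate OTP and publish`, and install the OTP helper in its own earlier step, pinned and with scripts disabled: `run: npm install --no-save --ignore-scripts otplib@<exact version>` (or declare it as a locked devDependency so `npm ci` covers it). In the publish command quote the value and fail closed, `[ -n "$OTP" ] || exit 1` then `--otp "$OTP"`, since an empty generation result currently makes `--dist-tag` be consumed as the OTP argument. The two `aws-actions/*` steps are referenced by mutable tags (`@v5`, `@v2`); for a publish workflow pin them to full commit SHAs. Whether the job grants `id-token: write` for the OIDC role assumption is not visible in this hunk.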