From 78576d4008660de2921c1c66a8f6e4312618b854 Mon Sep 17 00:00:00 2001 From: Ricardo Amaral Date: Fri, 24 Oct 2025 17:29:45 +0100 Subject: [PATCH] ci: Enable trusted publishing and npm provenance --- .github/workflows/publish.yml | 39 +++++++++++++++++------------- .github/workflows/pull_request.yml | 11 ++++----- .npmrc | 5 ++-- package-lock.json | 31 ++++++++++++++++-------- package.json | 9 +++---- 5 files changed, 54 insertions(+), 41 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 4727a3d30..8526a164d 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -8,11 +8,12 @@ on: workflow_dispatch: permissions: - # Enable the use of OIDC for npm provenance + # Enable the use of OIDC for trusted publishing and npm provenance id-token: write # Enable the use of GitHub Packages registry - contents: read packages: write + # Enable Release Please to publish a GitHub release + contents: read jobs: publish: @@ -23,13 +24,14 @@ jobs: timeout-minutes: 60 steps: - uses: actions/checkout@v4 - - name: Read Node.js version from '.nvmrc' - id: nvmrc - run: | - echo "NODE_VERSION=$(cat .nvmrc)" >> $GITHUB_OUTPUT - - uses: actions/setup-node@v1 + + - name: Prepare Node.js environment + uses: actions/setup-node@v3 with: - node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }} + node-version-file: '.nvmrc' + + - name: Ensure npm 11.5.1 or later is installed + run: npm install -g npm@latest # Remove any registry configurations from .npmrc - run: sed -i "/@doist/d" ./.npmrc 
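Review bot: The added comment `# Enable Release Please to publish a GitHub release` sits directly above `contents: read`, but a read-only scope cannot create a release, so the comment describes a permission this block does not grant. Reword it to match what is granted, e.g. `# Read-only access to repository contents (checkout)`. If a release really is created from this workflow, that would need `contents: write`, though no such step is visible in this patch. Separately, `id-token: write` and `packages: write` are set at workflow level; moving the `permissions:` block under the `publish` job would keep the OIDC token away from any job added to this file later.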
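Review bot: The new step `run: npm install -g npm@latest` installs whatever npm release is current at run time into a job that holds `id-token: write` and `packages: write`, so the publishing toolchain is not reproducible and a bad release would run with those credentials. The step name already states the floor, so pin a reviewed version, e.g. `run: npm install -g npm@11.5.1`, and bump it deliberately. The same concern applies to `uses: actions/setup-node@v3` and `uses: actions/checkout@v4`, here, in the next publish.yml hunk and in pull_request.yml. A tag can be moved, whereas a full commit SHA with the tag in a trailing comment cannot. The job's step list continues outside this hunk.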
@@ -43,21 +45,24 @@ jobs: - run: npm run build # Publish to GitHub package registry - - uses: actions/setup-node@v1 + - name: Publish to GitHub Package Registry + uses: actions/setup-node@v3 with: - node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }} + node-version-file: '.nvmrc' registry-url: https://npm.pkg.github.com/ scope: '@doist' - - run: npm publish --provenance + - run: npm publish env: - NODE_AUTH_TOKEN: ${{secrets.GITHUB_TOKEN}} + NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Clear npm config between GitHub/npm registries + run: rm -f $NPM_CONFIG_USERCONFIG # Publish to npm registry - - uses: actions/setup-node@v1 + - name: Publish to npm registry + uses: actions/setup-node@v3 with: - node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }} + node-version-file: '.nvmrc' registry-url: https://registry.npmjs.org/ scope: '@doist' - - run: npm publish --provenance - env: - NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}} + - run: npm publish --provenance --access public diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index a798ee13b..ad7ac8979 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -9,13 +9,12 @@ jobs: timeout-minutes: 15 steps: - uses: actions/checkout@v4 - - name: Read Node.js version from '.nvmrc' - id: nvmrc - run: | - echo "NODE_VERSION=$(cat .nvmrc)" >> $GITHUB_OUTPUT - - uses: actions/setup-node@v1 + + - name: Prepare Node.js environment + uses: actions/setup-node@v3 with: - node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }} + node-version-file: '.nvmrc' + - run: npm ci - run: npm run lint - run: npm run type-check diff --git a/.npmrc b/.npmrc index 77fd2dcb9..b99d08343 100644 --- a/.npmrc +++ b/.npmrc 
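Review bot: `run: rm -f $NPM_CONFIG_USERCONFIG` is unquoted and `-f` suppresses errors, so if the variable is empty the step succeeds without removing the GitHub Packages registry configuration it is meant to clear before the npm publish. Quote it and fail when unset: `run: rm -f "${NPM_CONFIG_USERCONFIG:?}"`. Also, removing `NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}` from the npm publish step does not invalidate that token. Presumably it should be revoked on the registry and deleted from the repository secrets once a trusted-publisher run has succeeded, otherwise the long-lived credential stays usable outside this workflow.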
@@ -1,5 +1,6 @@ -engine-strict=true - # Ensure dependencies are installed from the npm registry instead of GitHub # if you've defined the default registry for @doist in another .npmrc @doist:registry=https://registry.npmjs.org/ + +# Refuse to install any package incompatible with the current Node.js version +engine-strict=true \ No newline at end of file diff --git a/package-lock.json b/package-lock.json index 5615b6f52..726769ef4 100644 --- a/package-lock.json +++ b/package-lock.json @@ -12527,14 +12527,25 @@ } }, "node_modules/caniuse-lite": { - "version": "1.0.30001265", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001265.tgz", - "integrity": "sha512-YzBnspggWV5hep1m9Z6sZVLOt7vrju8xWooFAgN6BA5qvy98qPAPb7vNUzypFaoh2pb3vlfzbDO8tB57UPGbtw==", + "version": "1.0.30001751", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001751.tgz", + "integrity": "sha512-A0QJhug0Ly64Ii3eIqHu5X51ebln3k4yTUkY1j8drqpWHVreg/VLijN48cZ1bYPiqOQuqpkIKnzr/Ul8V+p6Cw==", "dev": true, - "funding": { - "type": "opencollective", - "url": "https://opencollective.com/browserslist" - } + "funding": [ + { + "type": "opencollective", + "url": "https://opencollective.com/browserslist" + }, + { + "type": "tidelift", + "url": "https://tidelift.com/funding/github/npm/caniuse-lite" + }, + { + "type": "github", + "url": "https://github.com/sponsors/ai" + } + ], + "license": "CC-BY-4.0" }, "node_modules/capital-case": { "version": "1.0.4", 
@@ -47603,9 +47614,9 @@ } }, "caniuse-lite": { - "version": "1.0.30001265", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001265.tgz", - "integrity": "sha512-YzBnspggWV5hep1m9Z6sZVLOt7vrju8xWooFAgN6BA5qvy98qPAPb7vNUzypFaoh2pb3vlfzbDO8tB57UPGbtw==", + "version": "1.0.30001751", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001751.tgz", + "integrity": "sha512-A0QJhug0Ly64Ii3eIqHu5X51ebln3k4yTUkY1j8drqpWHVreg/VLijN48cZ1bYPiqOQuqpkIKnzr/Ul8V+p6Cw==", "dev": true }, "capital-case": { diff --git a/package.json b/package.json index 9e9e4f339..5528da1d1 100644 --- a/package.json +++ b/package.json @@ -1,18 +1,15 @@ { "name": "@doist/reactist", "description": "Open source React components by Doist", + "version": "28.7.0", + "repository": "https://github.com/Doist/reactist", + "homepage": "https://github.com/Doist/reactist#readme", "author": { "name": "Henning Muszynski", "email": "henning@doist.com", "url": "http://doist.com" }, - "version": "28.7.0", "license": "MIT", - "homepage": "https://github.com/Doist/reactist#readme", - "repository": { - "type": "git", - "url": "git+https://github.com/Doist/reactist.git" - }, "prettier": "@doist/prettier-config", "main": "lib/index.js", "module": "es/index.js",
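Review bot: `"repository": "https://github.com/Doist/reactist"` replaces the explicit object form in the same commit that makes `npm publish --provenance` depend on OIDC. As far as I know, the registry rejects a provenance publish when the package's repository URL does not match the repository that ran the workflow. npm is expected to normalise the string shorthand when packing, but that is worth confirming before the first release from this workflow. The safer option is to keep the explicit form `"repository": { "type": "git", "url": "git+https://github.com/Doist/reactist.git" }`, which leaves nothing to normalisation.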