Bumps the npm_and_yarn group with 1 update in the / directory: [ajv](https://github.com/ajv-validator/ajv).

Updates `ajv` from 6.12.6 to 6.14.0
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v6.12.6...v6.14.0)

---
updated-dependencies:
- dependency-name: ajv
  dependency-version: 6.14.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
…rn-f1bf2b0a19 Bump ajv from 6.12.6 to 6.14.0 in the npm_and_yarn group across 1 directory
Pull request overview
This PR updates the project’s npm package metadata and dependency set, and adjusts the GitHub Actions release workflow to gate publishing on lint and to use deterministic installs.
Changes:
- Bump package version to `0.1.2` and update several dependencies/devDependencies.
- Regenerate `package-lock.json` to reflect the dependency updates.
- Update CI workflows: add a reusable lint workflow call before publishing, switch `npm install` to `npm ci`, and adjust job permissions.
Reviewed changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| package.json | Version bump and dependency/devDependency updates. |
| package-lock.json | Lockfile updates reflecting new resolved dependency versions. |
| .github/workflows/publish.yml | Adds a lint gate before publish, switches to npm ci, and changes job permissions. |
| .github/workflows/lint.yml | Makes lint workflow reusable (workflow_call) and switches to npm ci. |
| lint: | ||
| uses: ./.github/workflows/lint.yml | ||
|
|
The workflow-level permissions grant id-token: write, and the new reusable-workflow job lint inherits that permission. If the lint workflow doesn’t need OIDC, set explicit job-level permissions for lint (e.g., contents: read) and move id-token: write to only the publish job to follow least-privilege.
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write |
pull-requests: write is granted to the publish job, but none of the steps in this job appear to interact with PRs. Please drop this permission unless it’s required, to reduce the impact of a compromised workflow run.
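The job-scoped permission layout the two review comments above ask for, written out as an added illustration rather than the PR's own publish.yml. Job names, the Node version and the checkout/setup steps follow the hunk shown in this PR; the trigger, the final publish step and what lint.yml actually needs are assumptions.

```yaml
# Added illustration, not the project's workflow. The `on:` trigger, the
# `npm publish` step and lint.yml's requirements are assumed.
name: publish
on:
  release:
    types: [published]

# No workflow-level `permissions:` block: each job declares exactly what it
# uses, so the reusable lint job cannot inherit id-token: write.
jobs:
  lint:
    uses: ./.github/workflows/lint.yml
    permissions:
      contents: read      # checkout only; no OIDC token, no PR access

  publish:
    needs: [lint]
    runs-on: ubuntu-latest
    permissions:
      contents: read      # checkout
      id-token: write     # OIDC token for the registry, only where it is used
      # pull-requests: write is omitted: no step in this job touches a PR
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: 24
          registry-url: "https://registry.npmjs.org"
      - run: npm ci       # deterministic install from package-lock.json
      - run: npm publish  # assumed publish step; not shown in the hunk
```

With this shape a compromised lint step (a malicious linter plugin pulled in by a dependency bump, for example) runs with a read-only token and cannot mint an OIDC token for the registry; only the gated publish job can.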
| pull-requests: write |
| lint: | ||
| uses: ./.github/workflows/lint.yml | ||
|
|
||
| publish: | ||
| needs: [lint] | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| contents: read | ||
| pull-requests: write | ||
| id-token: write | ||
| steps: | ||
| - uses: actions/checkout@v6 | ||
| - uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: 24 | ||
| registry-url: "https://registry.npmjs.org" | ||
| - run: npm install -g npm@latest | ||
| - run: npm install | ||
| - run: npm ci |
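Review bot: the `npm install -g npm@latest` step immediately before `npm ci` upgrades npm to whatever the registry serves as latest at the moment the release job runs, so the release path stays unpinned even though the dependency tree is now locked by `npm ci`; either drop the step and use the npm that `actions/setup-node` provides with Node 24, or pin an explicit npm version so a release run is reproducible and a bad npm release cannot enter the pipeline unreviewed. Separately, the rendered hunk shows both `- run: npm install` and `- run: npm ci`; the PR summary says the former is replaced, so please confirm only the `npm ci` line remains in the final workflow rather than both steps running back to back.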
PR title indicates a package update, but this change also modifies CI/release workflows (adding a lint gate, changing install strategy, and updating permissions). Consider updating the PR title/description to reflect the workflow changes, or split workflow changes into a separate PR for clearer review and rollback.