ci(Actions): Fixes Semantic Release creds (#1436)

* ci(Actions): Fixes Semantic Release creds * ci(Actions): Removes unnecessary workflow * ci(Actions): Separates bundle and lint
ryasmi · Nov 4, 2023 · 071a77d · 071a77d
1 parent 33ed489
commit 071a77d
Showing 1 changed file with 41 additions and 10 deletions.
diff --git a/.github/workflows/node.yml b/.github/workflows/node.yml
@@ -6,8 +6,23 @@ on:
   pull_request:
     branches: [master]
 
+permissions:
+  contents: read
+
 jobs:
-  build:
+  bundle-and-lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+      - run: npm ci
+      - run: npx --no-install microbundle
+      - run: npx --no-install eslint src
+
+  test:
+    needs: bundle-and-lint
     runs-on: ubuntu-latest
 
     strategy:
@@ -17,18 +32,34 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v4
+      - uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
       - run: npm ci
-      - run: npx --no-install microbundle
-      - run: npx --no-install eslint src
       - run: npx --no-install jest
-      - name: Codecov
-        uses: codecov/codecov-action@v3.1.4
-      - run: npx --no-install semantic-release
-        if: matrix.node-version == '18.x'
+      - uses: codecov/codecov-action@v3.1.4
+  release:
+    needs: test
+    if: success() && github.ref == 'refs/heads/master'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+      - uses: actions/setup-node@v3
+        with:
+          node-version: 20.x
+      - run: npm ci
+      - run: npx --no-install microbundle
+      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+        run: npm audit signatures
+      - name: Release
         env:
-          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npx semantic-release