From c46292bfffd39a6a38e29e752e8d5a5dca93dd53 Mon Sep 17 00:00:00 2001 From: philknows Date: Tue, 21 Oct 2025 14:49:04 -0400 Subject: [PATCH 1/3] bump actions and enable trustless publishing --- .github/workflows/release.yml | 14 +++++++++----- .github/workflows/test.yml | 6 +++--- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a952225..47f3fab 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,13 +5,17 @@ on: branches: - 'master' +permissions: + id-token: write # Required for OIDC + contents: read + jobs: tag: name: Check and Tag runs-on: ubuntu-latest steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Create tag id: tag uses: butlerlogic/action-autotag@1.1.2 @@ -31,18 +35,18 @@ jobs: if: needs.tag.outputs.tag != '' steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Setup Nodejs - uses: actions/setup-node@v1 + uses: actions/setup-node@v4 with: - node-version: "20.x" + node-version: "24.x" registry-url: "https://registry.npmjs.org" - name: Install dependencies run: yarn install --non-interactive --frozen-lockfile - name: Build run: yarn run build - name: Publish to npm registry - run: yarn publish --no-git-tag-version --no-commit-hooks --non-interactive + run: npm publish --access public env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Create Release diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1b5277a..3479f78 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -9,10 +9,10 @@ jobs: strategy: fail-fast: false matrix: - node: [18, 20] + node: [22, 24] steps: - - uses: actions/checkout@v2 - - uses: actions/setup-node@v1 + - uses: actions/checkout@v4 + - uses: actions/setup-node@v4 with: node-version: ${{matrix.node}} - name: Install deps From fdc462413cf191214ea1013940f8ecb466060e26 Mon Sep 17 00:00:00 2001 
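Review bot: `id-token: write` is declared at workflow level in the first `release.yml` hunk, so every job can request an OIDC token, including `tag`, which runs the third-party `butlerlogic/action-autotag@1.1.2`. Only the job that runs `npm publish` needs it. Declare it under that job instead (a job-level `permissions:` with `id-token: write` plus whatever `contents` scope its release step needs), and give `tag` only the `contents` scope it needs for tagging. PATCH 2/3 widens `contents` at the same workflow level, so the same scoping applies there. The publishing job's definition lies outside this hunk.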
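Review bot: The bumped steps in the second `release.yml` hunk are still referenced by mutable major tags (`actions/checkout@v4`, `actions/setup-node@v4`), and they run in the job that publishes to npm, so a moved tag would change what runs with publish rights. Pin each to a full commit SHA with the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`. The checkout bump in the first hunk and the two bumps in `test.yml` can follow the same form. The job header is outside the hunk.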
From: philknows Date: Tue, 21 Oct 2025 15:33:31 -0400 Subject: [PATCH 2/3] allow content api write permissions for releasing --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 47f3fab..34b88da 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,7 +7,7 @@ on: permissions: id-token: write # Required for OIDC - contents: read + contents: write jobs: tag: From a32dc819e6e441bf18973165626321ad876442d8 Mon Sep 17 00:00:00 2001 From: philknows Date: Tue, 21 Oct 2025 18:43:47 -0400 Subject: [PATCH 3/3] Remove old node auth token and upgrade npm --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 34b88da..23b3b72 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -41,14 +41,14 @@ jobs: with: node-version: "24.x" registry-url: "https://registry.npmjs.org" + - name: Upgrade npm for OIDC + run: npm i -g npm@^11.5.1 - name: Install dependencies run: yarn install --non-interactive --frozen-lockfile - name: Build run: yarn run build - name: Publish to npm registry run: npm publish --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Create Release id: create_release uses: actions/create-release@v1
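Review bot: Making `contents: write` the workflow default in PATCH 2/3 means the token that `actions/checkout@v4` leaves in the checkout's git config by default is write-capable while `yarn install` and `yarn run build` execute dependency code in the publishing job. Add `with:` / `persist-credentials: false` to the checkout step of any job that does not push with git. Also add a comment beside the permission naming what needs it, e.g. `contents: write # needed by the release step`. Whether `action-autotag` relies on the persisted credential is not visible here, so confirm before changing the `tag` job.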
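Review bot: In PATCH 3/3, `npm i -g npm@^11.5.1` resolves to whatever 11.x release is newest when the job runs, so the tool that performs the OIDC publish can change without any commit to this repository. Pin an exact version, `run: npm i -g npm@11.5.1`, and bump it deliberately. Dropping `NODE_AUTH_TOKEN` from the step only stops the workflow from using the token. The `NPM_TOKEN` secret and the npm token behind it presumably still exist and should be revoked and deleted once an OIDC publish has succeeded. The job's definition starts outside the hunk.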