npm - @codfish/actions-playground - Versions diffs - 0.0.0-PR-77--2cb1b74 → 0.0.0-PR-98--c28fd93 - Mend

@codfish/actions-playground 0.0.0-PR-77--2cb1b74 → 0.0.0-PR-98--c28fd93

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/.github/workflows/release.yml +4 -1
package/.github/workflows/validate-pr-title.yml +2 -0
package/.github/workflows/validate.yml +54 -61
package/.markdownlint.json +0 -0
package/package.json +42 -14
package/renovate.json +6 -0
package/test.txt +0 -1

package/.github/workflows/release.yml CHANGED Viewed

@@ -12,6 +12,7 @@ on:
 permissions:
   contents: write
+  id-token: write
   pull-requests: write
   issues: write
@@ -74,6 +75,9 @@ jobs:
       - run: cat Dockerfile
+      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+        run: npm audit signatures
       - name: semantic-release
         uses: docker://ghcr.io/codfish/semantic-release-action@sha256:327a3ce08284f9dd9b83b607e3f668dae90139e68ce90780b0a43a09d577dc3a
         id: semantic
@@ -127,7 +131,6 @@ jobs:
             ]
         env:
           GITHUB_TOKEN: ${{ secrets.SEMANTIC_GH_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: Dump semantic outputs
         if: steps.semantic.outputs.new-release-published == 'true'

package/.github/workflows/validate-pr-title.yml CHANGED Viewed

@@ -13,6 +13,8 @@ jobs:
       cancel-in-progress: true
     steps:
+      - uses: actions/checkout@v6
       - name: 'Install pnpm'
         id: pnpm-setup
         uses: pnpm/action-setup@v4

package/.github/workflows/validate.yml CHANGED Viewed

@@ -2,6 +2,11 @@ name: Validate Code
 on: pull_request
+permissions:
+  contents: read
+  id-token: write
+  pull-requests: write
 jobs:
   validate:
     runs-on: ubuntu-latest
@@ -11,7 +16,7 @@ jobs:
       cancel-in-progress: true
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
@@ -36,63 +41,24 @@ jobs:
           echo "$PNPM_CONTEXT"
           echo "PNPM_HOME: $PNPM_HOME"
-      - uses: codfish/actions/setup-node-and-install@fixes
-      - name: semantic release dry run
-        uses: docker://ghcr.io/codfish/semantic-release-action@sha256:327a3ce08284f9dd9b83b607e3f668dae90139e68ce90780b0a43a09d577dc3a
+      - uses: actions/setup-node@v4
         with:
-          dry-run: true
-          additional-packages: |
-            ['@google/semantic-release-replace-plugin', '@semantic-release/git', 'conventional-changelog-conventionalcommits@7']
-          plugins: |
-            [
-              '@semantic-release/commit-analyzer',
-              [
-                '@google/semantic-release-replace-plugin',
-                {
-                  'replacements': [
-                    {
-                      'files': ['Dockerfile'],
-                      'from': 'RELEASE_VERSION=.*',
-                      'to': 'RELEASE_VERSION=${nextRelease.version}'
-                    },
-                    {
-                      'files': ['provisioning/Chart.yml'],
-                      'from': 'ersion: .*',
-                      'to': 'ersion: ${nextRelease.version}'
-                    }
-                  ]
-                }
-              ],
-              [ '@semantic-release/git', {'assets': ['Dockerfile', 'provisioning/Chart.yml']} ],
-              [
-                "@semantic-release/release-notes-generator",
-                {
-                  "preset": "conventionalcommits",
-                  "presetConfig": {
-                    "types": [
-                      { type: 'feat', section: 'Features', hidden: false },
-                      { type: 'fix', section: 'Bug Fixes', hidden: false },
-                      { type: 'perf', section: 'Performance Improvements', hidden: false },
-                      { type: 'revert', section: 'Reverts', hidden: false },
-                      { type: 'docs', section: 'Other Updates', hidden: false },
-                      { type: 'style', section: 'Other Updates', hidden: false },
-                      { type: 'chore', section: 'Other Updates', hidden: false },
-                      { type: 'refactor', section: 'Other Updates', hidden: false },
-                      { type: 'test', section: 'Other Updates', hidden: false },
-                      { type: 'build', section: 'Other Updates', hidden: false },
-                      { type: 'ci', section: 'Other Updates', hidden: false }
-                    ]
-                  }
-                }
-              ],
-              '@semantic-release/npm',
-              '@semantic-release/github'
-            ]
-          pnpm-dest: ${{ steps.pnpm-setup.outputs.dest }}
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          node-version-file: 'package.json'
+          cache: 'pnpm'
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+      - name: Ensure npm 11.5.1+ for trusted publishing
+        run: |
+          echo "Current npm version: $(npm --version)"
+          # npm 11.5.1+ is required for OIDC trusted publishing (Jan 2026)
+          npm install -g npm@latest
+          echo "Updated npm version: $(npm --version)"
+          if [ "$(npm --version | cut -d. -f1)" -lt 11 ]; then
+            echo "ERROR: npm 11.5.1+ is required for trusted publishing"
+            exit 1
+          fi
       - name: Retrieve text file
         uses: actions/download-artifact@v4
@@ -108,10 +74,37 @@ jobs:
       - name: run tests
         run: pnpm test
-      - uses: codfish/actions/npm-publish-pr@fixes
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          npm-token: ${{ secrets.NPM_TOKEN }}
+      - name: Publish PR package (direct)
+        if: github.event.pull_request.head.repo.full_name == github.repository
+        shell: bash
+        env:
+          PR_NUMBER: ${{ github.event.number }}
+          PR_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          set -euo pipefail
+          # Verify OIDC token is available
+          if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
+            echo "OIDC token is not available for this run. Trusted publishing cannot proceed."
+            echo "This usually happens on forked PRs or when id-token permissions are missing."
+            exit 1
+          fi
+          echo "OIDC environment detected:"
+          echo "ACTIONS_ID_TOKEN_REQUEST_URL is set: ${ACTIONS_ID_TOKEN_REQUEST_URL:+yes}"
+          echo "ACTIONS_ID_TOKEN_REQUEST_TOKEN is set: ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:+yes}"
+          short_sha="$(echo "$PR_SHA" | cut -c -7)"
+          version="0.0.0-PR-${PR_NUMBER}--${short_sha}"
+          echo "Publishing $(jq -r '.name' package.json)@$version via OIDC trusted publishing"
+          npm version "$version" --no-git-tag-version
+          # CRITICAL: Do not set, unset, or manipulate NODE_AUTH_TOKEN or NPM_TOKEN
+          # They must not exist in the environment for OIDC to work
+          echo "npm version: $(npm --version)"
+          # Publish with OIDC - npm will automatically use OIDC when --provenance is used
+          npm publish --access public --tag pr --provenance
       - name: Build package
         run: pnpm build

package/.markdownlint.json CHANGED Viewed

File without changes

package/package.json CHANGED Viewed

@@ -1,11 +1,23 @@
 {
   "name": "@codfish/actions-playground",
-  "version": "0.0.0-PR-77--2cb1b74",
+  "version": "0.0.0-PR-98--c28fd93",
   "description": "My own testing ground for messing around with GitHub Actions.",
   "private": false,
   "publishConfig": {
     "access": "public"
   },
+  "scripts": {
+    "start": "PUBLIC_URL=/ react-scripts start",
+    "build": "react-scripts build",
+    "build:docs": "jsdoc src -d docs",
+    "eject": "react-scripts eject",
+    "format": "cod-scripts format",
+    "lint": "cod-scripts lint",
+    "lint:md": "markdownlint -i node_modules -i dist .",
+    "lint:commit": "cod-scripts commitlint",
+    "test": "echo \"No tests yet.\"",
+    "validate": "cod-scripts validate"
+  },
   "repository": {
     "type": "git",
     "url": "git+https://github.com/codfish/actions-playground.git"
@@ -13,6 +25,7 @@
   "keywords": [
     "foobar"
   ],
+  "packageManager": "pnpm@10.17.1",
   "author": "",
   "license": "MIT",
   "bugs": {
@@ -41,6 +54,33 @@
       "./node_modules/cod-scripts/eslint.js"
     ]
   },
+  "commitlint": {
+    "extends": [
+      "@commitlint/config-conventional"
+    ],
+    "rules": {
+      "header-max-length": [
+        0,
+        "never"
+      ],
+      "subject-case": [
+        0,
+        "never"
+      ],
+      "type-case": [
+        0,
+        "never"
+      ],
+      "body-max-line-length": [
+        0,
+        "always"
+      ],
+      "footer-max-line-length": [
+        0,
+        "always"
+      ]
+    }
+  },
   "browserslist": {
     "production": [
       ">0.2%",
@@ -56,17 +96,5 @@
   "volta": {
     "node": "22.18.0",
     "yarn": "4.10.3"
-  },
-  "scripts": {
-    "start": "PUBLIC_URL=/ react-scripts start",
-    "build": "react-scripts build",
-    "build:docs": "jsdoc src -d docs",
-    "eject": "react-scripts eject",
-    "format": "cod-scripts format",
-    "lint": "cod-scripts lint",
-    "lint:md": "markdownlint -i node_modules -i dist .",
-    "lint:commit": "cod-scripts commitlint",
-    "test": "echo \"No tests yet.\"",
-    "validate": "cod-scripts validate"
   }
-}
+}

package/renovate.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ]
+}

package/test.txt CHANGED Viewed

@@ -3,4 +3,3 @@ testing dry run outputs
 test release with a chore
 test latest release