@codfish/actions 2.0.0 → 3.3.1

package/setup-node-and-install/README.md

@@ -6,7 +6,8 @@ dynamic Node version detection via the `node-version` input, `.node-version`, `.
 This action provides the following functionality:
 
 - Automatically detects package manager (npm, yarn, or pnpm) from lockfiles
-- Uses GitHub's official `setup-node` action with optimized caching
+- Uses GitHub's official `setup-node` action (v6) with optimized caching
+- **Upgrades npm to v11** (pinned to `^11.5.1` for OIDC trusted publishing support)
 - Installs dependencies with appropriate commands based on detected package manager
 - Supports `.node-version`, `.nvmrc`, and `package.json` `volta.node` for version specification
 - Intelligent caching of node_modules when lockfiles are present
@@ -17,15 +18,17 @@ This action provides the following functionality:
 
 See [action.yml](action.yml).
 
-```yaml
+```yml
 steps:
-  - uses: actions/checkout@v5
+  - uses: actions/checkout@v6
 
-  # will install latest Node v18.x
-  - uses: codfish/actions/setup-node-and-install@v1
+  # Will setup node, inferring node version from your codebase & installing your dependencies
+  - uses: codfish/actions/setup-node-and-install@v3
+
+  # Or if you want to be explicit
+  - uses: codfish/actions/setup-node-and-install@v3
     with:
-      node-version: 18
-      cache-key-suffix: '-${{ github.head_ref || github.event.release.tag_name }}'
+      node-version: 24.4
 
   - run: npm test
 ```
@@ -35,9 +38,6 @@ The `node-version` input is optional. If not supplied, this action will attempt
 1. `.node-version`, 2) `.nvmrc`, 3) `package.json` `volta.node`. If none are present, `actions/setup-node` runs without
    an explicit version and will use its default behavior.
 
-The `cache-key-suffix` input is optional. If not supplied, no suffix will be applied to the cache key used to restore
-cache in subsequent workflow runs.
-
 The `install-options` input is optional. If not supplied, the npm install commands will execute as defined without any
 additional options.
 
@@ -48,11 +48,11 @@ additional options.
 v18.14.1
 ```
 
-```yaml
+```yml
 steps:
-  - uses: actions/checkout@v5
+  - uses: actions/checkout@v6
   # will install Node v18.14.1
-  - uses: codfish/actions/setup-node-and-install@v1
+  - uses: codfish/actions/setup-node-and-install@v3
   - run: npm test
 ```
 
@@ -63,11 +63,11 @@ steps:
 20.10.0
 ```
 
-```yaml
+```yml
 steps:
-  - uses: actions/checkout@v5
+  - uses: actions/checkout@v6
   # will install Node v20.10.0
-  - uses: codfish/actions/setup-node-and-install@v1
+  - uses: codfish/actions/setup-node-and-install@v3
   - run: npm test
 ```
 
@@ -85,11 +85,13 @@ When multiple version specification methods are present, the action uses this pr
 
 <!-- start inputs -->
 
-| Input               | Description                                                                                                                          | Required | Default |
-| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------ | -------- | ------- |
-| `node-version`      | Node.js version to install (e.g. "24", "lts/\*"). Precedence: node-version input > .node-version > .nvmrc > package.json volta.node. | No       | -       |
-| `install-options`   | Extra command-line options to pass to npm/pnpm/yarn install.                                                                         | No       | -       |
-| `working-directory` | Directory containing package.json and lockfile.                                                                                      | No       | `.`     |
+| Input               | Description                                                                                                                                                                                                                                                                                                     | Required | Default |
+| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------- |
+| `node-version`      | Node.js version to install (e.g. "24", "lts/\*"). Precedence: node-version input > .node-version > .nvmrc > package.json volta.node.                                                                                                                                                                            | No       | -       |
+| `install-options`   | Extra command-line options to pass to npm/pnpm/yarn install.                                                                                                                                                                                                                                                    | No       | -       |
+| `working-directory` | Directory containing package.json and lockfile.                                                                                                                                                                                                                                                                 | No       | `.`     |
+| `registry-url`      | Optional registry URL to configure for publishing (e.g. "https://registry.npmjs.org/"). Creates .npmrc with NODE_AUTH_TOKEN placeholder. NOT recommended if using semantic-release (it handles auth independently). Only needed for publishing with manual npm publish or other non-semantic-release workflows. | No       | -       |
+| `upgrade-npm`       | Whether to upgrade npm to v11.5.1. This is required for OIDC trusted publishing but can be disabled if you want to shave off some run time and you are still using token-based authentication.                                                                                                                  | No       | `true`  |
 
 <!-- end inputs -->
 
@@ -98,35 +100,76 @@ When multiple version specification methods are present, the action uses this pr
 The action automatically detects your package manager:
 
 - **pnpm**: Detected when `pnpm-lock.yaml` exists
+- **yarn**: Detected when `yarn.lock` exists
 - **npm**: Detected when `package-lock.json` exists or as fallback
 
+## npm Version Upgrade
+
+This action automatically upgrades npm to **v11** after Node.js setup (pinned to `^11.5.1`). This ensures:
+
+- npm 11.5.1+ is available for **OIDC trusted publishing** support (required as of January 2026)
+- Stable, predictable npm behavior across workflows
+- Security fixes and improvements within the v11 release line
+- No unexpected breaking changes from major version updates
+
+The upgrade happens transparently and is logged in the workflow output. The version is pinned to prevent unexpected
+breaking changes while still receiving patch and minor updates within v11.
+
+## Registry URL Configuration
+
+The `registry-url` input configures npm authentication by creating a `.npmrc` file with a `NODE_AUTH_TOKEN` placeholder.
+**In most cases, you should NOT set this parameter.**
+
+### When NOT to use registry-url (recommended)
+
+**Skip this parameter if:**
+
+- You're **only installing dependencies** (the primary use case for this action) - authentication is not needed for
+  public packages
+- You're using **semantic-release** for publishing - it handles npm authentication independently and `registry-url` can
+  cause conflicts
+  ([semantic-release docs](https://semantic-release.gitbook.io/semantic-release/recipes/ci-configurations/github-actions#important-avoid-registry-url-in-setup-node))
+- You're using **OIDC trusted publishing** with npm - the upgraded npm v11 handles this automatically
+
+### When to use registry-url
+
+**Only set this parameter if:**
+
+- You're publishing to npm using **manual `npm publish`** (not semantic-release)
+- You need to authenticate to a **private npm registry**
+- You're using **legacy token-based publishing** and need the `.npmrc` file created
+
+### Example with registry-url
+
+```yml
+- uses: codfish/actions/setup-node-and-install@v3
+  with:
+    registry-url: 'https://registry.npmjs.org/'
+  env:
+    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+- run: npm publish
+```
+
 ## Examples
 
 ### With specific Node version
 
-```yaml
-- uses: codfish/actions/setup-node-and-install@v1
+```yml
+- uses: codfish/actions/setup-node-and-install@v3
   with:
     node-version: '18'
 ```
 
 ### With pnpm in subdirectory
 
-```yaml
-- uses: codfish/actions/setup-node-and-install@v1
+```yml
+- uses: codfish/actions/setup-node-and-install@v3
   with:
     working-directory: './frontend'
     install-options: '--frozen-lockfile'
 ```
 
-### With custom cache key
-
-```yaml
-- uses: codfish/actions/setup-node-and-install@v1
-  with:
-    cache-key-suffix: '-${{ github.head_ref }}'
-```
-
 ## Migrating
 
 Replace multiple setup steps with this single action:
@@ -137,5 +180,5 @@ Replace multiple setup steps with this single action:
 -     node-version-file: '.nvmrc'
 -     cache: 'npm'
 - - run: npm ci --prefer-offline --no-audit
-+ - uses: codfish/actions/setup-node-and-install@v1
++ - uses: codfish/actions/setup-node-and-install@v3
 ```

package/setup-node-and-install/action.yml

@@ -16,11 +16,31 @@ inputs:
   working-directory:
     description: Directory containing package.json and lockfile.
     default: .
+  registry-url:
+    description:
+      'Optional registry URL to configure for publishing (e.g. "https://registry.npmjs.org/"). Creates .npmrc with
+      NODE_AUTH_TOKEN placeholder. NOT recommended if using semantic-release (it handles auth independently). Only
+      needed for publishing with manual npm publish or other non-semantic-release workflows.'
+    required: false
+  upgrade-npm:
+    description:
+      Whether to upgrade npm to v11.5.1. This is required for OIDC trusted publishing but can be disabled if you want to
+      shave off some run time and you are still using token-based authentication.
+    default: true
 
 outputs:
+  node-version:
+    description: The installed node version.
+    value: ${{ steps.setup-node.outputs.node-version }}
   cache-hit:
     description: Whether the dependency cache was hit (true/false).
     value: "${{ steps.setup-node.outputs.cache-hit == 'true' && 'true' || 'false' }}"
+  pnpm-dest:
+    description: Expanded path of pnpm dest.
+    value: ${{ steps.pnpm-setup.outputs.dest }}
+  pnpm-bin-dest:
+    description: Location of pnpm and pnpx command.
+    value: ${{ steps.pnpm-setup.outputs.bin_dest }}
 
 runs:
   using: composite
@@ -64,6 +84,7 @@ runs:
     - name: Install pnpm
       if: steps.detect-package-manager.outputs.package-manager == 'pnpm'
       uses: pnpm/action-setup@v4
+      id: pnpm-setup
       with:
         run_install: false
 
@@ -107,21 +128,35 @@ runs:
         INPUT_NODE_VERSION: ${{ inputs.node-version }}
 
     - name: Setup Node.js
-      uses: actions/setup-node@v5
+      uses: actions/setup-node@v6
       id: setup-node
       with:
         # use detected package manager cache
         cache: ${{ steps.detect-package-manager.outputs.package-manager }}
         cache-dependency-path: ${{ inputs.working-directory }}
         node-version: ${{ steps.detect-node-version.outputs.version }}
-        registry-url: 'https://registry.npmjs.org'
+        registry-url: ${{ inputs.registry-url }}
+
+    - name: Upgrade npm for OIDC support
+      if: inputs.upgrade-npm == 'true'
+      shell: bash
+      run: |
+        echo "📦 Current npm version: $(npm --version)"
+        echo "🔄 Upgrading npm to v11 (required for OIDC trusted publishing)..."
+        if ! npm install -g npm@^11.5.1; then
+          echo "❌ Failed to upgrade npm to v11.5.1. Check network access or permissions."
+          exit 1
+        fi
+        echo "✅ Updated to npm version: $(npm --version)"
 
-    # apply `./node_modules` cache only if a lockfile is present
+    # Apply `./node_modules` cache only if a lockfile is present and using `npm`
     # Will remove the need to run install commands twice. Risk reduced by using a very specific cache key.
     # Cache wont be used if the lockfile changes, package manager, node version, or OS changes.
     - name: Setup node_modules dependency cache
-      if: steps.detect-package-manager.outputs.lockfile-exists == 'true'
-      uses: actions/cache@v4
+      if:
+        steps.detect-package-manager.outputs.lockfile-exists == 'true' &&
+        steps.detect-package-manager.outputs.package-manager == 'npm'
+      uses: actions/cache@v5
       id: cache
       with:
         path: ${{ inputs.working-directory }}/node_modules

package/.github/codeql-config.yml

@@ -1,21 +0,0 @@
-name: GitHub Actions Security Analysis
-
-disable-default-queries: false
-
-queries:
-  - uses: security-and-quality
-  - uses: security-experimental
-
-paths-ignore:
-  - tests/
-  - '**/*.test.js'
-  - '**/*.spec.js'
-  - '**/node_modules'
-  - '**/dist'
-  - '**/build'
-
-paths:
-  - '**/*.js'
-  - '**/*.yml'
-  - '**/*.yaml'
-  - '**/*.json'

package/.github/dependabot.yml

@@ -1,35 +0,0 @@
-version: 2
-updates:
-  # Enable version updates for pnpm dependencies
-  - package-ecosystem: npm
-    directory: /
-    schedule:
-      interval: weekly
-      day: monday
-      time: '09:00'
-    open-pull-requests-limit: 3
-    reviewers:
-      - codfish
-    assignees:
-      - codfish
-    commit-message:
-      prefix: deps
-      include: scope
-    # Use pnpm for package management
-    versioning-strategy: increase
-
-  # Monitor GitHub Actions for updates
-  - package-ecosystem: github-actions
-    directory: /
-    schedule:
-      interval: weekly
-      day: monday
-      time: '09:00'
-    open-pull-requests-limit: 3
-    reviewers:
-      - codfish
-    assignees:
-      - codfish
-    commit-message:
-      prefix: ci
-      include: scope

package/.github/workflows/claude-code-review.yml

@@ -1,43 +0,0 @@
-name: Claude Code Review
-
-on: pull_request_target
-
-jobs:
-  claude-review:
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-      pull-requests: write
-      issues: read
-      id-token: write
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 1
-
-      - name: Run Claude Code Review
-        id: claude-review
-        uses: anthropics/claude-code-action@beta
-        with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-
-          # Optional: Specify model (defaults to Claude Sonnet 4, uncomment for Claude Opus 4)
-          # model: "claude-opus-4-20250514"
-
-          allowed_tools:
-            'mcp__github_inline_comment__create_inline_comment,Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr
-            view:*)'
-
-          # Direct prompt for automated review (no @claude mention needed)
-          direct_prompt: |
-            Please review this pull request and provide feedback on:
-            - Code quality and best practices
-            - Potential bugs or issues
-            - Performance considerations
-            - Security concerns
-            - Test coverage
-
-            Be constructive and helpful in your feedback.

package/.github/workflows/claude.yml

@@ -1,38 +0,0 @@
-name: Claude Code
-
-on:
-  issue_comment:
-    types: [created]
-  pull_request_review_comment:
-    types: [created]
-  issues:
-    types: [opened, assigned]
-  pull_request_review:
-    types: [submitted]
-
-jobs:
-  claude:
-    if: |
-      (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude')) ||
-      (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude')) ||
-      (github.event_name == 'issues' && (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')))
-
-    runs-on: ubuntu-latest
-
-    permissions:
-      contents: read
-      pull-requests: read
-      issues: read
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 1
-
-      - name: Run Claude Code
-        id: claude
-        uses: anthropics/claude-code-action@beta
-        with:
-          anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

package/.github/workflows/release.yml

@@ -1,48 +0,0 @@
-name: Release
-
-on:
-  push:
-    branches:
-      - main
-      - alpha
-      - beta
-      - canary
-      - next
-      - next-major
-      - '[0-9]+.x'
-
-permissions:
-  issues: write
-  contents: write
-  pull-requests: write
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-
-    concurrency:
-      group: ${{ github.workflow }}-${{ github.ref }}
-      cancel-in-progress: false
-
-    steps:
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-
-      - uses: ./setup-node-and-install
-        with:
-          node-version: lts/*
-
-      - name: validate before release
-        run: |
-          pnpm install
-          pnpm lint
-          pnpm test
-        env:
-          CI: true
-
-      - name: semantic release
-        uses: docker://ghcr.io/codfish/semantic-release-action@sha256:5d5447090feb2f9252aac2825ef14e244ecf53528fbe87d585b459adb547b914
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

package/.github/workflows/security.yml

@@ -1,103 +0,0 @@
-name: Security
-
-on:
-  push:
-    branches: [main]
-  pull_request_target:
-    branches: [main]
-  schedule:
-    # Run weekly security scan on Sundays at 2 AM UTC
-    - cron: '0 2 * * 0'
-
-permissions:
-  actions: read
-  contents: read
-  security-events: write
-
-jobs:
-  codeql:
-    name: CodeQL Analysis
-    runs-on: ubuntu-latest
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [javascript]
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
-        with:
-          languages: ${{ matrix.language }}
-          config-file: ./.github/codeql-config.yml
-
-      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
-        with:
-          category: '/language:${{matrix.language}}'
-
-  dependency-review:
-    name: Dependency Review
-    runs-on: ubuntu-latest
-    if: github.event_name == 'pull_request_target'
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-
-      - name: Dependency Review
-        uses: actions/dependency-review-action@v4
-        with:
-          fail-on-severity: moderate
-          allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-2-Clause-Views, BSD-3-Clause, ISC, AGPL-3.0
-
-  security-audit:
-    name: Security Audit
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-
-      - name: Setup Node.js and install dependencies
-        uses: ./setup-node-and-install
-        with:
-          node-version: 'lts/*'
-
-      - name: Run pnpm audit
-        run: |
-          echo "Running security audit..."
-          pnpm audit --audit-level=moderate
-
-      - name: Check for known vulnerabilities
-        run: |
-          echo "Checking for high/critical vulnerabilities..."
-          count=$(pnpm audit --audit-level=high --json | jq '.metadata.vulnerabilities.high + .metadata.vulnerabilities.critical')
-          if [ "$count" -gt 0 ]; then
-            echo "❌ High or critical vulnerabilities found!"
-            pnpm audit --audit-level=high
-            exit 1
-          else
-            echo "✅ No high or critical vulnerabilities found"
-          fi
-
-  secret-scan:
-    name: Secret Scan
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          fetch-depth: 0
-
-      - name: Run TruffleHog OSS
-        uses: trufflesecurity/trufflehog@v3.90.8
-        with:
-          extra_args: --debug --only-verified

package/.github/workflows/update-docs.yml

@@ -1,38 +0,0 @@
-name: Update Documentation
-
-on:
-  push:
-    branches: [main]
-    paths:
-      - '*/action.yml'
-      - bin/generate-docs.js
-
-permissions:
-  contents: write
-
-jobs:
-  update-docs:
-    name: Auto-update documentation
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v5
-        with:
-          token: ${{ secrets.GITHUB_TOKEN }}
-
-      # Dogfood our own setup-node-and-install action
-      - name: Setup Node.js and install dependencies
-        uses: ./setup-node-and-install
-        with:
-          node-version: 'lts/*'
-
-      - name: Generate updated documentation
-        run: pnpm docs:generate
-
-      - name: Commit and push changes if any
-        uses: stefanzweifel/git-auto-commit-action@v6
-        with:
-          commit_options: --no-verify --signoff
-          commit_message: 'docs: auto-update documentation with latest action metadata'
-          file_pattern: 'README.md */README.md'