@plasius/react-state 1.0.6 → 1.0.7

package/.github/workflows/cd.yml

@@ -6,6 +6,7 @@ on:
 permissions:
   contents: write
   id-token: write # for npm provenance (requires Node 18+ and npm >=9)
+  attestations: write
 
 jobs:
   publish:
@@ -24,9 +25,114 @@ jobs:
       - name: Install deps (CI)
         run: npm ci
 
+      - name: Update CHANGELOG.md (move Unreleased to new version)
+        env:
+          VERSION: ${{ steps.pkg.outputs.version }}
+          TAG: ${{ steps.pkg.outputs.tag }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          verbose: true
+        run: |
+          set -euo pipefail
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+
+          FILE="CHANGELOG.md"
+          if [ ! -f "$FILE" ]; then
+            echo "No CHANGELOG.md found; skipping changelog update."
+            exit 0
+          fi
+
+          DATE=$(date -u +%Y-%m-%d)
+          VERSION_LINE="## [${VERSION}] - ${DATE}"
+
+          # Identify Unreleased block boundaries
+          UNREL_START=$(grep -n '^## \[Unreleased\]' "$FILE" | cut -d: -f1 || true)
+          if [ -z "$UNREL_START" ]; then
+            echo "No '## [Unreleased]' section found; skipping changelog update."
+            exit 0
+          fi
+          NEXT_HDR=$(awk 'NR>'"$UNREL_START"' && /^## \[/{print NR; exit}' "$FILE")
+          if [ -z "$NEXT_HDR" ]; then
+            NEXT_HDR=$(wc -l < "$FILE")
+            NEXT_HDR=$((NEXT_HDR+1))
+          fi
+
+          # Extract sections
+          HEADER=$(sed -n "1,${UNREL_START}p" "$FILE")
+          UNREL_CONTENT=$(sed -n "$((UNREL_START+1)),$((NEXT_HDR-1))p" "$FILE")
+          TAIL=$(sed -n "${NEXT_HDR},\$p" "$FILE")
+
+          # Prepare new Unreleased template (Keep a Changelog style) without tabs/indent issues
+          NEW_UNRELEASED=$(printf '%s\n' \
+            '' \
+            '- **Added**' \
+            '  - (placeholder)' \
+            '' \
+            '- **Changed**' \
+            '  - (placeholder)' \
+            '' \
+            '- **Fixed**' \
+            '  - (placeholder)' \
+            '' \
+            '- **Security**' \
+            '  - (placeholder)')
+
+          # Build the new CHANGELOG content
+          TMP_FILE=$(mktemp)
+          {
+            printf "%s\n" "$HEADER"
+            printf "%s\n\n" "$NEW_UNRELEASED"
+            printf "%s\n" "$VERSION_LINE"
+            # If Unreleased was empty, at least add a placeholder so the section isn't blank
+            if [ -z "$(echo "$UNREL_CONTENT" | tr -d '\n' | tr -d '[:space:]')" ]; then
+              printf "### Changed\n- (no notable changes)\n\n"
+            else
+              printf "%s\n" "$UNREL_CONTENT"
+              # Ensure a trailing newline after the inserted section
+              printf "\n"
+            fi
+            printf "%s\n" "$TAIL"
+          } > "$TMP_FILE"
+
+          mv "$TMP_FILE" "$FILE"
+
+          # Update bottom compare links
+          # Update [Unreleased] compare to start at v${VERSION}
+          COMPARE_URL="https://github.com/${GITHUB_REPOSITORY}/compare/v${VERSION}...HEAD"
+          awk -v repl="[Unreleased]: ${COMPARE_URL}" 'BEGIN{OFS=FS} { if ($0 ~ /^\[Unreleased\]: /) { print repl } else { print } }' "$FILE" > "$FILE.tmp"
+          mv "$FILE.tmp" "$FILE"
+
+          # Append a link for the new version if not present
+          if ! grep -q "^\[${VERSION}\]:" "$FILE"; then
+            echo "[${VERSION}]: https://github.com/${GITHUB_REPOSITORY}/releases/tag/v${VERSION}" >> "$FILE"
+          fi
+
+          git add "$FILE"
+          git commit -m "docs(changelog): release v${VERSION}"
+          git push
+
+      - name: Test (coverage)
+        run: npm run test -- --coverage
+        
+      - name: Upload coverage to Codecov
+        uses: codecov/codecov-action@v4
+        with:
+         token: ${{ secrets.CODECOV_TOKEN }}
+         files: ./coverage/lcov.info
+         flags: unittests
+         fail_ci_if_error: true
+
       - name: Build
         run: npm run build --if-present
 
+      - name: Generate SBOM (CycloneDX)
+        run: npm sbom --sbom-format=cyclonedx --sbom-type=library --omit dev > sbom.cdx.json
+
+      - name: Attest SBOM (GitHub Artifact Attestations)
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: sbom.cdx.json
+
       - name: Bump version & decide publish flags
         id: pkg
         env:
@@ -38,6 +144,8 @@ jobs:
           NEW_VER=$(npm version patch -m "chore: release v%s [skip ci]")
           echo "New version: $NEW_VER"
           git push --follow-tags
+          
+          # Expose tag (vX.Y.Z) and version (X.Y.Z) for later steps
           VER_NO_V=${NEW_VER#v}
           echo "tag=$NEW_VER" >> "$GITHUB_OUTPUT"
           echo "version=$VER_NO_V" >> "$GITHUB_OUTPUT"
@@ -57,13 +165,19 @@ jobs:
           set -euo pipefail
           TAG="${{ steps.pkg.outputs.tag }}"
           if gh release view "$TAG" >/dev/null 2>&1; then
-            echo "Release $TAG already exists; skipping creation."
+            echo "Release $TAG already exists; uploading SBOM asset."
           else
             gh release create "$TAG" \
               --title "Release $TAG" \
               --generate-notes \
               --latest
           fi
+          # Upload/overwrite the SBOM asset on the release
+          if [ -f sbom.cdx.json ]; then
+            gh release upload "$TAG" sbom.cdx.json --clobber
+          else
+            echo "No SBOM generated; skipping upload."
+          fi
 
       - name: Publish
         env:

package/CHANGELOG.md

@@ -9,6 +9,20 @@ The format is based on **[Keep a Changelog](https://keepachangelog.com/en/1.1.0/
 
 ## [Unreleased]
 
+- **Added**
+  - (placeholder)
+
+- **Changed**
+  - (placeholder)
+
+- **Fixed**
+  - (placeholder)
+
+- **Security**
+  - (placeholder)
+
+## [] - 2025-09-17
+
 - **Added**
   - (placeholder) Add new hooks, scoped store features, or context helpers here.
 
@@ -56,5 +70,6 @@ The format is based on **[Keep a Changelog](https://keepachangelog.com/en/1.1.0/
 
 ---
 
-[Unreleased]: https://github.com/Plasius-LTD/react-state/compare/v1.0.0...HEAD
+[Unreleased]: https://github.com/Plasius-LTD/react-state/compare/v...HEAD
 [1.0.0]: https://github.com/Plasius-LTD/react-state/releases/tag/v1.0.0
+[]: https://github.com/Plasius-LTD/react-state/releases/tag/v

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@plasius/react-state",
-  "version": "1.0.6",
+  "version": "1.0.7",
   "description": "Tiny, testable, typesafe React Scoped Store helper.",
   "keywords": [
     "react",
@@ -54,6 +54,7 @@
     "@types/node": "^24.3.1",
     "@typescript-eslint/eslint-plugin": "^8.43.0",
     "@typescript-eslint/parser": "^8.43.0",
+    "@vitest/coverage-v8": "^3.2.4",
     "eslint": "^9.35.0",
     "jsdom": "^27.0.0",
     "tsup": "^8.5.0",

package/sbom.cdx.json

@@ -0,0 +1,66 @@
+{
+  "$schema": "http://cyclonedx.org/schema/bom-1.5.schema.json",
+  "bomFormat": "CycloneDX",
+  "specVersion": "1.5",
+  "serialNumber": "urn:uuid:070834d4-7af4-4992-bf40-fcf52c4bf035",
+  "version": 1,
+  "metadata": {
+    "timestamp": "2025-09-17T15:31:48.552Z",
+    "lifecycles": [
+      {
+        "phase": "build"
+      }
+    ],
+    "tools": [
+      {
+        "vendor": "npm",
+        "name": "cli",
+        "version": "10.9.3"
+      }
+    ],
+    "component": {
+      "bom-ref": "@plasius/react-state@1.0.6",
+      "type": "library",
+      "name": "react-state",
+      "version": "1.0.6",
+      "scope": "required",
+      "author": "Plasius LTD",
+      "description": "Tiny, testable, typesafe React Scoped Store helper.",
+      "purl": "pkg:npm/%40plasius/react-state@1.0.6",
+      "properties": [
+        {
+          "name": "cdx:npm:package:path",
+          "value": ""
+        }
+      ],
+      "externalReferences": [
+        {
+          "type": "vcs",
+          "url": "git+https://github.com/Plasius-LTD/react-state.git"
+        },
+        {
+          "type": "website",
+          "url": "https://github.com/Plasius-LTD/react-state#readme"
+        },
+        {
+          "type": "issue-tracker",
+          "url": "https://github.com/Plasius-LTD/react-state/issues"
+        }
+      ],
+      "licenses": [
+        {
+          "license": {
+            "id": "Apache-2.0"
+          }
+        }
+      ]
+    }
+  },
+  "components": [],
+  "dependencies": [
+    {
+      "ref": "@plasius/react-state@1.0.6",
+      "dependsOn": []
+    }
+  ]
+}

package/vitest.config.js

@@ -6,8 +6,15 @@ export default defineConfig({
     globals: true,
     include: ["tests/**/*.test.{ts,tsx}"],
     coverage: {
+      provider: "v8",
       reporter: ["text", "lcov"],
-      exclude: ["tests/**", "dist/**"],
+      reportsDirectory: "./coverage",
+      exclude: [
+        "tests/**",
+        "dist/**",
+        "**/*.config.{js,ts}",
+        "**/.eslintrc.{js,cjs}",
+      ],
     },
   },
 });