ep_offline_edit 0.0.39 → 0.0.50

package/.github/workflows/backend-tests.yml

@@ -22,11 +22,11 @@ jobs:
           version: 1.0
       -
         name: Install etherpad core
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           repository: ether/etherpad-lite
           path: etherpad-lite
-      - uses: pnpm/action-setup@v5
+      - uses: pnpm/action-setup@v3
         name: Install pnpm
         with:
           version: 10
@@ -35,7 +35,7 @@ jobs:
         shell: bash
         run: |
           echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-      - uses: actions/cache@v5
+      - uses: actions/cache@v4
         name: Setup pnpm cache
         with:
           path: ${{ env.STORE_PATH }}
@@ -44,7 +44,7 @@ jobs:
             ${{ runner.os }}-pnpm-store-
       -
         name: Checkout plugin repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           path: plugin
       - name: Remove tests
@@ -62,6 +62,7 @@ jobs:
         name: Run the backend tests
         working-directory: ./etherpad-lite/src
         run: |
+          shopt -s globstar
           res=$(find ./plugin_packages -path "*/static/tests/backend/specs/*" 2>/dev/null | wc -l)
           if [ $res -eq 0 ]; then
           echo "No backend tests found"

package/.github/workflows/frontend-tests.yml

@@ -12,10 +12,10 @@ jobs:
     steps:
       -
         name: Check out Etherpad core
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           repository: ether/etherpad-lite
-      - uses: pnpm/action-setup@v5
+      - uses: pnpm/action-setup@v3
         name: Install pnpm
         with:
           version: 10
@@ -24,7 +24,7 @@ jobs:
         shell: bash
         run: |
           echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-      - uses: actions/cache@v5
+      - uses: actions/cache@v4
         name: Setup pnpm cache
         with:
           path: ${{ env.STORE_PATH }}
@@ -33,7 +33,7 @@ jobs:
             ${{ runner.os }}-pnpm-store-
       -
         name: Check out the plugin
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           path: ./node_modules/__tmp
       -

package/.github/workflows/npmpublish.yml

@@ -1,5 +1,10 @@
 # This workflow will run tests using node and then publish a package to the npm registry when a release is created
 # For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
+#
+# Publishing uses npm Trusted Publishing (OIDC) — no NPM_TOKEN secret is
+# required. Each package must have a trusted publisher configured on npmjs.com
+# pointing at this workflow file. See:
+# https://docs.npmjs.com/trusted-publishers
 
 name: Node.js Package
 
@@ -9,11 +14,19 @@ on:
 jobs:
   publish-npm:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write   # for the atomic version-bump push (branch + tag)
+      id-token: write   # for npm OIDC trusted publishing
     steps:
       - uses: actions/setup-node@v6
         with:
+          # OIDC trusted publishing needs npm >= 11.5.1, which requires
+          # Node >= 20.17.0. setup-node's `20` resolves to the latest
+          # 20.x, which satisfies that.
           node-version: 20
           registry-url: https://registry.npmjs.org/
+      - name: Upgrade npm to >=11.5.1 (required for trusted publishing)
+        run: npm install -g npm@latest
       - name: Check out Etherpad core
         uses: actions/checkout@v6
         with:
@@ -47,8 +60,22 @@ jobs:
           git config user.name 'github-actions[bot]'
           git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
           pnpm i
+          # `pnpm version patch` bumps package.json, makes a commit, and creates
+          # a `v<new-version>` tag. Capture the new tag name from package.json
+          # rather than parsing pnpm's output, which has historically varied.
           pnpm version patch
-          git push --follow-tags
+          NEW_TAG="v$(node -p "require('./package.json').version")"
+          # CRITICAL: use --atomic so the branch update and the tag update
+          # succeed (or fail) as a single transaction on the server. The old
+          # `git push --follow-tags` was non-atomic per ref: if a concurrent
+          # publish run won the race, the branch fast-forward would be rejected
+          # but the tag push would still land — leaving a dangling tag with no
+          # matching commit on the branch. Subsequent runs would then forever
+          # try to bump to the same already-existing tag and fail with
+          # `tag 'vN+1' already exists`. With --atomic, a rejected branch push
+          # rejects the tag push too, and the next workflow tick can retry
+          # cleanly against the up-to-date refs.
+          git push --atomic origin "${GITHUB_REF_NAME}" "${NEW_TAG}"
       # This is required if the package has a prepare script that uses something
       # in dependencies or devDependencies.
       -
@@ -63,12 +90,10 @@ jobs:
       # already-used version number. By running `npm publish` after `git push`,
       # back-to-back merges will cause the first merge's workflow to fail but
       # the second's will succeed.
-      -
-        run: pnpm publish
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
-      #-
-      #  name: Add package to etherpad organization
-      #  run: pnpm access grant read-write etherpad:developers
-      #  env:
-      #    NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+      #
+      # Use `npm publish` directly (not `pnpm publish`) because OIDC trusted
+      # publishing requires npm CLI >= 11.5.1 and `pnpm publish` shells out to
+      # whichever `npm` is on PATH; calling `npm` directly avoids any shim
+      # ambiguity.
+      - name: Publish to npm via OIDC
+        run: npm publish --provenance --access public

package/.github/workflows/test-and-release.yml

@@ -1,6 +1,11 @@
 name: Node.js Package
 on: [push]
 
+# id-token: write must be granted here so the reusable npmpublish workflow
+# can request an OIDC token for npm trusted publishing.
+permissions:
+  contents: write
+  id-token: write
 
 jobs:
   backend:
@@ -14,5 +19,8 @@ jobs:
     needs:
       - backend
       - frontend
+    permissions:
+      contents: write   # for the version bump push
+      id-token: write   # for npm OIDC trusted publishing
     uses: ./.github/workflows/npmpublish.yml
     secrets: inherit

package/README.md

@@ -1,4 +1,4 @@
-![Publish Status](https://github.com/ether/ep_offline_edit/workflows/Node.js%20Package/badge.svg) ![Backend Tests Status](https://github.com/ether/ep_offline_edit/workflows/Backend%20tests/badge.svg)
+![Publish Status](https://github.com/ether/ep_offline_edit/workflows/Node.js%20Package/badge.svg) [![Backend Tests Status](https://github.com/ether/ep_offline_edit/actions/workflows/test-and-release.yml/badge.svg)](https://github.com/ether/ep_offline_edit/actions/workflows/test-and-release.yml)
 
 # Allows you to see your document if you get disconnected from the Internet.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ep_offline_edit",
-  "version": "0.0.39",
+  "version": "0.0.50",
   "description": "View your pad data even if you are disconnected from the Internets",
   "author": {
     "name": "John McLear",
@@ -12,7 +12,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/JohnMcLear/ep_offline_edit.git"
+    "url": "https://github.com/ether/ep_offline_edit.git"
   },
   "readmeFilename": "README.md",
   "funding": {
@@ -22,10 +22,10 @@
   "devDependencies": {
     "eslint": "^8.57.1",
     "eslint-config-etherpad": "^4.0.4",
-    "typescript": "^6.0.2"
+    "typescript": "^5.9.3"
   },
   "scripts": {
     "lint": "eslint .",
     "lint:fix": "eslint --fix ."
   }
-}
+}