@@ -4,10 +4,10 @@ name: CI & Release
44# Workflow name based on selected inputs. Fallback to default Github naming when expression evaluates to empty string
55run-name : >-
66 ${{
7- inputs.release && inputs.test && format( 'Build {0} ➤ Test ➤ Publish to NPM', github.ref_name) ||
8- inputs.release && !inputs.test && format( 'Build {0} ➤ Skip Tests ➤ Publish to NPM', github.ref_name) ||
9- github.event_name == 'workflow_dispatch' && inputs.test && format( 'Build {0} ➤ Test', github.ref_name) ||
10- github.event_name == 'workflow_dispatch' && !inputs.test && format( 'Build {0} ➤ Skip Tests', github.ref_name) ||
7+ inputs.release && inputs.test && 'Build ➤ Test ➤ Publish to NPM' ||
8+ inputs.release && !inputs.test && 'Build ➤ Skip Tests ➤ Publish to NPM' ||
9+ github.event_name == 'workflow_dispatch' && inputs.test && 'Build ➤ Test' ||
10+ github.event_name == 'workflow_dispatch' && !inputs.test && 'Build ➤ Skip Tests' ||
1111 ''
1212 }}
1313
@@ -37,6 +37,9 @@ concurrency:
3737 group : ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
3838 cancel-in-progress : true
3939
40+ permissions :
41+ contents : read # for checkout
42+
4043jobs :
4144 build :
4245 runs-on : ubuntu-latest
7174 include :
7275 - os : ubuntu-latest
7376 # Test the oldest LTS release of Node that's still receiving bugfixes and security patches, versions older than that have reached End-of-Life
74- node : lts/-2
77+ node : lts/-1
7578 - os : ubuntu-latest
7679 # Test the actively developed version that will become the latest LTS release next October
7780 node : current
@@ -87,37 +90,44 @@ jobs:
8790 with :
8891 cache : npm
8992 node-version : ${{ matrix.node }}
90- - run : npm i
93+ - run : npm install
9194 - run : npm test --if-present
9295
9396 release :
97+ permissions :
98+ id-token : write # to enable use of OIDC for npm provenance
9499 needs : [build, test]
95100 # only run if opt-in during workflow_dispatch
96101 if : always() && github.event.inputs.release == 'true' && needs.build.result != 'failure' && needs.test.result != 'failure' && needs.test.result != 'cancelled'
97102 runs-on : ubuntu-latest
98103 name : Semantic release
99104 steps :
105+ - uses : actions/create-github-app-token@v1
106+ id : app-token
107+ with :
108+ app-id : ${{ secrets.APP_ID }}
109+ private-key : ${{ secrets.APP_PRIVATE_KEY }}
100110 - uses : actions/checkout@v4
101111 with :
102112 # Need to fetch entire commit history to
103113 # analyze every commit since last release
104114 fetch-depth : 0
115+ # Uses generated token to allow pushing commits back when strict branch rules are used
116+ token : ${{ steps.app-token.outputs.token }}
117+ # Make sure the value of GITHUB_TOKEN will not be persisted in repo's config
118+ persist-credentials : false
105119 - uses : actions/setup-node@v4
106120 with :
107121 cache : npm
108122 node-version : lts/*
109- - run : npm ci
123+ - run : npm clean-install
124+ - run : npm audit signatures
110125 # Branches that will release new versions are defined in .releaserc.json
111126 - run : npx semantic-release
112127 # Don't allow interrupting the release step if the job is cancelled, as it can lead to an inconsistent state
113128 # e.g. git tags were pushed but it exited before `npm publish`
114129 if : always()
115130 env :
116- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
117- NPM_TOKEN : ${{ secrets.NPM_PUBLISH_TOKEN }}
118- # Re-run semantic release with rich logs if it failed to publish for easier debugging
119- - run : npx semantic-release --debug
120- if : failure()
121- env :
122- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
131+ NPM_CONFIG_PROVENANCE : true
132+ GITHUB_TOKEN : ${{ steps.app-token.outputs.token }}
123133 NPM_TOKEN : ${{ secrets.NPM_PUBLISH_TOKEN }}
0 commit comments