From 50fc488b1baea5a9028eeb40e1d3bc81c1a521e3 Mon Sep 17 00:00:00 2001 From: Andrew Branch Date: Fri, 29 May 2026 09:08:12 -0700 Subject: [PATCH 1/2] Update for OIDC tokenless publishing --- .github/workflows/ci.yml | 12 +++++--- .github/workflows/deploy-web.yml | 16 ++++++---- .github/workflows/version-or-publish.yml | 38 +++++++++++++++++++----- 3 files changed, 48 insertions(+), 18 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 05cee16..cb93a51 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,23 +3,27 @@ on: pull_request: branches: [main] +permissions: {} + jobs: build: strategy: matrix: os: [ubuntu-latest, windows-latest] runs-on: ${{ matrix.os }} + permissions: + contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 - - uses: pnpm/action-setup@v6 + persist-credentials: false + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: cache: true - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 22 - cache: "pnpm" - run: pnpm install --frozen-lockfile - run: pnpm tsc - run: pnpm build diff --git a/.github/workflows/deploy-web.yml b/.github/workflows/deploy-web.yml index e58c35c..9f4c986 100644 --- a/.github/workflows/deploy-web.yml +++ b/.github/workflows/deploy-web.yml 
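Review bot: The trailing `# v6` comments on the three new SHA pins (checkout, pnpm/action-setup, setup-node) name only a mutable major tag, so a reader cannot check the hash against a specific release and automated pin updaters have less to work with. Record the exact release tag the SHA was resolved from, e.g. `- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.X.Y (placeholder: use the resolved release tag)`, and keep the comment in step whenever the hash is bumped. The same applies to the pins in the deploy-web.yml and version-or-publish.yml hunks. Otherwise the hardening here — top-level `permissions: {}`, `contents: read` on the job and `persist-credentials: false` on checkout — is the right shape for a pull_request workflow.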
@@ -3,24 +3,28 @@ on: push: branches: [main] +permissions: {} + jobs: build: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 - - uses: pnpm/action-setup@v6 + persist-credentials: false + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: cache: true - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 22 - cache: "pnpm" - run: pnpm install --frozen-lockfile - run: pnpm build - run: pnpm test - - uses: actions/upload-pages-artifact@v5 + - uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9 # v5 with: path: ./packages/web/dist deploy: @@ -34,5 +38,5 @@ jobs: name: github-pages url: ${{ steps.deploy.outputs.page_url }} steps: - - uses: actions/deploy-pages@v5 + - uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128 # v5 id: deploy diff --git a/.github/workflows/version-or-publish.yml b/.github/workflows/version-or-publish.yml index 754f241..68e8bfa 100644 --- a/.github/workflows/version-or-publish.yml +++ b/.github/workflows/version-or-publish.yml 
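Review bot: With `permissions: {}` now at the top of this file, the `deploy` job — whose header and any `permissions:` block sit between the two hunks, outside the visible lines — only keeps working if it declares `pages: write` and `id-token: write` itself, because actions/deploy-pages needs both and the workflow default no longer grants anything. If the job has no such block, add `permissions:` / `  pages: write` / `  id-token: write` under `deploy:`; if it already has one, it is worth confirming it grants nothing beyond those two. The build job's hunk, which pins the actions and sets `persist-credentials: false`, needs no change.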
@@ -11,29 +11,51 @@ on: concurrency: ${{ github.workflow }}-${{ github.ref }} +permissions: {} + jobs: - publish: + test: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 with: fetch-depth: 1 - - uses: pnpm/action-setup@v6 + persist-credentials: false + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 with: cache: true - - uses: actions/setup-node@v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 22 - cache: "pnpm" - run: pnpm install --frozen-lockfile - run: pnpm build - run: pnpm test - run: pnpm check-dts - - uses: changesets/action@v1 + publish: + needs: test + runs-on: ubuntu-latest + permissions: + contents: write + pull-requests: write + id-token: write + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 + with: + persist-credentials: false + - uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6 + - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + with: + node-version: 22 + package-manager-cache: false + - run: pnpm install --frozen-lockfile + - run: pnpm build + - uses: changesets/action@ce079ea084e08a340947ed4d6ecedb2433c8f293 # v1 with: - publish: pnpm publish -r && pnpm changeset tag + publish: pnpm publish -r --provenance && pnpm changeset tag version: pnpm run version env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + NPM_TOKEN: "" # OIDC trusted publishing; see https://github.com/changesets/changesets/issues/1152#issuecomment-3190884868 AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }} From d8d7d0476db8564d90a077d67e05a5854d457120 Mon Sep 17 00:00:00 2001 From: Andrew Branch Date: Fri, 29 May 2026 09:11:13 -0700 Subject: [PATCH 2/2] Remove redundant config --- package.json | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) 
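Review bot: The publish job's checkout sets `persist-credentials: false`, yet changesets/action still has to `git push` the version branch and the tags created by `pnpm changeset tag`; unless the action puts `GITHUB_TOKEN` into the remote URL itself, that push now runs without credentials, so confirm on a trial run before relying on it (or keep credentials on this one checkout, since the job already holds `contents: write`). `id-token: write` is job-scoped, so `pnpm install --frozen-lockfile`, `pnpm build` and any lifecycle scripts they execute run with the ability to mint the OIDC token that `--provenance` uses; if the build does not need install scripts, `pnpm install --frozen-lockfile --ignore-scripts` in this job narrows that. `--provenance` also presumes the publishing client supports trusted publishing — if `pnpm publish` delegates to the npm bundled with Node 22, check that version is recent enough for OIDC. The `NPM_TOKEN: ""` line is explained only by the linked issue; a short inline reason helps the next reader, e.g. `NPM_TOKEN: "" # intentionally empty: publish authenticates via OIDC, not a token`.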
diff --git a/package.json b/package.json
index 1d15fab..67c50cc 100644
--- a/package.json
+++ b/package.json
@@ -24,10 +24,5 @@
 "node": ">=22",
 "pnpm": ">=11"
 },
- "packageManager": "pnpm@11.1.1+sha512.d1fdf5f73c617b64fa1a56a81c3c8dfe0e966e33a6010aa256b517ae77be21d93e05affc0de1a83b0e4f29d569f68b446ae8f068cd7247c0bb3df0fb4d7bdf9a",
- "pnpm": {
- "patchedDependencies": {
- "cjs-module-lexer@1.4.0": "patches/cjs-module-lexer@1.4.0.patch"
- }
- }
+ "packageManager": "pnpm@11.1.1+sha512.d1fdf5f73c617b64fa1a56a81c3c8dfe0e966e33a6010aa256b517ae77be21d93e05affc0de1a83b0e4f29d569f68b446ae8f068cd7247c0bb3df0fb4d7bdf9a"
 }
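Review bot: Removing `pnpm.patchedDependencies` from package.json alone is probably not enough: the diffstat shows only this file changed, so `patches/cjs-module-lexer@1.4.0.patch` stays in the tree, and if pnpm-lock.yaml also records the patch, the CI `pnpm install --frozen-lockfile` step would reject the now-mismatched lockfile. Regenerate the lockfile and delete the orphaned patch file in the same commit, and note in the message why the patch became redundant (a fixed upstream version, for instance) so the removal is traceable.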