ci: switch pub.dev auth to credentials file with refresh token (#3)

* chore: migrate package publishing from Artifactory to pub.dev

Replaces Artifactory configs with pub.dev authentication via PUB_TOKEN,
updates CI/CD to use `dart pub token add`, and removes old secrets.
Also updates documentation to reflect the new publishing process,
streamlining releases in the Dart/Flutter ecosystem.

* ci: update pub.dev auth to use full credentials with auto-refresh

Enables automatic token renewal in CI/CD by using the complete
credentials file. Updates workflows accordingly and adds a guide
on managing pub.dev credentials and token rotation best practices.

* docs: add dependency management strategy and fix analysis warnings script

Author: LeoPaulJulie

.github/SECRETS.md

@@ -1,106 +1,110 @@
 # GitHub Secrets Configuration
 
-This document lists all the secrets and environment variables required for the CI/CD pipelines.
+This document describes the required secrets for the CI/CD pipeline.
 
 ## Required Secrets
 
-### Repository Secrets
-
 Configure these secrets in your GitHub repository settings (`Settings > Secrets and variables > Actions`):
 
-#### Artifactory Configuration
-- **`ARTIFACTORY_URL`** - URL of your artifactory instance (e.g., `https://your-company.jfrog.io/artifactory/api/pub/dart`)
-- **`ARTIFACTORY_USERNAME`** - Username for artifactory authentication
-- **`ARTIFACTORY_PASSWORD`** - Password or API key for artifactory authentication
+### pub.dev Configuration
+- **`PUB_CREDENTIALS`** - Complete credentials JSON file for pub.dev publishing (includes refresh token for auto-renewal)
 
-#### Optional Notification Secrets
-- **`SLACK_WEBHOOK_URL`** - Slack webhook for release notifications (optional)
-- **`DISCORD_WEBHOOK_URL`** - Discord webhook for release notifications (optional)
+### Optional Notification Secrets
+- **`SLACK_WEBHOOK_URL`** - Webhook URL for Slack notifications (optional)
+- **`DISCORD_WEBHOOK_URL`** - Webhook URL for Discord notifications (optional)
 
-### Environment Variables
+## Setting Up Secrets
 
-These are automatically available in GitHub Actions:
+### 1. pub.dev Setup
 
-- **`GITHUB_TOKEN`** - Automatically provided by GitHub Actions
-- **`GITHUB_ACTOR`** - Username of the person who triggered the workflow
-- **`GITHUB_REF`** - Branch or tag ref that triggered the workflow
+1. **Generate pub.dev token:**
+   ```bash
+   # Login to pub.dev locally first
+   dart pub login
+   
+   # Get your credentials file
+   cat ~/.pub-cache/credentials.json
+   ```
 
-## Setting Up Secrets
+2. **Copy complete credentials:**
+   - Copy the ENTIRE JSON content from the credentials.json file
+   - Include the `refreshToken` for automatic token renewal
+   - This is your `PUB_CREDENTIALS` value
 
-### 1. Artifactory Setup
+3. **Add to GitHub:**
+   - Go to repository Settings > Secrets and variables > Actions
+   - Click "New repository secret"
+   - Name: `PUB_CREDENTIALS`
+   - Value: The complete JSON from step 2
 
+### 2. Notification Setup (Optional)
+
+#### Slack
 ```bash
-# Example artifactory URL formats:
-# JFrog Cloud: https://your-company.jfrog.io/artifactory/api/pub/dart
-# Self-hosted: https://artifactory.your-company.com/artifactory/api/pub/dart
+# Create a Slack webhook in your workspace
+# Add the webhook URL as SLACK_WEBHOOK_URL secret
 ```
 
-### 2. GitHub Repository Settings
-
-1. Go to your repository on GitHub
-2. Click on `Settings` tab
-3. Navigate to `Secrets and variables > Actions`
-4. Click `New repository secret`
-5. Add each secret with the exact name listed above
-
-### 3. Testing Secrets
-
-You can test if secrets are properly configured by running the manual release workflow with dry-run enabled.
+#### Discord
+```bash
+# Create a Discord webhook in your server
+# Add the webhook URL as DISCORD_WEBHOOK_URL secret
+```
 
 ## Security Best Practices
 
-### Secret Management
-- Use API keys instead of passwords when possible
-- Rotate secrets regularly
-- Use least-privilege access for artifactory users
+- Use tokens with minimal required permissions
+- Rotate tokens regularly
 - Never log secret values in workflows
+- Use environment-specific secrets when possible
 
-### Access Control
-- Limit repository access to trusted contributors
-- Use branch protection rules for main/develop branches
-- Require PR reviews for sensitive changes
+## Verification
 
-### Monitoring
-- Monitor artifactory access logs
-- Set up alerts for failed releases
-- Review workflow logs regularly
+Test your setup:
+```bash
+# Dry run to test authentication
+melos publish --dry-run
+```
 
 ## Troubleshooting
 
 ### Common Issues
 
-#### Artifactory Authentication Failed
+#### pub.dev Authentication Failed
 ```
-Error: 401 Unauthorized
+Error: 401 Unauthorized when accessing https://pub.dartlang.org
 ```
-**Solution:** Check `ARTIFACTORY_USERNAME` and `ARTIFACTORY_PASSWORD` are correct.
+**Solution:** Check that `PUB_CREDENTIALS` contains valid JSON with both accessToken and refreshToken.
 
-#### Artifactory URL Not Found
+#### Token Expired
 ```
-Error: Could not resolve host
+Error: Token has expired
 ```
-**Solution:** Verify `ARTIFACTORY_URL` is correct and accessible.
+**Solution:** Generate a new token using `dart pub login` and update the secret.
 
 #### Missing Permissions
 ```
-Error: Resource not accessible by integration
+Error: Insufficient permissions to publish package
 ```
-**Solution:** Ensure the repository has proper permissions and the `GITHUB_TOKEN` has write access.
+**Solution:** Ensure you have publisher permissions for the package on pub.dev.
 
-### Debug Mode
+## Token Management
 
-To enable debug logging in workflows, add this secret:
-- **`ACTIONS_RUNNER_DEBUG`** = `true`
+### Rotating Tokens
+1. Generate new token: `dart pub login`
+2. Update GitHub secret with new token
+3. Test with dry-run: `melos publish --dry-run`
 
-## Workflow Permissions
+### Monitoring
+- Monitor pub.dev package dashboard
+- Set up alerts for failed releases
+- Review workflow logs regularly
 
-The workflows require these permissions:
+## Package Publishing Process
 
-```yaml
-permissions:
-  contents: write      # For creating commits and tags
-  packages: write      # For publishing packages
-  pull-requests: write # For commenting on PRs
-```
+1. **Authentication**: GitHub Actions uses `PUB_TOKEN` to authenticate
+2. **Validation**: Packages are validated before publishing
+3. **Publishing**: Only changed packages are published
+4. **Verification**: Success/failure is reported in workflow logs
 
-These are automatically configured in the workflow files.
+For more details, see the main [CI/CD documentation](../docs/CI-CD.md).

.github/workflows/ci-cd.yml

@@ -194,35 +194,26 @@ jobs:
           git push origin main
           git push origin --tags
 
-      - name: 📦 Publish to artifactory
+      - name: 📦 Publish to pub.dev
         if: steps.check-changes.outputs.changed_packages > 0
         env:
-          ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL }}
-          ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
-          ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
+          PUB_CREDENTIALS: ${{ secrets.PUB_CREDENTIALS }}
         run: |
-          # Configure pub for artifactory
-          if [ ! -z "$ARTIFACTORY_URL" ]; then
-            echo "🏛️ Publishing to artifactory: $ARTIFACTORY_URL"
-
-            # Setup artifactory credentials
+          # Setup pub.dev credentials for auto-refresh
+          if [ -n "$PUB_CREDENTIALS" ]; then
+            echo "🔐 Setting up pub.dev credentials with auto-refresh..."
             mkdir -p ~/.pub-cache
-            cat > ~/.pub-cache/credentials.json << EOF
-          {
-            "accessToken": null,
-            "refreshToken": null,
-            "tokenEndpoint": null,
-            "scopes": null,
-            "expiration": null
-          }
-          EOF
-
-            # Publish packages to artifactory
-            melos publish --no-dry-run --yes || echo "⚠️ Some packages may have failed to publish"
+            echo "$PUB_CREDENTIALS" > ~/.pub-cache/credentials.json
+            echo "✅ Credentials configured with refresh token"
           else
-            echo "⚠️ Artifactory not configured, skipping publish"
+            echo "⚠️ PUB_CREDENTIALS not configured, skipping publish"
+            exit 1
           fi
 
+          # Publish packages (dart pub will auto-refresh token if needed)
+          echo "📦 Publishing packages to pub.dev..."
+          melos publish --no-dry-run --yes || echo "⚠️ Some packages may have failed to publish"
+
       - name: 📋 Create GitHub release
         if: steps.check-changes.outputs.changed_packages > 0
         uses: actions/create-release@v1

.github/workflows/manual-release.yml

@@ -167,34 +167,26 @@ jobs:
           git add CHANGELOG.md
           git commit -m "docs: update changelog for ${{ github.event.inputs.release_type }} release" || echo "No changelog changes to commit"
 
-      - name: 📦 Publish to artifactory
+      - name: 📦 Publish to pub.dev
         if: github.event.inputs.dry_run == 'false'
         env:
-          ARTIFACTORY_URL: ${{ secrets.ARTIFACTORY_URL }}
-          ARTIFACTORY_USERNAME: ${{ secrets.ARTIFACTORY_USERNAME }}
-          ARTIFACTORY_PASSWORD: ${{ secrets.ARTIFACTORY_PASSWORD }}
+          PUB_CREDENTIALS: ${{ secrets.PUB_CREDENTIALS }}
         run: |
-          if [ ! -z "$ARTIFACTORY_URL" ]; then
-            echo "🏛️ Publishing to artifactory: $ARTIFACTORY_URL"
-
-            # Setup artifactory credentials
+          # Setup pub.dev credentials for auto-refresh
+          if [ -n "$PUB_CREDENTIALS" ]; then
+            echo "🔐 Setting up pub.dev credentials with auto-refresh..."
             mkdir -p ~/.pub-cache
-            cat > ~/.pub-cache/credentials.json << EOF
-          {
-            "accessToken": null,
-            "refreshToken": null,
-            "tokenEndpoint": null,
-            "scopes": null,
-            "expiration": null
-          }
-          EOF
-
-            # Publish packages
-            melos publish --no-dry-run --yes
+            echo "$PUB_CREDENTIALS" > ~/.pub-cache/credentials.json
+            echo "✅ Credentials configured with refresh token"
           else
-            echo "⚠️ Artifactory not configured, skipping publish"
+            echo "⚠️ PUB_CREDENTIALS not configured, skipping publish"
+            exit 1
           fi
 
+          # Publish packages (dart pub will auto-refresh token if needed)
+          echo "📦 Publishing packages to pub.dev..."
+          melos publish --no-dry-run --yes
+
       - name: 📋 Create release summary
         if: github.event.inputs.dry_run == 'false'
         run: |

.github/workflows/pr-checks.yml

@@ -301,7 +301,7 @@ jobs:
           echo "When this PR is merged to main:"
           echo "- Packages will be automatically versioned"
           echo "- Changelogs will be updated"
-          echo "- Packages will be published to artifactory"
+          echo "- Packages will be published to pub.dev"
           echo "- GitHub releases will be created"
 
       - name: ❌ Checks failed