ci(deps): bump actions/setup-node from 4.4.0 to 6.4.0 #118
| name: CI | |
| # Actions pinned to immutable SHAs per supply-chain hygiene policy (paybot-sdk | |
| # PR #11 CodeRabbit MAJOR-level guidance). Adjacent version comment marks the | |
| # floating-tag intent so Dependabot github-actions can offer upgrades. | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| node-version: [18, 20] | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| with: | |
| persist-credentials: false | |
| - name: Use Node.js ${{ matrix.node-version }} | |
| uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: ${{ matrix.node-version }} | |
| cache: npm | |
| - name: Install dependencies | |
| run: npm ci | |
| - name: Lint | |
| run: npm run lint | |
| - name: Type check | |
| run: npm run type-check | |
| - name: Run tests | |
| run: npm test | |
| - name: Coverage gate | |
| run: npm run coverage | |
| - name: Upload coverage report | |
| uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1 | |
| if: always() | |
| with: | |
| name: coverage-report-node-${{ matrix.node-version }} | |
| path: coverage/ | |
| retention-days: 14 | |
| - name: Build | |
| run: npm run build | |
| publish: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| if: github.ref == 'refs/heads/main' && github.event_name == 'push' | |
| permissions: | |
| contents: read | |
| id-token: write | |
| steps: | |
| # NOTE: publish job intentionally does NOT set persist-credentials: false — | |
| # `npm publish --provenance` requires the OIDC-issued GITHUB_TOKEN to remain | |
| # available for the duration of the publish step. | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 | |
| with: | |
| node-version: 20 | |
| registry-url: https://registry.npmjs.org | |
| - run: npm ci | |
| - run: npm run build | |
| - run: npm publish --provenance --access public | |
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
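Review bot: The setup-node step in the publish job passes no `cache` input, and this bump crosses the v5 release, which as far as I recall enables npm caching automatically when package.json declares npm as its package manager; a job that holds `id-token: write` and `NPM_TOKEN` should not restore a cache that other workflow runs can populate. Consider adding `package-manager-cache: false` under that step's `with:`, after confirming the input name against the action.yml at the pinned commit. Separately, the NOTE comment above the publish checkout looks inaccurate: provenance signing uses the OIDC token granted by `id-token: write`, whereas `persist-credentials` only controls whether checkout leaves the GITHUB_TOKEN in the local git config, so `persist-credentials: false` could likely be set on that checkout as well. It is also worth verifying that the pinned setup-node SHA resolves to the v6.4.0 tag upstream, since the page shows only the trailing comment.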