revise CI

Author: fs-eire

.github/workflows/auto-publish.yml

@@ -1,111 +1,88 @@
-name: Auto Version Bump and Publish
+name: Auto Publish
 
 on:
   push:
     branches: [main]
-    paths-ignore:
-      - "README.md"
-      - "LICENSE"
-      - ".gitignore"
-      - ".npmignore"
-      - "docs/**"
+  workflow_run:
+    workflows: ["CI"]
+    types: [completed]
+    branches: [main]
+
+# Only permissions to create tags and publish to NPM
+permissions:
+  contents: write # For creating tags
+  id-token: write # For NPM provenance
 
 jobs:
-  version-and-publish:
+  auto-publish:
     runs-on: ubuntu-latest
-
-    # Only run if the commit doesn't already contain a version bump or skip ci
-    if: "!contains(github.event.head_commit.message, 'chore: bump version') && !contains(github.event.head_commit.message, '[skip ci]')"
+    # Only run if CI passed and this is a push to main
+    if: |
+      github.event_name == 'push' && 
+      github.ref == 'refs/heads/main' ||
+      (github.event_name == 'workflow_run' && 
+       github.event.workflow_run.conclusion == 'success' &&
+       github.event.workflow_run.head_branch == 'main')
 
     steps:
-      - name: Checkout code
+      - name: Checkout
         uses: actions/checkout@v4
         with:
-          # Fetch full history for version bumping
           fetch-depth: 0
-          # Use a token that can push back to the repository
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: "18"
-          registry-url: "https://registry.npmjs.org/"
           cache: "npm"
+          registry-url: "https://registry.npmjs.org"
 
       - name: Install dependencies
         run: npm ci
 
-      - name: Run tests
-        run: npm test
-
-      - name: Build project
+      - name: Build
         run: npm run build
 
-      - name: Configure Git
-        run: |
-          git config --local user.email "action@github.com"
-          git config --local user.name "GitHub Action"
-
-      - name: Determine version bump type
-        id: version-bump
+      - name: Check if publish needed
+        id: check-publish
         run: |
-          # Check commit messages to determine bump type
-          COMMITS=$(git log --oneline $(git describe --tags --abbrev=0)..HEAD 2>/dev/null || git log --oneline)
-
-          if echo "$COMMITS" | grep -q -i "breaking\|major"; then
-            echo "bump_type=major" >> $GITHUB_OUTPUT
-            echo "Detected MAJOR version bump"
-          elif echo "$COMMITS" | grep -q -i "feat\|feature\|minor"; then
-            echo "bump_type=minor" >> $GITHUB_OUTPUT
-            echo "Detected MINOR version bump"
+          CURRENT_VERSION=$(node -p "require('./package.json').version")
+          PUBLISHED_VERSION=$(npm view $(node -p "require('./package.json').name") version 2>/dev/null || echo "0.0.0")
+          echo "Current version: $CURRENT_VERSION"
+          echo "Published version: $PUBLISHED_VERSION"
+          echo "current_version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+
+          if [ "$CURRENT_VERSION" != "$PUBLISHED_VERSION" ]; then
+            echo "publish_needed=true" >> $GITHUB_OUTPUT
+            echo "✅ Version bump detected: $PUBLISHED_VERSION → $CURRENT_VERSION"
           else
-            echo "bump_type=patch" >> $GITHUB_OUTPUT
-            echo "Detected PATCH version bump"
+            echo "publish_needed=false" >> $GITHUB_OUTPUT
+            echo "ℹ️ No version bump needed (current: $CURRENT_VERSION)"
           fi
 
-      - name: Bump version
-        id: version
+      - name: Create tag
+        if: steps.check-publish.outputs.publish_needed == 'true'
         run: |
-          # Bump version based on detected type
-          NEW_VERSION=$(npm version ${{ steps.version-bump.outputs.bump_type }} --no-git-tag-version)
-          echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
-          echo "New version: $NEW_VERSION"
-
-      - name: Update package-lock.json
-        run: npm install --package-lock-only
-
-      - name: Commit version bump
-        run: |
-          git add package.json package-lock.json
-          git commit -m "chore: bump version to ${{ steps.version.outputs.new_version }}"
-          git tag ${{ steps.version.outputs.new_version }}
-
-      - name: Push changes
-        run: |
-          git push origin main
-          git push origin ${{ steps.version.outputs.new_version }}
+          CURRENT_VERSION=$(node -p "require('./package.json').version")
+          git config --local user.email "action@github.com"
+          git config --local user.name "GitHub Action"
+          git tag "v$CURRENT_VERSION"
+          git push origin "v$CURRENT_VERSION"
 
       - name: Publish to NPM
-        run: npm publish
+        if: steps.check-publish.outputs.publish_needed == 'true'
+        run: npm publish --access public --provenance
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Create GitHub Release
+        if: steps.check-publish.outputs.publish_needed == 'true'
         uses: actions/create-release@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: ${{ steps.version.outputs.new_version }}
-          release_name: Release ${{ steps.version.outputs.new_version }}
-          body: |
-            ## Changes in ${{ steps.version.outputs.new_version }}
-
-            Auto-generated release for version ${{ steps.version.outputs.new_version }}.
-
-            ### Commits included:
-            ${{ github.event.head_commit.message }}
-
-            **Full Changelog**: https://github.com/${{ github.repository }}/compare/${{ github.event.before }}...${{ github.sha }}
+          tag_name: v${{ steps.check-publish.outputs.current_version }}
+          release_name: Release v${{ steps.check-publish.outputs.current_version }}
           draft: false
           prerelease: false

.github/workflows/ci.yml

@@ -2,21 +2,24 @@ name: CI
 
 on:
   push:
-    branches: [main, develop]
+    branches: [main]
   pull_request:
-    branches: [main, develop]
+    branches: [main]
+
+# Minimal permissions - read repo and write to PR branches only
+permissions:
+  contents: write # Needed for pushing to PR branches
+  pull-requests: write
 
 jobs:
   ci:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout code
+      - name: Checkout
         uses: actions/checkout@v4
         with:
-          # Use a token that can push back to the repository for format fixes
           token: ${{ secrets.GITHUB_TOKEN }}
-          fetch-depth: 0
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
@@ -27,58 +30,39 @@ jobs:
       - name: Install dependencies
         run: npm ci
 
-      - name: Build project
-        run: npm run build
-
-      - name: Run linter
-        run: npm run lint
-
-      - name: Check code formatting
+      - name: Check format
         id: format-check
         run: |
-          # Run format and capture if any files were changed
-          npm run format
+          npm run format:check
+          echo "format_needed=$?" >> $GITHUB_OUTPUT
+        continue-on-error: true
 
-          # Check if any files were modified
-          if git diff --quiet; then
-            echo "formatting_needed=false" >> $GITHUB_OUTPUT
-            echo "✅ All files are properly formatted"
-          else
-            echo "formatting_needed=true" >> $GITHUB_OUTPUT
-            echo "❌ Files need formatting"
-            echo "The following files were reformatted:"
-            git diff --name-only
-          fi
-
-      - name: Configure Git for auto-fix
-        if: steps.format-check.outputs.formatting_needed == 'true'
+      - name: Auto-fix formatting (PR only)
+        if: github.event_name == 'pull_request' && steps.format-check.outputs.format_needed != '0'
         run: |
+          npm run format
           git config --local user.email "action@github.com"
-          git config --local user.name "GitHub Action Auto-Format"
-
-      - name: Commit formatting fixes (PR only)
-        if: steps.format-check.outputs.formatting_needed == 'true' && github.event_name == 'pull_request'
-        run: |
+          git config --local user.name "GitHub Action"
           git add .
-          git commit -m "style: auto-fix code formatting [skip ci]"
-          git push origin HEAD:${{ github.head_ref }}
-          echo "✅ Formatting fixes committed to PR branch: ${{ github.head_ref }}"
-
-      - name: Fail CI due to formatting issues
-        if: steps.format-check.outputs.formatting_needed == 'true'
-        run: |
-          if [ "${{ github.event_name }}" = "pull_request" ]; then
-            echo "::error::Code formatting issues were found and automatically fixed."
-            echo "::error::The formatting fixes have been committed to the PR branch."
-            echo "::error::Please review the formatting changes and re-run CI."
+          if git diff --staged --quiet; then
+            echo "No formatting changes needed after all"
           else
-            echo "::error::Code formatting issues were found in main branch."
-            echo "::error::Please run 'npm run format' locally and commit the changes."
-            echo "::error::Auto-fix is only available for Pull Requests."
+            git commit -m "Auto-fix formatting [skip ci]"
+            git push origin HEAD:${{ github.head_ref }}
           fi
+
+      - name: Fail on format issues (main branch)
+        if: github.ref == 'refs/heads/main' && steps.format-check.outputs.format_needed != '0'
+        run: |
+          echo "❌ Code formatting issues detected on main branch"
+          echo "Please run 'npm run format' locally and commit the changes"
           exit 1
 
-      - name: Run tests
-        # Only run tests if formatting was OK
-        if: steps.format-check.outputs.formatting_needed == 'false'
+      - name: Lint
+        run: npm run lint
+
+      - name: Build
+        run: npm run build
+
+      - name: Test
         run: npm test

.github/workflows/manual-publish.yml

@@ -12,18 +12,23 @@ on:
           - patch
           - minor
           - major
-      skip_tests:
-        description: "Skip tests before publishing"
+      dry_run:
+        description: "Dry run (no actual publish)"
         required: false
         default: false
         type: boolean
 
+# Enhanced permissions for manual version bumping and publishing
+permissions:
+  contents: write # For creating commits, tags, and releases
+  id-token: write # For NPM provenance
+
 jobs:
   manual-publish:
     runs-on: ubuntu-latest
 
     steps:
-      - name: Checkout code
+      - name: Checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
@@ -33,17 +38,16 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: "18"
-          registry-url: "https://registry.npmjs.org/"
           cache: "npm"
+          registry-url: "https://registry.npmjs.org"
 
       - name: Install dependencies
         run: npm ci
 
       - name: Run tests
-        if: ${{ !inputs.skip_tests }}
         run: npm test
 
-      - name: Build project
+      - name: Build
         run: npm run build
 
       - name: Configure Git
@@ -54,41 +58,67 @@ jobs:
       - name: Bump version
         id: version
         run: |
-          NEW_VERSION=$(npm version ${{ inputs.version_type }} --no-git-tag-version)
-          echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
-          echo "Manual version bump: $NEW_VERSION"
+          if [ "${{ inputs.dry_run }}" = "true" ]; then
+            echo "🔍 DRY RUN MODE - No changes will be made"
+            CURRENT_VERSION=$(node -p "require('./package.json').version")
+            echo "current_version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+            echo "new_version=dry-run-$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          else
+            NEW_VERSION=$(npm version ${{ inputs.version_type }} --no-git-tag-version)
+            echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
+            echo "✅ Version bumped to: $NEW_VERSION"
+          fi
 
       - name: Update package-lock.json
+        if: inputs.dry_run == false
         run: npm install --package-lock-only
 
       - name: Commit version bump
+        if: inputs.dry_run == false
         run: |
           git add package.json package-lock.json
-          git commit -m "chore: manual bump version to ${{ steps.version.outputs.new_version }}"
-          git tag ${{ steps.version.outputs.new_version }}
+          git commit -m "chore: bump version to ${{ steps.version.outputs.new_version }}"
+          git tag "${{ steps.version.outputs.new_version }}"
 
       - name: Push changes
+        if: inputs.dry_run == false
         run: |
           git push origin main
-          git push origin ${{ steps.version.outputs.new_version }}
+          git push origin "${{ steps.version.outputs.new_version }}"
 
       - name: Publish to NPM
-        run: npm publish
+        if: inputs.dry_run == false
+        run: npm publish --access public --provenance
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Create GitHub Release
+        if: inputs.dry_run == false
         uses: actions/create-release@v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           tag_name: ${{ steps.version.outputs.new_version }}
           release_name: Release ${{ steps.version.outputs.new_version }}
           body: |
-            ## Manual Release ${{ steps.version.outputs.new_version }}
+            ## Changes in ${{ steps.version.outputs.new_version }}
 
-            This release was manually triggered with a ${{ inputs.version_type }} version bump.
+            Manual release for version ${{ steps.version.outputs.new_version }}.
 
-            **Full Changelog**: https://github.com/${{ github.repository }}/commits/main
+            Version bump type: **${{ inputs.version_type }}**
           draft: false
           prerelease: false
+
+      - name: Summary
+        run: |
+          if [ "${{ inputs.dry_run }}" = "true" ]; then
+            echo "🔍 **DRY RUN COMPLETED**"
+            echo "- Current version: ${{ steps.version.outputs.current_version }}"
+            echo "- Would bump to: ${{ inputs.version_type }}"
+            echo "- No changes were made"
+          else
+            echo "✅ **PUBLISH COMPLETED**"
+            echo "- New version: ${{ steps.version.outputs.new_version }}"
+            echo "- Published to NPM: https://www.npmjs.com/package/$(node -p 'require(\"./package.json\").name')"
+            echo "- GitHub release created"
+          fi