65 changes: 57 additions & 8 deletions .github/workflows/ci.yaml
@@ -1,5 +1,8 @@
name: CI

permissions:
contents: read

on:
push:
branches:
Expand All @@ -12,48 +15,94 @@ on:
jobs:
biome:
runs-on: ubuntu-24.04
timeout-minutes: 15
permissions:
contents: read
steps:
- name: Checkout your repository using git
uses: actions/checkout@v4
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
- name: Setup toolchain
uses: jdx/mise-action@v2
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1
- name: Install dependencies
run: bun install --frozen-lockfile
- name: Check using Biome
run: bun run ci

tsc:
runs-on: ubuntu-24.04
timeout-minutes: 15
permissions:
contents: read
steps:
- name: Checkout your repository using git
uses: actions/checkout@v4
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
- name: Setup toolchain
uses: jdx/mise-action@v2
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1
- name: Install dependencies
run: bun install --frozen-lockfile
- name: Check using tsc
run: bun run tsc

test:
runs-on: ubuntu-24.04
timeout-minutes: 15
permissions:
contents: read
steps:
- name: Checkout your repository using git
uses: actions/checkout@v4
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
- name: Setup toolchain
uses: jdx/mise-action@v2
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1
- name: Install dependencies
run: bun install --frozen-lockfile
- name: Test
run: bun run test

build:
runs-on: ubuntu-24.04
timeout-minutes: 15
permissions:
contents: read
steps:
- name: Checkout your repository using git
uses: actions/checkout@v4
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
- name: Setup toolchain
uses: jdx/mise-action@v2
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1
- name: Install dependencies
run: bun install --frozen-lockfile
- name: Build
run: bun run build

github-actions:
runs-on: ubuntu-24.04
timeout-minutes: 15
permissions:
contents: read
strategy:
matrix:
task: ["actionlint", "ghalint", "zizmor"]
fail-fast: false
steps:
- name: Checkout your repository using git
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
- name: Setup toolchain
uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3.5.1
- name: Run actionlint
if: matrix.task == 'actionlint'
run: actionlint
- name: Run ghalint
if: matrix.task == 'ghalint'
run: ghalint run
- name: Run zizmor
if: matrix.task == 'zizmor'
run: zizmor .
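Review bot: Nothing in the new `github-actions` matrix, as far as this section shows, checks that each pinned SHA really is the tag named in its trailing comment (`# v6.0.1`, `# v3.5.1`), so a mistyped or stale pin comment would pass unnoticed. `pinact` is pinned in `.tool-versions` by this same change, yet `task: ["actionlint", "ghalint", "zizmor"]` has no entry that runs it; adding `"pinact"` to the matrix with a step such as `run: pinact run --check --verify` would cover that (confirm both flags against pinact 3.2.0). The `zizmor .` step is also given no GitHub token, so any of its audits that need API access are presumably skipped; if those are wanted, `env: GH_TOKEN: ${{ github.token }}` on that one step keeps the token read-only under the job's `contents: read`.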
17 changes: 12 additions & 5 deletions .github/workflows/publish.yaml
Expand Up @@ -2,20 +2,27 @@ name: Publish package to npmjs
on:
release:
types: [published]
permissions:
id-token: write
contents: read
jobs:
build:
runs-on: ubuntu-latest
timeout-minutes: 15
permissions:
id-token: write
contents: read
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
with:
persist-credentials: false
- uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with:
node-version-file: ".tool-versions"
registry-url: "https://registry.npmjs.org"
- uses: oven-sh/setup-bun@v2
- uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2.0.2
with:
bun-version-file: ".tool-versions"
- run: bun install --frozen-lockfile
- run: npm run build
- run: npm publish
Copilot AI Dec 31, 2025

The provenance option should be explicitly set to true when using npm trusted publishing with OIDC. Add 'provenance: true' to the npm publish command to ensure package provenance is generated and published.

Suggested change
- run: npm publish
- run: npm publish --provenance

env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
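Review bot: `id-token: write` is granted twice, once at workflow level and again on the `build` job, so any job added to this workflow later without its own `permissions` block would be able to mint an OIDC token by default; keeping the workflow-level block to `contents: read` and leaving `id-token: write` only on the publishing job is the tighter form. The publish step still passes `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` (unchanged context at the end of this section), so a long-lived registry token stays in use alongside the OIDC permission. If the package is configured for trusted publishing, that secret can presumably be dropped and revoked; if it is not, a comment such as `# id-token: write is required only for provenance attestation` would record why the permission is there. Install, build and publish also share one job, so dependency install and build scripts run with the same token-minting permission as `npm publish`; splitting the build into a job without `id-token: write` would narrow that.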
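--- a/.tool-versions
+++ b/.tool-versions
@@ -1,2 +1,6 @@
-bun 1.2.13
-nodejs 24.12.0
+bun 1.2.13
+nodejs 24.12.0
+pinact 3.2.0
+zizmor 1.18.0
+actionlint 1.7.9
+ghalint 1.5.3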