Harden release workflow: bumpVersion input, echohq registry, scope nightly permissions

cx-luis-ventuzelos · cx-luis-ventuzelos · commit aa704aa99400 · 2026-06-18T14:40:18.000+01:00
diff --git a/.github/workflows/nightly.yml b/.github/workflows/nightly.yml
@@ -1,9 +1,7 @@
 name: Nightly Release
 
 permissions:
-  id-token: write
-  contents: write
-  packages: write
+  contents: read
 
 on:
   push:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -18,6 +18,11 @@ on:
         required: false
         default: true
         type: boolean
+      bumpVersion:
+        description: 'Bump npm version, create and merge version PR'
+        required: false
+        default: true
+        type: boolean
   workflow_dispatch:
     inputs:
       cliTag:
@@ -33,6 +38,11 @@ on:
         required: false
         default: true
         type: boolean
+      bumpVersion:
+        description: 'Bump npm version, create and merge version PR'
+        required: false
+        default: true
+        type: boolean
 
 permissions:
   contents: read
@@ -72,18 +82,26 @@ jobs:
       - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 22.11.0
-          registry-url: https://npm.pkg.github.com/
+          registry-url: https://npm.echohq.com/
+
+      - name: Configure GitHub Packages auth
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npm config set //npm.pkg.github.com/:_authToken "${GH_TOKEN}"
 
       - name: Generate Tag name
         id: generate_tag_name
         env:
           INPUT_DEV: ${{ inputs.dev }}
           INPUT_JS_TAG: ${{ inputs.jsTag }}
+          INPUT_BUMP_VERSION: ${{ inputs.bumpVersion }}
         run: |
           if [ "$INPUT_DEV" == "true" ]; then
             TAG_NAME=$(npm version prerelease --preid="$INPUT_JS_TAG" --no-git-tag-version --allow-same-version)
-          else
+          elif [ "$INPUT_BUMP_VERSION" == "true" ]; then
             TAG_NAME=$(npm version patch --no-git-tag-version)
+          else
+            TAG_NAME=v$(node -p "require('./package.json').version")
           fi
 
           echo "Generated TAG_NAME: $TAG_NAME"
@@ -124,7 +142,7 @@ jobs:
 
       - name: Create Pull Request
         id: create_pr
-        if: inputs.dev == false
+        if: inputs.dev == false && inputs.bumpVersion == true
         uses: step-security/create-pull-request@50c103da2b9ca12cd5bc013fc6931051a5aa872b # v8.1.1
         with:
           token: ${{ env.GITHUB_TOKEN }}
@@ -136,13 +154,13 @@ jobs:
 
       - name: Wait for PR to be created
         id: pr
-        if: inputs.dev == false
+        if: inputs.dev == false && inputs.bumpVersion == true
         uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae # v3.0.0
         with:
           route: GET /repos/${{ github.repository }}/pulls?head=${{ github.repository_owner }}:${{ env.BRANCH_NAME }}
 
       - name: Merge Pull Request
-        if: inputs.dev == false
+        if: inputs.dev == false && inputs.bumpVersion == true
         uses: octokit/request-action@b91aabaa861c777dcdb14e2387e30eddf04619ae # v3.0.0
         with:
           route: PUT /repos/${{ github.repository }}/pulls/${{ steps.create_pr.outputs.pull-request-number }}/merge
