From fa6f6086db8a1c708ee08b078bed3fc9efe91d2c Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 12:40:29 -0600
Subject: [PATCH 1/9] ci: harden npm release workflow
---
 .github/workflows/release.yml | 77 ++++++++++++++++++++++++-----------
 1 file changed, 53 insertions(+), 24 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9c5ad2b..1974d63 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,60 +6,87 @@ concurrency: jobs: test: - name: πŸ§ͺ Test + name: ðŸ§Βͺ Test runs-on: ubuntu-latest steps: - - name: ⬇️ Checkout repo + - name: Ò¬‡ï¸ Checkout repo uses: actions/checkout@v5 - - name: πŸ” Setup bun + - name: Γ°ΒŸΒΒ” Setup bun uses: oven-sh/setup-bun@v1 - - name: πŸ“₯ Download deps + - name: Γ°ΒŸΒ“Β₯ Download deps run: bun install - - name: πŸ§ͺ Test + - name: ðŸ§Βͺ Test run: bun test - release: - name: πŸš€ Release + build-release-artifact: + name: πŸ“¦ Build release artifact needs: [test] runs-on: ubuntu-latest + permissions: + contents: read if: ${{ github.repository == 'epicweb-dev/remember' && contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', github.ref) && github.event_name == 'push' }} + steps: + - name: ⬇️ Checkout repo + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + + - name: βŽ” Setup node + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + with: + node-version: lts/* + package-manager-cache: false + + - name: πŸ“₯ Install deps + run: npm install --ignore-scripts + + - name: πŸ“¦ Prepare package + run: npx -p typescript tsc --declaration --emitDeclarationOnly --allowJs --checkJs --downlevelIteration --module nodenext --moduleResolution nodenext --target es2022 --outDir . 
index.js + + - name: πŸ“¦ Upload package artifact + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: npm-package-artifact + path: index.d.ts + if-no-files-found: error + retention-days: 1 + + release: + name: πŸš€ Release + needs: [build-release-artifact] + runs-on: ubuntu-latest permissions: contents: write # to be able to publish a GitHub release id-token: write # to enable use of OIDC for npm provenance issues: write # to be able to comment on released issues pull-requests: write # to be able to comment on released pull requests + if: + ${{ github.repository == 'epicweb-dev/remember' && + contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', + github.ref) && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - # I'd prefer to use bun, but I got this error when I tried using bunx instead of npx: - # error TS5042: Option 'project' cannot be mixed with source files on a command line. - # error: "tsc" exited with code 1 (SIGHUP) - # Also, I don't know how to use bun instead of node for semantic-release πŸ€·β€β™‚οΈ - name: βŽ” Setup node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: - node-version: lts/* + node-version: 24 + registry-url: https://registry.npmjs.org + package-manager-cache: false - - name: πŸ“₯ Download deps - uses: bahmutov/npm-install@v1 + - name: πŸ“¦ Download package artifact + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: - useLockFile: false - - - name: πŸ’ͺ Generate Types - run: - npx -p typescript tsc --declaration --emitDeclarationOnly --allowJs - --checkJs --downlevelIteration --module nodenext --moduleResolution - nodenext --target es2022 --outDir . index.js + name: npm-package-artifact + path: . 
- name: πŸš€ Release - uses: cycjimmy/semantic-release-action@v5.0.2 + uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: semantic_version: 25 branches: | @@ -73,3 +100,5 @@ jobs: ] env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + NPM_CONFIG_PROVENANCE: true + NPM_CONFIG_IGNORE_SCRIPTS: true From ab5875beecd1b2f8920b62287f91c39b2648054a Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 12:48:10 -0600 Subject: [PATCH 2/9] ci: fix workflow utf-8 encoding --- .github/workflows/release.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1974d63..6a20e15 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,19 +6,19 @@ concurrency: jobs: test: - name: ðŸ§Βͺ Test + name: πŸ§ͺ Test runs-on: ubuntu-latest steps: - - name: Ò¬‡ï¸ Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v5 - - name: Γ°ΒŸΒΒ” Setup bun + - name: πŸ” Setup bun uses: oven-sh/setup-bun@v1 - - name: Γ°ΒŸΒ“Β₯ Download deps + - name: πŸ“₯ Download deps run: bun install - - name: ðŸ§Βͺ Test + - name: πŸ§ͺ Test run: bun test build-release-artifact: @@ -35,7 +35,7 @@ jobs: - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: βŽ” Setup node + - name: βŽ„ Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: lts/* @@ -72,7 +72,7 @@ jobs: - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: βŽ” Setup node + - name: βŽ„ Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 From 2c7431e5472927f14f24e5f2cdab5cbab3ce3671 Mon Sep 17 00:00:00 2001 
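Review bot: The `test` job that the release chain `needs:` is still on mutable tags (`uses: actions/checkout@v5`, `uses: oven-sh/setup-bun@v1`) while every step of the two new jobs is pinned to a full commit SHA with a version comment; this hunk already rewrites those step lines, so pinning them the same way (`uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5`, `uses: oven-sh/setup-bun@<full-commit-sha> # v1`) would put the whole workflow on one policy. In `build-release-artifact`, `run: npm install --ignore-scripts` resolves dependency versions at run time — the removed `useLockFile: false` suggests no npm lockfile is committed — so the dependency set that produces `index.d.ts` is not reproducible from one run to the next; if a lockfile can be committed, `run: npm ci --ignore-scripts` is the fixed-set form. The `if:` guard on both jobs applies `contains()` to a comma-joined string, which is a substring test rather than a membership test, so a ref such as `refs/heads/ma` or `refs/heads/nex` also satisfies it; a `fromJSON` array or `on.push.branches` is exact. The `jobs:` mapping continues beyond both edges of this hunk.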
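Review bot: The `env:` block of the release step gains `NPM_CONFIG_PROVENANCE: true` but no `NPM_TOKEN`/`NODE_AUTH_TOKEN` is set anywhere in the visible workflow, so publication presumably depends on npm trusted publishing through the `id-token: write` grant — that dependency is invisible to the next maintainer and worth a comment next to the new line, e.g. `# publish authenticates via OIDC trusted publishing; no NPM_TOKEN secret is expected`. If that assumption is wrong and a token is still required elsewhere, the provenance flag on its own will not make the publish succeed, so confirm the registry-side configuration before merging. The step's `with:` mapping starts above this hunk.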
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 12:51:03 -0600 Subject: [PATCH 3/9] ci: address workflow review feedback --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6a20e15..3a0a5c8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -53,7 +53,7 @@ jobs: name: npm-package-artifact path: index.d.ts if-no-files-found: error - retention-days: 1 + retention-days: 7 release: name: πŸš€ Release From d3a99a6fe03e0e3685cf6fcb17cd56e4c73b2dab Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 12:59:35 -0600 Subject: [PATCH 4/9] ci: include next-major in release gate --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3a0a5c8..4f89ae8 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -29,7 +29,7 @@ jobs: contents: read if: ${{ github.repository == 'epicweb-dev/remember' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', + contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/next-major,refs/heads/alpha', github.ref) && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo @@ -66,7 +66,7 @@ jobs: pull-requests: write # to be able to comment on released pull requests if: ${{ github.repository == 'epicweb-dev/remember' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', + contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/next-major,refs/heads/alpha', github.ref) && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo From a7fad58700cb38d35fbee2cb4e1be538f0a2be48 Mon Sep 17 00:00:00 2001 
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 13:08:19 -0600 Subject: [PATCH 5/9] ci: align release workflow guards --- .github/workflows/release.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4f89ae8..d5b407d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -27,10 +27,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - if: - ${{ github.repository == 'epicweb-dev/remember' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/next-major,refs/heads/alpha', - github.ref) && github.event_name == 'push' }} + if: ${{ github.repository == 'epicweb-dev/remember' && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 @@ -64,10 +61,7 @@ jobs: id-token: write # to enable use of OIDC for npm provenance issues: write # to be able to comment on released issues pull-requests: write # to be able to comment on released pull requests - if: - ${{ github.repository == 'epicweb-dev/remember' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/next-major,refs/heads/alpha', - github.ref) && github.event_name == 'push' }} + if: ${{ github.repository == 'epicweb-dev/remember' && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 From d53000f34662af089d1bf09c4f9d34e5267a1dff Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 13:13:02 -0600 Subject: [PATCH 6/9] ci: default workflow token to read-only --- .github/workflows/release.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d5b407d..4228c62 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
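Review bot: Dropping the ref check leaves `if: ${{ github.repository == 'epicweb-dev/remember' && github.event_name == 'push' }}` as the only gate on the job that holds `id-token: write`, `contents: write`, `issues: write` and `pull-requests: write`, so with `on: [push, pull_request]` that job now starts on every push to any branch or tag and relies on semantic-release's `branches:` list (outside this hunk) to decide to do nothing. The privileged job still checks out the ref and downloads the artifact before semantic-release makes that decision. If the goal is to keep the branch list in one place, constraining the trigger at the workflow level is the exact form — `on:` / `  push:` / `    branches: [main, beta, next, next-major, alpha]` — and it also avoids the substring behaviour of the removed `contains()` expression; if tests should keep running on pushes to every branch, leave `push` unrestricted and reinstate the ref check on the two jobs instead. The same removal is made on the `build-release-artifact` guard in the first hunk of this patch.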
@@ -1,5 +1,8 @@ name: release on: [push, pull_request] +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true From f016d4e055dfa0eeb09f871f541aac75d6a649b0 Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 17:15:08 -0600 Subject: [PATCH 7/9] ci: remove emoji from workflow step names --- .github/workflows/release.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4228c62..951b765 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -12,16 +12,16 @@ jobs: name: πŸ§ͺ Test runs-on: ubuntu-latest steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@v5 - - name: πŸ” Setup bun + - name: Setup bun uses: oven-sh/setup-bun@v1 - - name: πŸ“₯ Download deps + - name: Download deps run: bun install - - name: πŸ§ͺ Test + - name: Test run: bun test build-release-artifact: 
@@ -32,22 +32,22 @@ jobs: contents: read if: ${{ github.repository == 'epicweb-dev/remember' && github.event_name == 'push' }} steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: βŽ„ Setup node + - name: Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: lts/* package-manager-cache: false - - name: πŸ“₯ Install deps + - name: Install deps run: npm install --ignore-scripts - - name: πŸ“¦ Prepare package + - name: Prepare package run: npx -p typescript tsc --declaration --emitDeclarationOnly --allowJs --checkJs --downlevelIteration --module nodenext --moduleResolution nodenext --target es2022 --outDir . index.js - - name: πŸ“¦ Upload package artifact + - name: Upload package artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: npm-package-artifact @@ -66,23 +66,23 @@ jobs: pull-requests: write # to be able to comment on released pull requests if: ${{ github.repository == 'epicweb-dev/remember' && github.event_name == 'push' }} steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: βŽ„ Setup node + - name: Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 registry-url: https://registry.npmjs.org package-manager-cache: false - - name: πŸ“¦ Download package artifact + - name: Download package artifact uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: npm-package-artifact path: . - - name: πŸš€ Release + - name: Release uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: semantic_version: 25 From d8fade892d9656dbf7ed18297a52799e8d43203b Mon Sep 17 00:00:00 2001 
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 18:06:17 -0600 Subject: [PATCH 8/9] ci: preserve existing workflow labels --- .github/workflows/release.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 951b765..39ffa7e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -name: release +name: πŸš€ Release on: [push, pull_request] permissions: contents: read @@ -12,16 +12,16 @@ jobs: name: πŸ§ͺ Test runs-on: ubuntu-latest steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v5 - - name: Setup bun + - name: πŸ” Setup bun uses: oven-sh/setup-bun@v1 - - name: Download deps + - name: πŸ“₯ Download deps run: bun install - - name: Test + - name: πŸ§ͺ Test run: bun test build-release-artifact: @@ -32,10 +32,10 @@ jobs: contents: read if: ${{ github.repository == 'epicweb-dev/remember' && github.event_name == 'push' }} steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: Setup node + - name: βŽ” Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: lts/* @@ -66,10 +66,10 @@ jobs: pull-requests: write # to be able to comment on released pull requests if: ${{ github.repository == 'epicweb-dev/remember' && github.event_name == 'push' }} steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: Setup node + - name: βŽ” Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 @@ -82,7 +82,7 @@ jobs: name: npm-package-artifact path: . - - name: Release + - name: πŸš€ Release uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: semantic_version: 25 
From b733ffc9074be1c83d2155005a8e2fb619e3411c Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 18:07:55 -0600 Subject: [PATCH 9/9] ci: preserve workflow label context --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 39ffa7e..21b0b36 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -name: πŸš€ Release +name: release on: [push, pull_request] permissions: contents: read