From 63e2baedf55296256f748ca556c3195151775ece Mon Sep 17 00:00:00 2001 From: Cody Olsen Date: Thu, 24 Aug 2023 00:08:36 +0200 Subject: [PATCH] fix: add provenance --- renovate.json => .github/renovate.json | 0 .github/workflows/format-if-needed.yml | 41 ++++++++++++++++++++++++++ .github/workflows/main.yml | 38 ++++++++++++++++++++---- package.json | 3 +- 4 files changed, 75 insertions(+), 7 deletions(-) rename renovate.json => .github/renovate.json (100%) create mode 100644 .github/workflows/format-if-needed.yml diff --git a/renovate.json b/.github/renovate.json similarity index 100% rename from renovate.json rename to .github/renovate.json diff --git a/.github/workflows/format-if-needed.yml b/.github/workflows/format-if-needed.yml new file mode 100644 index 0000000..7a85c72 --- /dev/null +++ b/.github/workflows/format-if-needed.yml @@ -0,0 +1,41 @@ +--- +name: Auto format + +on: + push: + branches: [main] + +concurrency: + group: ${{ github.workflow }} + cancel-in-progress: true + +permissions: + contents: read # for checkout + +jobs: + run: + name: Can the code be formatted? 🤔 + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: lts/* + - run: corepack enable && pnpm --version + - run: pnpm install --ignore-scripts + - run: pnpm format + - run: git restore .github/workflows + - uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1 + id: generate-token + with: + app_id: ${{ secrets.ECOSCRIPT_APP_ID }} + private_key: ${{ secrets.ECOSCRIPT_APP_PRIVATE_KEY }} + - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5 + with: + author: github-actions <41898282+github-actions[bot]@users.noreply.github.com> + body: I ran `pnpm format` 🧑‍💻 + branch: actions/format + commit-message: 'chore(format): 🤖 ✨' + labels: 🤖 bot + title: 'chore(format): 🤖 ✨' + token: ${{ steps.generate-token.outputs.token }} 
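Review bot: The `tibdex/github-app-token` step in the new `format-if-needed.yml` is called with only `app_id` and `private_key`, so the installation token it mints carries the full permission set of the ECOSCRIPT app, although the only consumer is the `create-pull-request` step that needs to push a branch and open a PR on this repository. If the pinned release supports the input, scope the token at issue time, e.g. `permissions: '{"contents": "write", "pull_requests": "write"}'`, so a compromised step later in the job cannot use it for anything else. The `git restore .github/workflows` step is a sensible guard against the formatter (or a malicious formatter plugin) rewriting workflow files in the bot PR, but its purpose is not stated; a one-line comment such as `# never let the bot PR touch workflow files` would preserve the intent. The two third-party actions are SHA-pinned while `actions/checkout@v3` and `actions/setup-node@v3` are tag-pinned; the pinning discipline would be more consistent if all four were pinned the same way.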
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 1866ea2..d03b8f8 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -8,18 +8,34 @@ on: - beta - main +permissions: + contents: read # for checkout + jobs: + build: + runs-on: ubuntu-latest + name: Lint & Build + steps: + - uses: actions/checkout@v3 + - uses: actions/setup-node@v3 + with: + node-version: lts/* + - run: corepack enable && pnpm --version + - run: pnpm install + - run: pnpm lint + - run: pnpm build + test: runs-on: ${{ matrix.platform }} name: Node.js ${{ matrix.node-version }} / ${{ matrix.platform }} strategy: fail-fast: false matrix: - platform: [ubuntu-latest] - node-version: [lts/*, current] + platform: [macos-latest, ubuntu-latest, windows-latest] + node-version: [lts/*] include: - - platform: macos-latest - node-version: lts/* + - platform: ubuntu-latest + node-version: current steps: - uses: actions/checkout@v3 - uses: actions/setup-node@v3 @@ -30,8 +46,13 @@ jobs: - run: pnpm test release: + permissions: + contents: write # to be able to publish a GitHub release + issues: write # to be able to comment on released issues + pull-requests: write # to be able to comment on released pull requests + id-token: write # to enable use of OIDC for npm provenance name: 'Semantic release' - needs: test + needs: [build, test] runs-on: ubuntu-latest steps: - uses: actions/checkout@v3 @@ -52,8 +73,13 @@ jobs: # Build docs - run: npm run docs:build # Deploy docs + - uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1 + id: generate-token + with: + app_id: ${{ secrets.ECOSCRIPT_APP_ID }} + private_key: ${{ secrets.ECOSCRIPT_APP_PRIVATE_KEY }} - uses: peaceiris/actions-gh-pages@373f7f263a76c20808c831209c920827a82a2847 # v3 if: ${{ github.ref == 'refs/heads/main' }} with: - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.generate-token.outputs.token }} publish_dir: ./docs 
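Review bot: The new `build` job runs a bare `pnpm install`, whereas the format workflow added in the same commit installs with `--ignore-scripts`; the build job therefore executes dependency lifecycle scripts, which is where a compromised package gets code execution, and nothing in the hunk indicates the build needs them. If `pnpm lint` and `pnpm build` work without install scripts, use `- run: pnpm install --ignore-scripts` here as well; otherwise a short comment explaining why scripts are required would document the decision (the `test` job's install step is outside this hunk, so I cannot tell whether it has the same gap). The top-level `permissions: contents: read` is the right default and makes the job-level escalation in `release` explicit. The `on:` block whose tail (`- beta`, `- main`) is visible here starts above the hunk, so I cannot see whether the workflow also runs on `pull_request`, which would change the trust level of the code being installed.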
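Review bot: `id-token: write` on the `release` job is job-wide: every step in the job, not only the npm publish, can request an OIDC token for this repository and ref, and such a token is accepted by any cloud trust policy that has been configured to trust this repo, so the blast radius of a compromised action or npm script in this job grows with this line. The comment on it only mentions npm provenance; I would extend it to record the scope, e.g. `id-token: write # OIDC for npm provenance; job-wide, so keep every step in this job pinned and minimal`. The rest of the release job's steps continue past the hunk, so I cannot see which third-party actions run with this permission available.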
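Review bot: The `generate-token` step added before the gh-pages deploy has no `if:` guard, while the deploy step it feeds only runs when `github.ref == 'refs/heads/main'`; on pushes to the other branch listed in the trigger, the release job mints an App installation token that nothing consumes. Give the token step the same condition, `if: ${{ github.ref == 'refs/heads/main' }}`, so the credential is only issued when it will be used. The reason for replacing `secrets.GITHUB_TOKEN` with an App token is not stated in the diff or the commit message; presumably it is so the gh-pages push can trigger downstream workflow runs, which pushes made with `GITHUB_TOKEN` never do, and a comment such as `# App token: pushes made with GITHUB_TOKEN do not trigger other workflows` would record that. As with the format workflow, a `permissions` input restricting this token to `contents: write` would keep it to what the deploy needs.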
diff --git a/package.json b/package.json index 26eab4b..47f902c 100644 --- a/package.json +++ b/package.json @@ -126,6 +126,7 @@ "node": "^14.13.1 || >=16.0.0 || >=18.0.0" }, "publishConfig": { - "access": "public" + "access": "public", + "provenance": true } }
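Review bot: `"provenance": true` in `publishConfig` makes every `npm publish` of this package request a provenance attestation, and as far as I know npm (9.5+) refuses to publish when it cannot generate one, i.e. from a developer machine or from CI that is not a supported OIDC provider, so this effectively restricts publishing to the `release` job. That is a good property for supply-chain integrity, but it is not recorded anywhere and package.json cannot carry a comment; a line in the README or contributing guide along the lines of "releases are published only from CI with npm provenance; a local `npm publish` will fail" would save the next maintainer a confusing error. This setting only works together with the `id-token: write` permission added to the release job in the same commit; keep the two changes coupled if either is ever reverted.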