From 9d1c34818650510411da0607583f5e0e0ad42838 Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 12:28:11 -0600
Subject: [PATCH 1/9] ci: harden npm release workflow
---
.github/workflows/validate.yml | 65 +++++++++++++++++++++++++---------
1 file changed, 49 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 1f1a3434..6b9d48a8 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -25,28 +25,61 @@ jobs: node: [lts/-1, lts/*, latest] runs-on: ${{ matrix.os }} steps: - - name: ⬇️ Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v4 - - name: ⎔ Setup node + - name: ⎔ Setup node uses: actions/setup-node@v4 with: node-version: ${{ matrix.node }} - - name: 📥 Download deps + - name: 📥 Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: ▶️ Run validate script + - name: ▶️ Run validate script run: npm run validate - - name: ⬆️ Upload coverage report + - name: ⬆️ Upload coverage report uses: codecov/codecov-action@v3 - release: + build-release-artifact: needs: main runs-on: ubuntu-latest + permissions: + contents: read + if: + ${{ github.repository == 'kentcdodds/kcd-scripts' && + contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', + github.ref) && github.event_name == 'push' }} + steps: + - name: ⬇️ Checkout repo + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + + - name: ⎔ Setup node + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 + with: + node-version: lts/* + package-manager-cache: false + + - name: 📥 Install deps + run: npm install --ignore-scripts + + - name: 🏗 Run build script + run: npm run build + + - name: 📦 Upload package artifact + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: npm-package-dist + path: dist + if-no-files-found: error + retention-days: 1 + + release: + needs: build-release-artifact + runs-on: ubuntu-latest permissions: contents: write # to be able to publish a GitHub release id-token: write # to enable use of OIDC for npm provenance 
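Review bot: The new `build-release-artifact` job carries no comment explaining why building was split out of `release`, so the reasoning behind `permissions: contents: read` and `npm install --ignore-scripts` here versus the `contents: write` / `id-token: write` retained by `release` lives only in the commit subject. Presumably the intent is that the job holding the publish and OIDC credentials never executes dependency install scripts or the build; a one-line comment above `build-release-artifact:` would pin that down: `# Build in a read-only job so the release job (contents/id-token: write) never runs install or build scripts.` The `if:` gate is duplicated verbatim on both jobs; since `release` has `needs: build-release-artifact`, a skipped build already skips the release, which is worth stating in that same comment so the duplication is not "fixed" away later.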
@@ -60,23 +93,23 @@ jobs: github.ref) && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: ⎔ Setup node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: - node-version: lts/* + node-version: 24 + registry-url: https://registry.npmjs.org + package-manager-cache: false - - name: 📥 Download deps - uses: bahmutov/npm-install@v1 + - name: 📦 Download package artifact + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: - useLockFile: false - - - name: 🏗 Run build script - run: npm run build + name: npm-package-dist + path: dist - name: 🚀 Release - uses: cycjimmy/semantic-release-action@v5.0.2 + uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: semantic_version: 25 branches: |
From e41917538da157f4480cdd4a237b977643ffef89 Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 12:47:07 -0600
Subject: [PATCH 2/9] ci: fix workflow utf-8 encoding
---
.github/workflows/validate.yml | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 6b9d48a8..87611a22 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
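Review bot: The `release` job now runs semantic-release (and therefore `npm publish`) on a checkout with no install step, so any `prepare`, `prepack` or `prepublishOnly` script declared in package.json would execute against a tree without `node_modules`; whether the package declares such scripts is not visible from this hunk. If it does, the publish would fail or attempt to rebuild over the `dist` just downloaded, defeating the split; either keep an `npm install --ignore-scripts` step before the release step or document the contract. A comment above the download step, `# dist comes from build-release-artifact; this job must not install or build`, would make the dependency on the upstream job explicit.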
@@ -25,23 +25,23 @@ jobs: node: [lts/-1, lts/*, latest] runs-on: ${{ matrix.os }} steps: - - name: ⬇️ Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v4 - - name: ⎔ Setup node + - name: ⎔ Setup node uses: actions/setup-node@v4 with: node-version: ${{ matrix.node }} - - name: 📥 Download deps + - name: 📥 Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: ▶️ Run validate script + - name: ▶️ Run validate script run: npm run validate - - name: ⬆️ Upload coverage report + - name: ⬆️ Upload coverage report uses: codecov/codecov-action@v3 build-release-artifact:
@@ -57,7 +57,7 @@ jobs: - name: ⬇️ Checkout repo uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: ⎔ Setup node + - name: ⎄ Setup node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: lts/*
@@ -95,7 +95,7 @@ jobs: - name: ⬇️ Checkout repo uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: ⎔ Setup node + - name: ⎄ Setup node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 24
From c1bd7a3647e6378caa9f8c70f1ca02f02916f942 Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 12:50:57 -0600
Subject: [PATCH 3/9] ci: address workflow review feedback
---
.github/workflows/validate.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 87611a22..eacfd040 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -75,7 +75,7 @@ jobs: name: npm-package-dist path: dist if-no-files-found: error - retention-days: 1 + retention-days: 7 release: needs: build-release-artifact
@@ -98,7 +98,7 @@ jobs: - name: ⎄ Setup node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: - node-version: 24 + node-version: lts/* registry-url: https://registry.npmjs.org package-manager-cache: false
From a84975f8cba6bf6d47e1e6fbd3d41f7037ba876d Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 12:51:55 -0600
Subject: [PATCH 4/9] ci: pin validation workflow actions
---
.github/workflows/validate.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index eacfd040..2ccf42e1 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -26,15 +26,15 @@ jobs: runs-on: ${{ matrix.os }} steps: - name: ⬇️ Checkout repo - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - name: ⎔ Setup node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node }} - name: 📥 Download deps - uses: bahmutov/npm-install@v1 + uses: bahmutov/npm-install@20216767ca67f0f7b4d095dc5859c5700a6581cb # v1 with: useLockFile: false
@@ -42,7 +42,7 @@ jobs: run: npm run validate - name: ⬆️ Upload coverage report - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3 build-release-artifact: needs: main
From a6134e16934b929b62a020bd2ba77676bf20123d Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 12:59:29 -0600
Subject: [PATCH 5/9] ci: include next-major in release gate
---
.github/workflows/validate.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 2ccf42e1..d2f9bc68 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
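Review bot: The version comments added next to the new SHA pins in the `main` job name only a major (`# v4`, `# v1`, `# v3`), so a reader cannot tell which release a SHA was taken from; record the exact tag the SHA resolves to (`# v<exact tag>`) so the pin can be audited and bumped. The `codecov/codecov-action` pin in the second hunk freezes the workflow on the v3 line, which has newer majors available — confirm that staying on v3 is intended rather than a side effect of pinning whatever was there. Pinning `bahmutov/npm-install` does not change that the step still runs with `useLockFile: false`, so the validation job installs freshly resolved dependency versions with their install scripts enabled on every run; if that is deliberate for this package, a comment on that `with:` block saying so would stop the next reviewer from re-raising it.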
@@ -51,7 +51,7 @@ jobs: contents: read if: ${{ github.repository == 'kentcdodds/kcd-scripts' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', + contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/next-major,refs/heads/alpha', github.ref) && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo
@@ -89,7 +89,7 @@ jobs: NPM_CONFIG_PROVENANCE: 'true' if: ${{ github.repository == 'kentcdodds/kcd-scripts' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', + contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/next-major,refs/heads/alpha', github.ref) && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo
From a9e9496aabf05d3801e43ed1405ba97c824cd82c Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 13:08:12 -0600
Subject: [PATCH 6/9] ci: align release workflow guards
---
.github/workflows/validate.yml | 12 ++---------
1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index d2f9bc68..cd92d44e 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -49,10 +49,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - if: - ${{ github.repository == 'kentcdodds/kcd-scripts' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/next-major,refs/heads/alpha', - github.ref) && github.event_name == 'push' }} + if: ${{ github.repository == 'kentcdodds/kcd-scripts' && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -61,7 +58,6 @@ jobs: uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: lts/* - package-manager-cache: false - name: 📥 Install deps run: npm install --ignore-scripts
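Review bot: Removing the branch list from the `build-release-artifact` gate (and, in this patch's second hunk, from the `release` gate) leaves only the repository and `push` checks, so both jobs — including the one granted `contents: write` and `id-token: write` — now run for any push that the workflow's `on.push` filter lets through; that filter sits at the top of the file outside this hunk, and whether a publish actually happens is then decided only by semantic-release's `branches:` configuration. If the goal was to align the two gates rather than widen them, keep an explicit allow-list on the jobs, and prefer exact comparisons such as `github.ref == 'refs/heads/main' || github.ref == 'refs/heads/beta'` over the removed `contains('refs/heads/main,...', github.ref)`, which was a substring test and also matched any ref that is a prefix of a listed one (e.g. `refs/heads/ma`). If widening is intentional, a comment on the `if:` line stating that branch selection is delegated to the `on.push` filter and to semantic-release would document the decision.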
@@ -87,10 +83,7 @@ jobs: pull-requests: write # to be able to comment on released pull requests env: NPM_CONFIG_PROVENANCE: 'true' - if: - ${{ github.repository == 'kentcdodds/kcd-scripts' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/next-major,refs/heads/alpha', - github.ref) && github.event_name == 'push' }} + if: ${{ github.repository == 'kentcdodds/kcd-scripts' && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -100,7 +93,6 @@ jobs: with: node-version: lts/* registry-url: https://registry.npmjs.org - package-manager-cache: false - name: 📦 Download package artifact uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
From 5523febc079af35cd6b2a2267877ff8e29c93111 Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 13:13:00 -0600
Subject: [PATCH 7/9] ci: default workflow token to read-only
---
.github/workflows/validate.yml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index cd92d44e..ca2be632 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -11,6 +11,9 @@ on: - '!all-contributors/**' pull_request: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true
From a9a9957337e2294ad966885d4ac6fc5eda954228 Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 17:15:03 -0600
Subject: [PATCH 8/9] ci: remove emoji from workflow step names
---
.github/workflows/validate.yml | 28 ++++++++++++++--------------
1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index ca2be632..b50b977b 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
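Review bot: The new top-level `permissions: contents: read` in the patch 7 hunk has no comment, and because a job-level `permissions:` block replaces the default rather than extending it, a reader has to cross-reference the `build-release-artifact` and `release` jobs to see that `main` is now the only job running on the read-only token. A comment above the block, `# Read-only token by default; jobs that publish declare their own permissions below.`, would record that. The `release` job's `contents: write`, `id-token: write` and `pull-requests: write` (visible as context in the hunks above) remain the only elevations, which matches the commit's stated intent.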
@@ -28,23 +28,23 @@ jobs: node: [lts/-1, lts/*, latest] runs-on: ${{ matrix.os }} steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: ⎔ Setup node + - name: Setup node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node }} - - name: 📥 Download deps + - name: Download deps uses: bahmutov/npm-install@20216767ca67f0f7b4d095dc5859c5700a6581cb # v1 with: useLockFile: false - - name: ▶️ Run validate script + - name: Run validate script run: npm run validate - - name: ⬆️ Upload coverage report + - name: Upload coverage report uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3 build-release-artifact:
@@ -54,21 +54,21 @@ jobs: contents: read if: ${{ github.repository == 'kentcdodds/kcd-scripts' && github.event_name == 'push' }} steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: ⎄ Setup node + - name: Setup node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: lts/* - - name: 📥 Install deps + - name: Install deps run: npm install --ignore-scripts - - name: 🏗 Run build script + - name: Run build script run: npm run build - - name: 📦 Upload package artifact + - name: Upload package artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: npm-package-dist
@@ -88,22 +88,22 @@ jobs: NPM_CONFIG_PROVENANCE: 'true' if: ${{ github.repository == 'kentcdodds/kcd-scripts' && github.event_name == 'push' }} steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: ⎄ Setup node + - name: Setup node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: lts/* registry-url: https://registry.npmjs.org - - name: 📦 Download package artifact + - name: Download package artifact uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: npm-package-dist path: dist - - name: 🚀 Release + - name: Release uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: semantic_version: 25
From 36322eac7107e553d19c6719bd7d31bd71830771 Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 18:06:23 -0600
Subject: [PATCH 9/9] ci: preserve existing workflow labels
---
.github/workflows/validate.yml | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index b50b977b..655fec1f 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -28,23 +28,23 @@ jobs: node: [lts/-1, lts/*, latest] runs-on: ${{ matrix.os }} steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: Setup node + - name: ⎔ Setup node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node }} - - name: Download deps + - name: 📥 Download deps uses: bahmutov/npm-install@20216767ca67f0f7b4d095dc5859c5700a6581cb # v1 with: useLockFile: false - - name: Run validate script + - name: ▶️ Run validate script run: npm run validate - - name: Upload coverage report + - name: ⬆️ Upload coverage report uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3 build-release-artifact:
@@ -54,10 +54,10 @@ jobs: contents: read if: ${{ github.repository == 'kentcdodds/kcd-scripts' && github.event_name == 'push' }} steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: Setup node + - name: ⎔ Setup node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: lts/*
@@ -65,7 +65,7 @@ jobs: - name: Install deps run: npm install --ignore-scripts - - name: Run build script + - name: 🏗 Run build script run: npm run build - name: Upload package artifact
@@ -88,10 +88,10 @@ jobs: NPM_CONFIG_PROVENANCE: 'true' if: ${{ github.repository == 'kentcdodds/kcd-scripts' && github.event_name == 'push' }} steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - - name: Setup node + - name: ⎔ Setup node uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: lts/*
@@ -103,7 +103,7 @@ jobs: name: npm-package-dist path: dist - - name: Release + - name: 🚀 Release uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: semantic_version: 25