feat: release pipeline, packages, yarn upgrade

2026-02-06 09:45:55 +00:00 · 2025-12-06 23:33:17 +01:00
parent 58b803734d
commit 5400c02639
5 changed files with 1384 additions and 1141 deletions
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,3 +1,4 @@
+---
 name: Publish

 on:
@@ -7,6 +8,9 @@ on:

 permissions: read-all

+env:
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+
 jobs:
  Linter:
    name: Lint
@@ -14,15 +18,15 @@ jobs:
    timeout-minutes: 15
    permissions:
      statuses: write
-      contents: write
-      packages: write
+      contents: read
+      packages: read
      issues: write
      pull-requests: write

    steps:
      - name: Run PR Lint
        # https://github.com/ivuorinen/actions
-        uses: ivuorinen/actions/pr-lint@5cc7373a22402ee8985376bc713f00e09b5b2edb # v2025.11.23
+        uses: ivuorinen/actions/pr-lint@a52399cf74eac2b0963591ab2c6c8eb0f7f50b2d # v2025.12.06

  publish:
    name: Publish
@@ -33,7 +37,7 @@ jobs:
      contents: write # to be able to publish a GitHub release
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests
-      id-token: write # to enable use of OIDC for trusted publishing and npm provenance
+      id-token: write # to enable use of OIDC for npm provenance

    steps:
      - name: Checkout
@@ -44,18 +48,29 @@ jobs:
      - name: Setup Node.js Environment
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
+          always-auth: true
          node-version-file: ".nvmrc"
          registry-url: "https://registry.npmjs.org"
          scope: "@ivuorinen"

-      - name: Install dependencies
-        run: yarn
+      - name: Install and enable corepack
+        shell: sh
+        run: npm install -g corepack --force && corepack enable

-      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
-        run: yarn npm audit --environment production
+      - name: Cache Node Modules
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
+        id: cache
+        with:
+          path: node_modules
+          key: node-modules-${{ hashFiles('**/yarn.lock') }}

-      - name: Release
+      - name: Install Dependencies
+        shell: bash
+        if: steps.cache.outputs.cache-hit != 'true'
+        run: yarn install
+
+      - name: Semantic Release
+        uses: cycjimmy/semantic-release-action@b12c8f6015dc215fe37bc154d4ad456dd3833c90 # v6.0.0
        env:
-          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.PAT }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: yarn semantic-release