diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 212e8c7..08b1e25 100644 --- a/.github/workflows/publish.yaml +++ b/.github/workflows/publish.yaml @@ -1,48 +1,62 @@ -name: Release - -on: - push: - branches: - - main - -jobs: - release: - name: Release - runs-on: ubuntu-latest - permissions: - contents: write - pull-requests: write - actions: write - id-token: write - steps: - - name: Checkout Repo - uses: actions/checkout@v3 - - - name: Install pnpm - uses: pnpm/action-setup@v4 - - - name: Setup Node.js - uses: actions/setup-node@v3 - with: - node-version-file: "package.json" - - - name: Install Dependencies - run: pnpm install - - # - name: 🔐 Setup npm auth - # run: | - # echo "registry=https://registry.npmjs.org" >> ~/.npmrc - # echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" >> ~/.npmrc - - - name: Create Release Pull Request or Publish to npm - id: changesets - uses: changesets/action@v1 - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - with: - title: "🚀 Release PR" - commit: "chore: release" - version: pnpm run version - publish: pnpm run release - createGithubReleases: true +name: Release + +on: + push: + branches: + - main + # Manual safety valve: re-run publish for a version that was bumped but never + # published. Guarded below so a dispatch can only ever publish from main. + workflow_dispatch: + +concurrency: + # Never cancel an in-progress release; queue concurrent runs instead. + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: false + +permissions: + contents: write # push the version PR branch, create tags + GitHub releases + pull-requests: write # open/update the changesets "Release PR" + id-token: write # npm Trusted Publishing (OIDC) — no long-lived NPM_TOKEN needed + +jobs: + release: + name: Release + # Don't run on forks; only ever publish from main (incl. workflow_dispatch). + if: github.repository_owner == 'code-forge-io' && github.ref == 'refs/heads/main' + runs-on: ubuntu-latest + steps: + - name: Checkout Repo + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + fetch-depth: 0 + # Required so changesets/action can push the version PR branch. Only the + # ephemeral GITHUB_TOKEN is persisted (auto-expires at job end) — no PAT. + persist-credentials: true + + - name: Install pnpm + uses: pnpm/action-setup@739bfe42ca9233c5e6aca07c1a25a9d34aca49b0 # v6.0.7 + + - name: Setup Node.js + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 + with: + # Pin to Node 24 (ships npm 11.x) so OIDC Trusted Publishing works even + # if pnpm delegates publishing to npm. npm OIDC needs >= 11.5.1. + node-version: "24" + + - name: Install Dependencies + run: pnpm install + + - name: Create Release Pull Request or Publish to npm + id: changesets + uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1.7.0 + env: + # Only used to open/update the Release PR and create GitHub releases. + # npm authentication is handled by OIDC Trusted Publishing (.npmrc + # provenance=true + id-token:write) — there is intentionally no NPM_TOKEN. + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + title: "🚀 Release PR" + commit: "chore: release" + version: pnpm run version + publish: pnpm run release + createGithubReleases: true diff --git a/.npmrc b/.npmrc new file mode 100644 index 0000000..268c392 --- /dev/null +++ b/.npmrc @@ -0,0 +1 @@ +provenance=true diff --git a/packages/react-router-devtools/package.json b/packages/react-router-devtools/package.json index e1a7d36..208a7d5 100644 --- a/packages/react-router-devtools/package.json +++ b/packages/react-router-devtools/package.json @@ -55,9 +55,7 @@ "default": "./dist/server.js" } }, - "files": [ - "dist" - ], + "files": ["dist"], "repository": { "type": "git", "url": "git+https://github.com/forge-42/react-router-devtools.git"