From 9506933b5f7395486181981bc30a9daa3ff87871 Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 12:40:14 -0600
Subject: [PATCH 1/7] ci: harden npm release workflow
---
.github/workflows/release.yml | 36 +++++++++++++++++------------------
1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5e1724b..067c6b3 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,56 +6,55 @@ concurrency: cancel-in-progress: true permissions: - contents: write # to be able to publish a GitHub release - issues: write # to be able to comment on released issues - pull-requests: write # to be able to comment on released pull requests - id-token: write # to enable use of OIDC for npm provenance + contents: read jobs: validate: - name: πŸ” Validate + name: Γ°ΒŸΒ”Β Validate runs-on: ubuntu-latest steps: - - name: ⬇️ Checkout repo + - name: Ò¬‡ï¸ Checkout repo uses: actions/checkout@v5 - - name: βŽ” Setup node + - name: Γ’ΒŽΒ” Setup node uses: actions/setup-node@v6 with: node-version: lts/* - - name: πŸ“₯ Download deps + - name: Γ°ΒŸΒ“Β₯ Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: πŸ” Validate + - name: Γ°ΒŸΒ”Β Validate run: npm run validate release: name: πŸš€ Release needs: [validate] runs-on: ubuntu-latest + permissions: + contents: write # to be able to publish a GitHub release + id-token: write # to enable use of OIDC for npm provenance + issues: write # to be able to comment on released issues + pull-requests: write # to be able to comment on released pull requests if: ${{ github.repository == 'epicweb-dev/config' && contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', github.ref) && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: βŽ” Setup node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: - node-version: lts/* - - - name: πŸ“₯ Download deps - uses: bahmutov/npm-install@v1 - with: - useLockFile: false + node-version: 24 + registry-url: https://registry.npmjs.org + package-manager-cache: false - name: πŸš€ Release - uses: cycjimmy/semantic-release-action@v5.0.2 + uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: semantic_version: 25 branches: | 
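Review bot: The release job pins its three actions to commit SHAs, but `semantic_version: 25` in the Release step still resolves a floating major at run time, inside the job that holds `id-token: write` and `contents: write`. Whichever semantic-release 25.x and plugin tree the registry serves on release day runs with access to the OIDC token used for publishing, so the SHA pin covers only the wrapper action. Consider an exact version, `semantic_version: <exact 25.x.y>`, bumped through the same review path as the action SHAs. The validate job in this hunk keeps `actions/checkout@v5`, `actions/setup-node@v6` and `bahmutov/npm-install@v1` on mutable tags; its token is read-only, but pinning them as well would keep the two jobs consistent. The Release step's `with:` block continues past the end of the hunk.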
@@ -70,3 +69,4 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} NPM_CONFIG_PROVENANCE: true + NPM_CONFIG_IGNORE_SCRIPTS: true From 62e46b657949c14f1ad286247043ff70ef75e6f5 Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 12:48:07 -0600 Subject: [PATCH 2/7] ci: fix workflow utf-8 encoding --- .github/workflows/release.yml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 067c6b3..55a5d1e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,23 +10,23 @@ permissions: jobs: validate: - name: Γ°ΒŸΒ”Β Validate + name: πŸ” Validate runs-on: ubuntu-latest steps: - - name: Ò¬‡ï¸ Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v5 - - name: Γ’ΒŽΒ” Setup node + - name: βŽ” Setup node uses: actions/setup-node@v6 with: node-version: lts/* - - name: Γ°ΒŸΒ“Β₯ Download deps + - name: πŸ“₯ Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: Γ°ΒŸΒ”Β Validate + - name: πŸ” Validate run: npm run validate release: @@ -46,7 +46,7 @@ jobs: - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: βŽ” Setup node + - name: βŽ„ Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 From 3b850fdca5585ad575391502f04ede270535edc5 Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 12:59:33 -0600 Subject: [PATCH 3/7] ci: include next-major in release gate --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 55a5d1e..078e174 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
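Review bot: `NPM_CONFIG_IGNORE_SCRIPTS: true`, added to the Release step's `env` in the `@@ -70,3 +69,4 @@` hunk of PATCH 1/7, needs a comment stating what it switches off, because it applies to this package's own lifecycle scripts as well as to those of dependencies. With it set, npm skips `prepack`, `prepare` and `prepublishOnly` during publish, so a package that builds in one of those hooks would be published without its build output; package.json is not visible here, so confirm none of them is relied on. Suggested comment: `# blocks dependency install scripts; also skips this package's prepack/prepublishOnly on publish`. The Release step itself starts above the hunk.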
@@ -40,7 +40,7 @@ jobs: pull-requests: write # to be able to comment on released pull requests if: ${{ github.repository == 'epicweb-dev/config' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', + contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/next-major,refs/heads/alpha', github.ref) && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo From fea3efaf504cdbc440f1707482950705d4bbce6b Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 13:08:17 -0600 Subject: [PATCH 4/7] ci: align release workflow guards --- .github/workflows/release.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 078e174..acd997f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,10 +38,7 @@ jobs: id-token: write # to enable use of OIDC for npm provenance issues: write # to be able to comment on released issues pull-requests: write # to be able to comment on released pull requests - if: - ${{ github.repository == 'epicweb-dev/config' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/next-major,refs/heads/alpha', - github.ref) && github.event_name == 'push' }} + if: ${{ github.repository == 'epicweb-dev/config' && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 From 4cb3b06f05f707df2cf620dbaf44e31b09849988 Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 17:15:10 -0600 Subject: [PATCH 5/7] ci: remove emoji from workflow step names --- .github/workflows/release.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index acd997f..cd69a99 100644 --- a/.github/workflows/release.yml 
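Review bot: The gate extended in the `@@ -40,7 +40,7 @@` hunk of PATCH 3/7 is a substring test rather than a list membership test: `contains()` with a string as its first argument is true whenever `github.ref` occurs anywhere inside the comma-joined string. A ref that is only a prefix of a listed one (for example `refs/heads/ma`) therefore passes, and adding `next-major` widens the set of accepted prefixes. An exact match needs an array: `contains(fromJSON('["refs/heads/main","refs/heads/beta","refs/heads/next","refs/heads/next-major","refs/heads/alpha"]'), github.ref)`. The release job's steps continue below the hunk.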
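Review bot: After the `@@ -38,10 +38,7 @@` hunk of PATCH 4/7 the `if:` no longer checks `github.ref`, so the release job, with `contents: write` and `id-token: write`, starts on a push to any branch of `epicweb-dev/config`. The only branch filter left is semantic-release's own `branches` input, which decides whether to publish but not whether the privileged job and the code it downloads run at all. Keep a ref condition beside the repository and event checks, written as an exact match, e.g. `&& contains(fromJSON('[<release refs>]'), github.ref)`, or add a comment explaining why the job-level gate is dropped on purpose. If an npm trusted-publisher setting or a GitHub environment rule already restricts branches, name it in that comment; nothing on this page shows one.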
+++ b/.github/workflows/release.yml @@ -13,20 +13,20 @@ jobs: name: πŸ” Validate runs-on: ubuntu-latest steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@v5 - - name: βŽ” Setup node + - name: Setup node uses: actions/setup-node@v6 with: node-version: lts/* - - name: πŸ“₯ Download deps + - name: Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: πŸ” Validate + - name: Validate run: npm run validate release: @@ -40,17 +40,17 @@ jobs: pull-requests: write # to be able to comment on released pull requests if: ${{ github.repository == 'epicweb-dev/config' && github.event_name == 'push' }} steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: βŽ„ Setup node + - name: Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 registry-url: https://registry.npmjs.org package-manager-cache: false - - name: πŸš€ Release + - name: Release uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: semantic_version: 25 From e635ad1faefef6b74bb6b711d0ba6b5a10d3cb89 Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 18:06:08 -0600 Subject: [PATCH 6/7] ci: preserve existing workflow labels --- .github/workflows/release.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index cd69a99..08ffc76 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -name: release +name: πŸš€ Release on: [push, pull_request] concurrency: 
@@ -13,20 +13,20 @@ jobs: name: πŸ” Validate runs-on: ubuntu-latest steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v5 - - name: Setup node + - name: βŽ” Setup node uses: actions/setup-node@v6 with: node-version: lts/* - - name: Download deps + - name: πŸ“₯ Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: Validate + - name: πŸ” Validate run: npm run validate release: @@ -40,17 +40,17 @@ jobs: pull-requests: write # to be able to comment on released pull requests if: ${{ github.repository == 'epicweb-dev/config' && github.event_name == 'push' }} steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: Setup node + - name: βŽ” Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 registry-url: https://registry.npmjs.org package-manager-cache: false - - name: Release + - name: πŸš€ Release uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: semantic_version: 25 From a2ba6c33bbdf6f129ceb723b671713a96b05ce23 Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 18:07:47 -0600 Subject: [PATCH 7/7] ci: preserve workflow label context --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 08ffc76..4d6b946 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -name: πŸš€ Release +name: release on: [push, pull_request] concurrency: