From 0f2b97bf2ba990ad68d2eeb6038d7d045c20f6fb Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 12:40:21 -0600 Subject: [PATCH 1/8] ci: harden npm release workflow --- .github/workflows/release.yml | 87 ++++++++++++++++++++++++----------- 1 file changed, 61 insertions(+), 26 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d7876c9..f42d493 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,80 +6,114 @@ concurrency: cancel-in-progress: true permissions: - contents: write # to be able to publish a GitHub release - id-token: write # to enable use of OIDC for npm provenance - issues: write # to be able to comment on released issues - pull-requests: write # to be able to comment on released pull requests + contents: read jobs: test: - name: 🧪 Test + name: 🧪 Test runs-on: ubuntu-latest steps: - - name: ⬇️ Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v5 - - name: ⎔ Setup node + - name: ⎔ Setup node uses: actions/setup-node@v6 with: node-version: 24 - - name: 📥 Download deps + - name: 📥 Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: 🧪 Test + - name: 🧪 Test run: npm run test typecheck: - name: 💪 Typecheck + name: 💪 Typecheck runs-on: ubuntu-latest steps: - - name: ⬇️ Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v5 - - name: ⎔ Setup node + - name: ⎔ Setup node uses: actions/setup-node@v6 with: node-version: 24 - - name: 📥 Download deps + - name: 📥 Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: 💪 Typecheck + - name: 💪 Typecheck run: npm run typecheck - release: - name: 🚀 Release + build-release-artifact: + name: 📦 Build release artifact needs: [test, typecheck] runs-on: ubuntu-latest - environment: - name: production + permissions: + contents: read if: ${{ github.repository == 'epicweb-dev/epicli' && contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', github.ref) && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo - uses: actions/checkout@v5 + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - name: ⎔ Setup node - uses: actions/setup-node@v6 + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 + package-manager-cache: false - - name: 📥 Download deps - uses: bahmutov/npm-install@v1 - with: - useLockFile: false + - name: 📥 Install deps + run: npm install --ignore-scripts - - name: 🏗️ Build + - name: 📦 Prepare package run: npm run build + - name: 📦 Upload package artifact + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 + with: + name: npm-package-artifact + path: dist + if-no-files-found: error + retention-days: 1 + + release: + name: 🚀 Release + needs: [build-release-artifact] + runs-on: ubuntu-latest + permissions: + contents: write # to be able to publish a GitHub release + id-token: write # to enable use of OIDC for npm provenance + issues: write # to be able to comment on released issues + pull-requests: write # to be able to comment on released pull requests + if: + ${{ github.repository == 'epicweb-dev/epicli' && + contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', + github.ref) && github.event_name == 'push' }} + steps: + - name: ⬇️ Checkout repo + uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 + + - name: ⎔ Setup node + uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 + with: + node-version: 24 + registry-url: https://registry.npmjs.org + package-manager-cache: false + + - name: 📦 Download package artifact + uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 + with: + name: npm-package-artifact + path: . + - name: 🚀 Release - uses: cycjimmy/semantic-release-action@v5.0.2 + uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: semantic_version: 25 branches: | @@ -94,3 +128,4 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} NPM_CONFIG_PROVENANCE: true + NPM_CONFIG_IGNORE_SCRIPTS: true From e563a2183f93b22faf29973458b55648c6aae3d1 Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 12:48:09 -0600 Subject: [PATCH 2/8] ci: fix workflow utf-8 encoding --- .github/workflows/release.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f42d493..036a1cf 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,42 +10,42 @@ permissions: jobs: test: - name: 🧪 Test + name: 🧪 Test runs-on: ubuntu-latest steps: - - name: ⬇️ Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v5 - - name: ⎔ Setup node + - name: ⎔ Setup node uses: actions/setup-node@v6 with: node-version: 24 - - name: 📥 Download deps + - name: 📥 Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: 🧪 Test + - name: 🧪 Test run: npm run test typecheck: - name: 💪 Typecheck + name: 💪 Typecheck runs-on: ubuntu-latest steps: - - name: ⬇️ Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v5 - - name: ⎔ Setup node + - name: ⎔ Setup node uses: actions/setup-node@v6 with: node-version: 24 - - name: 📥 Download deps + - name: 📥 Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: 💪 Typecheck + - name: 💪 Typecheck run: npm run typecheck build-release-artifact: @@ -62,7 +62,7 @@ jobs: - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: ⎔ Setup node + - name: ⎄ Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 @@ -99,7 +99,7 @@ jobs: - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: ⎔ Setup node + - name: ⎄ Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 From 8002b9ae6cd6541d76a9a1a03d391622e978534e Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 12:51:02 -0600 Subject: [PATCH 3/8] ci: address workflow review feedback --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 036a1cf..f013c52 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -80,7 +80,7 @@ jobs: name: npm-package-artifact path: dist if-no-files-found: error - retention-days: 1 + retention-days: 7 release: name: 🚀 Release From 1464596d5d7544ce1016991d5c97c328bf9f14b8 Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 12:59:34 -0600 Subject: [PATCH 4/8] ci: include next-major in release gate --- .github/workflows/release.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f013c52..adaf491 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -56,7 +56,7 @@ jobs: contents: read if: ${{ github.repository == 'epicweb-dev/epicli' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', + contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/next-major,refs/heads/alpha', github.ref) && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo @@ -93,7 +93,7 @@ jobs: pull-requests: write # to be able to comment on released pull requests if: ${{ github.repository == 'epicweb-dev/epicli' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', + contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/next-major,refs/heads/alpha', github.ref) && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo From 87c1e1f7121aa72128641752d65f6f26977f67f7 Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 13:08:18 -0600 Subject: [PATCH 5/8] ci: align release workflow guards --- .github/workflows/release.yml | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index adaf491..b70bb7e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -54,10 +54,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - if: - ${{ github.repository == 'epicweb-dev/epicli' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/next-major,refs/heads/alpha', - github.ref) && github.event_name == 'push' }} + if: ${{ github.repository == 'epicweb-dev/epicli' && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 @@ -91,10 +88,7 @@ jobs: id-token: write # to enable use of OIDC for npm provenance issues: write # to be able to comment on released issues pull-requests: write # to be able to comment on released pull requests - if: - ${{ github.repository == 'epicweb-dev/epicli' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/next-major,refs/heads/alpha', - github.ref) && github.event_name == 'push' }} + if: ${{ github.repository == 'epicweb-dev/epicli' && github.event_name == 'push' }} steps: - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 From f1062ef4493fdf6a3a96400ec046091e177f852b Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 17:15:18 -0600 Subject: [PATCH 6/8] ci: remove emoji from workflow step names --- .github/workflows/release.yml | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index b70bb7e..217b877 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -13,39 +13,39 @@ jobs: name: 🧪 Test runs-on: ubuntu-latest steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@v5 - - name: ⎔ Setup node + - name: Setup node uses: actions/setup-node@v6 with: node-version: 24 - - name: 📥 Download deps + - name: Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: 🧪 Test + - name: Test run: npm run test typecheck: name: 💪 Typecheck runs-on: ubuntu-latest steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@v5 - - name: ⎔ Setup node + - name: Setup node uses: actions/setup-node@v6 with: node-version: 24 - - name: 📥 Download deps + - name: Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: 💪 Typecheck + - name: Typecheck run: npm run typecheck build-release-artifact: @@ -56,22 +56,22 @@ jobs: contents: read if: ${{ github.repository == 'epicweb-dev/epicli' && github.event_name == 'push' }} steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: ⎄ Setup node + - name: Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 package-manager-cache: false - - name: 📥 Install deps + - name: Install deps run: npm install --ignore-scripts - - name: 📦 Prepare package + - name: Prepare package run: npm run build - - name: 📦 Upload package artifact + - name: Upload package artifact uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 with: name: npm-package-artifact @@ -90,23 +90,23 @@ jobs: pull-requests: write # to be able to comment on released pull requests if: ${{ github.repository == 'epicweb-dev/epicli' && github.event_name == 'push' }} steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: ⎄ Setup node + - name: Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 registry-url: https://registry.npmjs.org package-manager-cache: false - - name: 📦 Download package artifact + - name: Download package artifact uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4 with: name: npm-package-artifact path: . - - name: 🚀 Release + - name: Release uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: semantic_version: 25 From 014d4e94e33a2f4ac2ea2c536b5a391156a5e2ef Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 18:06:10 -0600 Subject: [PATCH 7/8] ci: preserve existing workflow labels --- .github/workflows/release.yml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 217b877..6aee221 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -name: release +name: 🚀 Release on: [push, pull_request] concurrency: @@ -13,39 +13,39 @@ jobs: name: 🧪 Test runs-on: ubuntu-latest steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v5 - - name: Setup node + - name: ⎔ Setup node uses: actions/setup-node@v6 with: node-version: 24 - - name: Download deps + - name: 📥 Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: Test + - name: 🧪 Test run: npm run test typecheck: name: 💪 Typecheck runs-on: ubuntu-latest steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v5 - - name: Setup node + - name: ⎔ Setup node uses: actions/setup-node@v6 with: node-version: 24 - - name: Download deps + - name: 📥 Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: Typecheck + - name: 💪 Typecheck run: npm run typecheck build-release-artifact: @@ -56,10 +56,10 @@ jobs: contents: read if: ${{ github.repository == 'epicweb-dev/epicli' && github.event_name == 'push' }} steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: Setup node + - name: ⎔ Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 @@ -90,10 +90,10 @@ jobs: pull-requests: write # to be able to comment on released pull requests if: ${{ github.repository == 'epicweb-dev/epicli' && github.event_name == 'push' }} steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 - - name: Setup node + - name: ⎔ Setup node uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 with: node-version: 24 @@ -106,7 +106,7 @@ jobs: name: npm-package-artifact path: . - - name: Release + - name: 🚀 Release uses: cycjimmy/semantic-release-action@ba330626c4750c19d8299de843f05c7aa5574f62 # v5.0.2 with: semantic_version: 25 From b072fef5e94d776534deb1085675cd4f50b2a5a6 Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 18:07:49 -0600 Subject: [PATCH 8/8] ci: preserve workflow label context --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 6aee221..12ab740 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,4 +1,4 @@ -name: 🚀 Release +name: release on: [push, pull_request] concurrency: