From e0379a9495f354054e87bbc693ab3907d6aa08fa Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 17:23:13 -0600
Subject: [PATCH 1/2] ci: harden npm trusted publishing workflow

---
 .github/workflows/ci.yml | 74 ++++++++++++++++++++++++++++++++++------
 1 file changed, 64 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7d54d5b1..8005800e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,20 +8,16 @@ on:
   pull_request: {}
   workflow_dispatch:
-permissions: {}
-
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 jobs:
-  build_test_release:
+  build_test:
     permissions:
-      id-token: write # to enable use of OIDC (npm trusted publishing and provenance)
-      actions: write # to cancel/stop running workflows (styfle/cancel-workflow-action)
-      contents: write # to create release tags (cycjimmy/semantic-release-action)
-      issues: write # to post release that resolves an issue (cycjimmy/semantic-release-action)
-      pull-requests: write # to be able to comment on released pull requests
+      contents: read
     strategy:
       matrix:
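Review bot: Moving the workflow-level default from `permissions: {}` to `contents: read` slightly widens the default token: any job added later without its own `permissions:` block now receives a read-scoped token instead of none. Since `build_test` declares its own `contents: read`, keeping `permissions: {}` at the top (the line being removed) preserves deny-by-default without changing anything for the jobs shown. Dropping `actions: write` from the job looks safe because `concurrency.cancel-in-progress: true` already cancels superseded runs, assuming the styfle/cancel-workflow-action step is removed elsewhere in the file, which this hunk does not show. Renaming `build_test_release` to `build_test` also changes the status-check name that branch-protection rules may reference; that cannot be verified from the diff.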
@@ -58,8 +54,66 @@ jobs:
       - name: lint
         run: npm run lint
         timeout-minutes: 5
-      - name: 🚀 Release
-        if: github.repository == 'testing-library/angular-testing-library' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/beta')
+
+  build-release-artifact:
+    needs: build_test
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    if: ${{ github.repository == 'testing-library/angular-testing-library' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/beta') && github.event_name == 'push' }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v6
+
+      - name: Setup node
+        uses: actions/setup-node@v5
+        with:
+          node-version: 24
+
+      - name: Update npm
+        run: npm install -g npm@latest
+
+      - name: Install dependencies
+        run: npm install --force --ignore-scripts
+
+      - name: Build package
+        run: npm run build
+        timeout-minutes: 5
+
+      - name: Upload package artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: npm-package-dist
+          path: dist/@testing-library/angular
+          if-no-files-found: error
+          retention-days: 7
+
+  release:
+    needs: build-release-artifact
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # to enable use of OIDC (npm trusted publishing and provenance)
+      contents: write # to create release tags (cycjimmy/semantic-release-action)
+      issues: write # to post release that resolves an issue (cycjimmy/semantic-release-action)
+      pull-requests: write # to be able to comment on released pull requests
+    if: ${{ github.repository == 'testing-library/angular-testing-library' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/beta') && github.event_name == 'push' }}
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v6
+
+      - name: Setup node
+        uses: actions/setup-node@v5
+        with:
+          node-version: 24
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Download package artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: npm-package-dist
+          path: dist/@testing-library/angular
+
+      - name: Release
         uses: cycjimmy/semantic-release-action@v6
         with:
           semantic_version: 25

From 827f2dcc15367f7c7e4902d699165baa1ccfa819 Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 17:29:33 -0600
Subject: [PATCH 2/2] ci: preserve existing workflow labels

---
 .github/workflows/ci.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 8005800e..abcafb00 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -76,11 +76,11 @@ jobs:
       - name: Install dependencies
         run: npm install --force --ignore-scripts
 
-      - name: Build package
+      - name: 📦 Prepare package
         run: npm run build
         timeout-minutes: 5
 
-      - name: Upload package artifact
+      - name: 📦 Upload package artifact
         uses: actions/upload-artifact@v4
         with:
           name: npm-package-dist
@@ -107,13 +107,13 @@ jobs:
           node-version: 24
           registry-url: 'https://registry.npmjs.org'
 
-      - name: Download package artifact
+      - name: 📦 Download package artifact
         uses: actions/download-artifact@v4
         with:
           name: npm-package-dist
           path: dist/@testing-library/angular
 
-      - name: Release
+      - name: 🚀 Release
         uses: cycjimmy/semantic-release-action@v6
         with:
           semantic_version: 25
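Review bot: The new `release` job holds `id-token: write` and `contents: write` but references every action by mutable tag (`actions/checkout@v6`, `actions/setup-node@v5`, `actions/download-artifact@v4`, `cycjimmy/semantic-release-action@v6`); for the job that mints the OIDC token used for npm trusted publishing and can push release tags, pinning each `uses:` to a full commit SHA with the tag kept as a comment, e.g. `uses: actions/checkout@<full-commit-sha> # v6`, is the usual hardening step, unless the repository relies on another control for that. The same applies to `build-release-artifact`, where `npm install -g npm@latest` additionally pulls an unpinned npm at release time; `--ignore-scripts` on the install step is a good addition. The identical `if:` expression is repeated on both jobs; because `release` already has `needs: build-release-artifact`, a skipped build already skips the release, so the second copy is redundant though harmless. The trailing `uses:`/`with:`/`semantic_version:` lines are unchanged context from the end of the `release` job.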