From 0bc33c69af7809a6dfce4a76c9b73729cff52ab1 Mon Sep 17 00:00:00 2001 From: "Daniel D. Beck" Date: Wed, 1 Apr 2026 16:45:07 +0200 Subject: [PATCH 1/5] Move `web-features` to trusted publishing --- .../workflows/publish_next_web-features.yml | 116 ------------------ .github/workflows/publish_web-features.yml | 99 ++++++++++++++- 2 files changed, 93 insertions(+), 122 deletions(-) delete mode 100644 .github/workflows/publish_next_web-features.yml diff --git a/.github/workflows/publish_next_web-features.yml b/.github/workflows/publish_next_web-features.yml deleted file mode 100644 index 8a3731ab44c..00000000000 --- a/.github/workflows/publish_next_web-features.yml +++ /dev/null 
@@ -1,116 +0,0 @@ -name: Publish web-features@next - -on: - push: - branches: - - "main" - paths: - - features/** - - groups/** - - packages/web-features/** - - snapshots/** - - index.ts - - scripts/build.ts - -permissions: {} - -env: - package: "web-features" - package_dir: "packages/web-features" - dist_tag: "next" - -jobs: - test: - runs-on: ubuntu-latest - permissions: - contents: read - steps: - - uses: actions/checkout@v6 - - uses: actions/setup-node@v6 - with: - node-version-file: .node-version - cache: npm - - run: npm ci - - run: npm test - publish: - if: github.repository == 'web-platform-dx/web-features' - runs-on: ubuntu-latest - needs: "test" - permissions: - contents: write - # Required for OIDC and trusted publishing. See: - # - https://docs.npmjs.com/trusted-publishers - # - https://docs.github.com/en/actions/concepts/security/openid-connect - id-token: write - steps: - - uses: actions/checkout@v6 - - name: Get timestamp and short hash - id: timestamp_and_hash - run: | - echo "TIMESTAMP=$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT - echo "SHORT_HASH=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT - - - uses: actions/setup-node@v6 - with: - node-version-file: .node-version - cache: npm - registry-url: "https://registry.npmjs.org" - - - run: npm install -g 'npm@>=11.5.1' # required for trusted publishing - - run: npm ci - - - run: npm run build - - - name: Get package.json version - id: version - run: echo "VERSION=$(npm version --json | jq --raw-output '.["${{ env.package }}"]')" >> $GITHUB_OUTPUT - working-directory: ${{ env.package_dir }} - - run: npm install - working-directory: ${{ env.package_dir }} - - run: npm version --no-git-tag-version "$VERSION-dev-$TIMESTAMP-$SHORT_HASH" - # The version string template is: -dev-- - # Why not use SemVer build metadata with a plus sign for some of this? - # Because npm completely ignores it. 
😒 - working-directory: ${{ env.package_dir }} - env: - VERSION: ${{ steps.version.outputs.VERSION }} - TIMESTAMP: ${{ steps.timestamp_and_hash.outputs.TIMESTAMP }} - SHORT_HASH: ${{ steps.timestamp_and_hash.outputs.SHORT_HASH }} - - run: npm publish --tag ${{ env.dist_tag }} - working-directory: ${{ env.package_dir }} - - - name: Set existing release to draft - run: gh release edit --draft "$TAG" - env: - GH_TOKEN: ${{ github.token }} - TAG: ${{ env.dist_tag }} - - - name: Update the tag - run: | - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git tag --force "$TAG" - git push --force origin "$TAG" - env: - GH_TOKEN: ${{ github.token }} - TAG: ${{ env.dist_tag }} - - - name: Publish pre-release on GitHub - run: | - gh release edit \ - --verify-tag \ - --title "$PACKAGE@$TAG" \ - --notes "$NOTES" \ - --prerelease \ - --draft=false \ - "$TAG" - gh release upload --clobber "$TAG" $ARTIFACTS - env: - GH_TOKEN: ${{ github.token }} - PACKAGE: ${{ env.package }} - TAG: ${{ env.dist_tag }} - NOTES: This is a continuously-updated prerelease generated from `main` (currently at ${{ steps.timestamp_and_hash.outputs.SHORT_HASH }}). - ARTIFACTS: > - ${{ env.package_dir }}/data.json - data.extended.json - schemas/data.schema.json diff --git a/.github/workflows/publish_web-features.yml b/.github/workflows/publish_web-features.yml index 63d286e074c..683a5e4ccbb 100644 --- a/.github/workflows/publish_web-features.yml +++ b/.github/workflows/publish_web-features.yml 
@@ -2,28 +2,46 @@ name: Publish web-features on: push: + branches: + - "main" # Tags on the form v1.2.3 are for releases. Any other tags are ignored. tags: - 'v[0-9]+.[0-9]+.[0-9]+' +permissions: {} + env: + package: "web-features" package_dir: "packages/web-features" + # Publish @next for main, @latest for tags + dist_tag: ${{ startsWith(github.ref, 'refs/tags/') && 'latest' || 'next' }} jobs: test: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v6 - uses: actions/setup-node@v6 with: node-version-file: .node-version cache: npm + - run: npm install -g 'npm@>=11.5.1' # required for trusted publishing - run: npm ci - run: npm test - artifacts: - if: github.repository == 'web-platform-dx/web-features' + + publish_latest: + name: Publish release + if: github.repository == 'web-platform-dx/web-features' && env.dist_tag == 'latest' runs-on: ubuntu-latest needs: "test" + permissions: + contents: write + # Required for OIDC and trusted publishing. See: + # - https://docs.npmjs.com/trusted-publishers + # - https://docs.github.com/en/actions/concepts/security/openid-connect + id-token: write steps: - uses: actions/checkout@v6 - uses: actions/setup-node@v6 
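Review bot: The `branches: - "main"` trigger added at the top of this hunk has no `paths:` filter, whereas the workflow this commit deletes (publish_next_web-features.yml, first hunk) limited its main-branch trigger to `features/**`, `groups/**`, `packages/web-features/**`, `snapshots/**`, `index.ts` and `scripts/build.ts`; as written, every push to main — documentation-only changes included — now publishes a new `@next` version and force-moves the `next` tag. If the widening is intentional it deserves a comment next to `branches:`; otherwise restore the `paths:` list under `push:`, and check that a `paths:` filter on the shared `push:` event does not suppress the `v*` tag trigger that `publish_latest` depends on. The `publish_latest` job's steps continue in the next hunk.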
@@ -33,23 +51,92 @@ jobs: registry-url: "https://registry.npmjs.org" - run: npm ci - run: npm run build + - run: npm publish + working-directory: ${{ env.package_dir }} - run: gh release upload ${{ github.ref_name }} packages/web-features/data.json data.extended.json schemas/data.schema.json env: GH_TOKEN: ${{ github.token }} - publish: - if: github.repository == 'web-platform-dx/web-features' + + publish_next: + name: Publish prerelease + if: github.repository == 'web-platform-dx/web-features' && env.dist_tag == 'next' runs-on: ubuntu-latest needs: "test" + permissions: + contents: write + # Required for OIDC and trusted publishing. See: + # - https://docs.npmjs.com/trusted-publishers + # - https://docs.github.com/en/actions/concepts/security/openid-connect + id-token: write steps: - uses: actions/checkout@v6 + - name: Get timestamp and short hash + id: timestamp_and_hash + run: | + echo "TIMESTAMP=$(date +'%Y%m%d%H%M%S')" >> $GITHUB_OUTPUT + echo "SHORT_HASH=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT + - uses: actions/setup-node@v6 with: node-version-file: .node-version cache: npm registry-url: "https://registry.npmjs.org" + + - run: npm install -g 'npm@>=11.5.1' # required for trusted publishing - run: npm ci + - run: npm run build - - run: npm publish + + - name: Get package.json version + id: version + run: echo "VERSION=$(npm version --json | jq --raw-output '.["${{ env.package }}"]')" >> $GITHUB_OUTPUT + working-directory: ${{ env.package_dir }} + - run: npm install working-directory: ${{ env.package_dir }} + - run: npm version --no-git-tag-version "$VERSION-dev-$TIMESTAMP-$SHORT_HASH" + # The version string template is: -dev-- + # Why not use SemVer build metadata with a plus sign for some of this? + # Because npm completely ignores it. 
😒 + working-directory: ${{ env.package_dir }} + env: + VERSION: ${{ steps.version.outputs.VERSION }} + TIMESTAMP: ${{ steps.timestamp_and_hash.outputs.TIMESTAMP }} + SHORT_HASH: ${{ steps.timestamp_and_hash.outputs.SHORT_HASH }} + - run: npm publish --tag ${{ env.dist_tag }} + working-directory: ${{ env.package_dir }} + + - name: Set existing release to draft + run: gh release edit --draft "$TAG" env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + GH_TOKEN: ${{ github.token }} + TAG: ${{ env.dist_tag }} + + - name: Update the tag + run: | + git config user.name "github-actions[bot]" + git config user.email "41898282+github-actions[bot]@users.noreply.github.com" + git tag --force "$TAG" + git push --force origin "$TAG" + env: + GH_TOKEN: ${{ github.token }} + TAG: ${{ env.dist_tag }} + + - name: Publish pre-release on GitHub + run: | + gh release edit \ + --verify-tag \ + --title "$PACKAGE@$TAG" \ + --notes "$NOTES" \ + --prerelease \ + --draft=false \ + "$TAG" + gh release upload --clobber "$TAG" $ARTIFACTS + env: + GH_TOKEN: ${{ github.token }} + PACKAGE: ${{ env.package }} + TAG: ${{ env.dist_tag }} + NOTES: This is a continuously-updated prerelease generated from `main` (currently at ${{ steps.timestamp_and_hash.outputs.SHORT_HASH }}). + ARTIFACTS: > + ${{ env.package_dir }}/data.json + data.extended.json + schemas/data.schema.json From 348325c42a5a57a94f2fed6749a409586f932d94 Mon Sep 17 00:00:00 2001 From: "Daniel D. Beck" Date: Wed, 1 Apr 2026 17:07:51 +0200 Subject: [PATCH 2/5] Avoid template expansion in shell scripts --- .github/workflows/publish_web-features.yml | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish_web-features.yml b/.github/workflows/publish_web-features.yml index 683a5e4ccbb..61177b46c21 100644 --- a/.github/workflows/publish_web-features.yml +++ b/.github/workflows/publish_web-features.yml 
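Review bot: `publish_latest` now publishes through OIDC only (the `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` env is removed at the end of this hunk), yet it is the one job without an `npm install -g 'npm@>=11.5.1'` step before its `npm publish`; `test` and `publish_next` both get that step, and `test` publishes nothing. If the npm bundled with the version in `.node-version` is older than 11.5.1, the `+ - run: npm publish` at the top of this hunk fails with no credentials rather than falling back to anything, so the release path is the one most likely to break. Add `- run: npm install -g 'npm@>=11.5.1' # required for trusted publishing` after the `actions/setup-node@v6` step of `publish_latest`, and the copy in `test` (previous hunk) can go. The start of `publish_latest` lies in the previous hunk.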
@@ -53,7 +53,7 @@ jobs: - run: npm run build - run: npm publish working-directory: ${{ env.package_dir }} - - run: gh release upload ${{ github.ref_name }} packages/web-features/data.json data.extended.json schemas/data.schema.json + - run: gh release upload "$GITHUB_REF_NAME" packages/web-features/data.json data.extended.json schemas/data.schema.json env: GH_TOKEN: ${{ github.token }} @@ -89,8 +89,11 @@ jobs: - name: Get package.json version id: version - run: echo "VERSION=$(npm version --json | jq --raw-output '.["${{ env.package }}"]')" >> $GITHUB_OUTPUT + run: echo "VERSION=$(npm version --json | jq --arg package "$PACKAGE" --raw-output '.[$package]')" >> $GITHUB_OUTPUT working-directory: ${{ env.package_dir }} + env: + PACKAGE: ${{ env.package }} + PACKAGE_DIR: ${{ env.package_dir }} - run: npm install working-directory: ${{ env.package_dir }} - run: npm version --no-git-tag-version "$VERSION-dev-$TIMESTAMP-$SHORT_HASH" @@ -102,8 +105,10 @@ jobs: VERSION: ${{ steps.version.outputs.VERSION }} TIMESTAMP: ${{ steps.timestamp_and_hash.outputs.TIMESTAMP }} SHORT_HASH: ${{ steps.timestamp_and_hash.outputs.SHORT_HASH }} - - run: npm publish --tag ${{ env.dist_tag }} + - run: npm publish --tag "$DIST_TAG" working-directory: ${{ env.package_dir }} + env: + DIST_TAG: ${{ env.dist_tag }} - name: Set existing release to draft run: gh release edit --draft "$TAG" From 4b8492ec67ad319501558f22ba8c120d74521811 Mon Sep 17 00:00:00 2001 From: "Daniel D. Beck" Date: Wed, 1 Apr 2026 17:21:49 +0200 Subject: [PATCH 3/5] Make permissions more explicit --- .github/workflows/publish_web-features.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/publish_web-features.yml b/.github/workflows/publish_web-features.yml index 61177b46c21..12f8f407cd8 100644 --- a/.github/workflows/publish_web-features.yml +++ b/.github/workflows/publish_web-features.yml 
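Review bot: The second hunk adds `PACKAGE_DIR: ${{ env.package_dir }}` to the env of the `Get package.json version` step, but the step's `run:` line never reads `$PACKAGE_DIR` — the directory is still chosen by `working-directory: ${{ env.package_dir }}` — so the variable is dead and suggests an intent the step does not carry out; either drop the line or use it. While these `run:` lines are being re-quoted, `>> $GITHUB_OUTPUT` should become `>> "$GITHUB_OUTPUT"` for consistency with the quoting this commit introduces for `"$GITHUB_REF_NAME"` and `"$DIST_TAG"`. The `jq --arg package "$PACKAGE" … '.[$package]'` rewrite correctly keeps the package name out of the jq program text, which is the point of the commit. Both affected steps' surrounding jobs start outside these hunks.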
@@ -23,6 +23,8 @@ jobs: contents: read steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: actions/setup-node@v6 with: node-version-file: .node-version @@ -37,6 +39,7 @@ jobs: runs-on: ubuntu-latest needs: "test" permissions: + # Required to modify the release and upload release artifacts contents: write # Required for OIDC and trusted publishing. See: # - https://docs.npmjs.com/trusted-publishers @@ -44,6 +47,8 @@ jobs: id-token: write steps: - uses: actions/checkout@v6 + with: + persist-credentials: false - uses: actions/setup-node@v6 with: node-version-file: .node-version @@ -63,6 +68,7 @@ jobs: runs-on: ubuntu-latest needs: "test" permissions: + # Required to modify the release and upload release artifacts contents: write # Required for OIDC and trusted publishing. See: # - https://docs.npmjs.com/trusted-publishers @@ -70,6 +76,9 @@ jobs: id-token: write steps: - uses: actions/checkout@v6 + with: + # Required for `git tag` + persist-credentials: true - name: Get timestamp and short hash id: timestamp_and_hash run: | From d5e9a4fb1644a93e8cffaa4e962edb61a5ebf2a0 Mon Sep 17 00:00:00 2001 From: "Daniel D. Beck" Date: Wed, 1 Apr 2026 18:38:29 +0200 Subject: [PATCH 4/5] Duplicate `dist_tag` in `if`, since `env` is unavailable --- .github/workflows/publish_web-features.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish_web-features.yml b/.github/workflows/publish_web-features.yml index 12f8f407cd8..5c6c3178445 100644 --- a/.github/workflows/publish_web-features.yml +++ b/.github/workflows/publish_web-features.yml @@ -35,7 +35,7 @@ jobs: publish_latest: name: Publish release - if: github.repository == 'web-platform-dx/web-features' && env.dist_tag == 'latest' + if: github.repository == 'web-platform-dx/web-features' && ${{ startsWith(github.ref, 'refs/tags/') && 'latest' || 'next' }} == 'latest' runs-on: ubuntu-latest needs: "test" permissions: 
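Review bot: The comment `# Required for \`git tag\`` on the `publish_next` checkout (last hunk of this commit) is inaccurate: creating the tag locally needs no credentials, it is the `git push --force origin "$TAG"` in the later `Update the tag` step that does; suggest `# Required for the \`git push\` of the "$TAG" tag in the "Update the tag" step`. Persisted checkout credentials are readable by every step in that job, including the `npm ci`, `npm install` and `npm run build` steps that run dependency lifecycle scripts before the push, so if that exposure matters, an alternative is to keep `persist-credentials: false` here as in the other two jobs and authenticate only the push step with `GH_TOKEN`. The `publish_next` job header and its remaining steps lie outside this hunk.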
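Review bot: The rewritten `if:` on `publish_latest` mixes a bare expression with an embedded `${{ … }}` block (`… && ${{ startsWith(github.ref, 'refs/tags/') && 'latest' || 'next' }} == 'latest'`); `if:` is already evaluated as an expression, and a partially wrapped expression is hard to read and, as far as I can tell, not documented to compose the way this intends. The condition reduces to `if: github.repository == 'web-platform-dx/web-features' && startsWith(github.ref, 'refs/tags/')` here, and to `if: github.repository == 'web-platform-dx/web-features' && !startsWith(github.ref, 'refs/tags/')` for `publish_next` in this commit's second hunk (next line), which needs no duplication of the `dist_tag` string logic. The workflow-level `env.dist_tag` remains useful for the steps that read it. Both job definitions continue outside these hunks.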
@@ -64,7 +64,7 @@ jobs: publish_next: name: Publish prerelease - if: github.repository == 'web-platform-dx/web-features' && env.dist_tag == 'next' + if: github.repository == 'web-platform-dx/web-features' && ${{ startsWith(github.ref, 'refs/tags/') && 'latest' || 'next' }} == 'next' runs-on: ubuntu-latest needs: "test" permissions: From fee2e9c2cd807ab2bec05b9a80fd77e232f11128 Mon Sep 17 00:00:00 2001 From: "Daniel D. Beck" Date: Wed, 1 Apr 2026 18:41:20 +0200 Subject: [PATCH 5/5] Avoid `npm install` in CI --- .github/workflows/publish_web-features.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/publish_web-features.yml b/.github/workflows/publish_web-features.yml index 5c6c3178445..e1d21ce6e67 100644 --- a/.github/workflows/publish_web-features.yml +++ b/.github/workflows/publish_web-features.yml @@ -103,7 +103,7 @@ jobs: env: PACKAGE: ${{ env.package }} PACKAGE_DIR: ${{ env.package_dir }} - - run: npm install + - run: npm ci working-directory: ${{ env.package_dir }} - run: npm version --no-git-tag-version "$VERSION-dev-$TIMESTAMP-$SHORT_HASH" # The version string template is: -dev--
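Review bot: `npm ci` with `working-directory: ${{ env.package_dir }}` requires a `package-lock.json` inside `packages/web-features` and fails otherwise, whereas the `npm install` it replaces did not; the diff does not show whether that package directory has its own lockfile, so confirm before merging. Since this step runs in the job whose checkout persists push credentials, `npm ci --ignore-scripts` would additionally keep dependency lifecycle scripts from executing there, provided the package's build does not rely on them — worth checking. The enclosing `publish_next` job starts outside this hunk.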