feat(trusted-publishing): initial commit to add github actions to support OIDC trusted publishing.

ethan-ozelius-contentful · ethan-ozelius-contentful · commit 79fa9b2e7678 · 2025-11-07T13:13:17.000-07:00
Added github actions: main, check, build and release
Added a new channel testing-oidc-trusted-publishing for testing npmjs package deployments
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -0,0 +1,31 @@
+name: Build
+
+on:
+  workflow_call:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Save Build folders
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            dist
+          key: build-cache-${{ github.run_id }}-${{ github.run_attempt }}
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
@@ -0,0 +1,47 @@
+
+name: Run Checks
+
+on:
+  workflow_call:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Restore the build folders
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            dist
+          key: build-cache-${{ github.run_id }}-${{ github.run_attempt }}
+
+      - name: Run linter
+        run: npm run lint
+
+      - name: Check prettier formatting
+        run: npm run prettier:check
+
+      - name: Check formatting
+        run: npm run format:check
+
+      - name: Run tests
+        run: npm test
+
+      - name: Test bundle size
+        run: npm run test:size
+
+      - name: Test TypeScript types
+        run: npm run test:types
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -19,14 +19,14 @@ jobs:
       security-events: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: actions
 
       - name: Run CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: actions
diff --git a/.github/workflows/dependabot-approve-and-request-merge.yaml b/.github/workflows/dependabot-approve-and-request-merge.yaml
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -0,0 +1,29 @@
+name: CI
+permissions:
+  contents: read
+
+on:
+  push:
+    branches: ['master', 'next', 'testing-oidc-trusted-publishing']
+  pull_request:
+    branches: ['*']
+
+jobs:
+  build:
+    uses: ./.github/workflows/build.yml
+
+  check:
+    needs: build
+    uses: ./.github/workflows/check.yml
+
+  release:
+    # TODO: remove 'testing-oidc-trusted-publishing' branch once trusted publishing is stable
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/testing-oidc-trusted-publishing' || github.ref == 'refs/heads/next')
+    needs: [build, check]
+    permissions:
+      contents: write
+      id-token: write
+      actions: read
+    uses: ./.github/workflows/release.yml
+    secrets:
+      VAULT_URL: ${{ secrets.VAULT_URL }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,54 @@
+name: release
+
+permissions:
+  contents: read
+  # packages: read
+
+on:
+  push:
+    branches:
+      - master
+      - next
+      - testing-oidc-trusted-publishing
+  pull_request:
+    branches:
+      - master
+
+jobs:
+  release:
+    name: Release
+    permissions:
+      # packages: write
+      id-token: write # Required for OIDC trusted publishing
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+          # registry-url: 'https://registry.npmjs.org'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Restore the build folders
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            dist
+          key: build-cache-${{ github.run_id }}-${{ github.run_attempt }}
+
+      - name: Setup Chrome
+        uses: browser-actions/setup-chrome@v2
+        with:
+          install-chromedriver: true
+
+      - name: Run semantic release
+        run: npm run semantic-release
+        # env:
+        #   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        #   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/package.json b/package.json
@@ -159,6 +159,11 @@
         "name": "next",
         "channel": "next",
         "prerelease": true
+      },
+      {
+        "name": "testing-oidc-trusted-publishing",
+        "channel": "testing-oidc-trusted-publishing",
+        "prerelease": true
       }
     ],
     "plugins": [
