feat(trusted-publishing): initial commit to add github actions to support OIDC trusted publishing.

ethan-ozelius-contentful · ethan-ozelius-contentful · commit 9896d20ed807 · 2025-11-07T15:04:16.000-07:00
Added github actions: main, check, build and release
Added a new channel testing-oidc-trusted-publishing for testing npmjs package deployments
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -0,0 +1,40 @@
+name: Build
+
+on:
+  workflow_call:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      # required for browser output-integration tests
+      - name: Setup Chrome
+        uses: browser-actions/setup-chrome@v2
+        with:
+          install-chromedriver: true
+
+      - name: Build
+        run: npm run build
+        env:
+          # required for browser output-integration tests
+          PUPPETEER_EXECUTABLE_PATH: /usr/bin/google-chrome
+
+      - name: Save Build folders
+        uses: actions/cache/save@v4
+        with:
+          path: |
+            dist
+          key: build-cache-${{ github.run_id }}-${{ github.run_attempt }}
diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml
@@ -0,0 +1,44 @@
+
+name: Run Checks
+
+on:
+  workflow_call:
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Restore the build folders
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            dist
+          key: build-cache-${{ github.run_id }}-${{ github.run_attempt }}
+
+      - name: Run linter
+        run: npm run lint
+
+      - name: Check prettier formatting
+        run: npm run prettier:check
+
+      - name: Run tests
+        run: npm test
+
+      - name: Test bundle size
+        run: npm run test:size
+
+      - name: Test TypeScript types
+        run: npm run test:types
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
@@ -19,14 +19,14 @@ jobs:
       security-events: write
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v5
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
         with:
           languages: actions
 
       - name: Run CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
         with:
           category: actions
diff --git a/.github/workflows/dependabot-approve-and-request-merge.yaml b/.github/workflows/dependabot-approve-and-request-merge.yaml
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -0,0 +1,27 @@
+name: CI
+permissions:
+  contents: read
+
+on:
+  push:
+    branches: ['master', 'next']
+  pull_request:
+    branches: ['*']
+
+jobs:
+  build:
+    uses: ./.github/workflows/build.yaml
+
+  check:
+    needs: build
+    uses: ./.github/workflows/check.yaml
+
+  release:
+    # TODO: remove 'testing-oidc-trusted-publishing' branch once trusted publishing is stable
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/master' || github.ref == 'refs/heads/testing-oidc-trusted-publishing' || github.ref == 'refs/heads/next')
+    needs: [build, check]
+    permissions:
+      contents: write
+      id-token: write
+      actions: read
+    uses: ./.github/workflows/release.yaml
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,51 @@
+name: release
+
+permissions:
+  contents: read
+  # packages: read
+
+on:
+  workflow_call:
+
+jobs:
+  release:
+    name: Release
+    permissions:
+      contents: write
+      # issues: write # Required for creating issues on release failures
+      id-token: write # Required for OIDC trusted publishing
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        # with:
+        #   fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+          registry-url: 'https://registry.npmjs.org'
+          cache: 'npm'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Restore the build folders
+        uses: actions/cache/restore@v4
+        with:
+          path: |
+            dist
+          key: build-cache-${{ github.run_id }}-${{ github.run_attempt }}
+
+      - name: Setup Chrome
+        uses: browser-actions/setup-chrome@v2
+        with:
+          install-chromedriver: true
+
+      - name: Run semantic release
+        run: npm run semantic-release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
+        #   NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/package.json b/package.json
@@ -159,6 +159,11 @@
         "name": "next",
         "channel": "next",
         "prerelease": true
+      },
+      {
+        "name": "testing-oidc-trusted-publishing",
+        "channel": "testing-oidc-trusted-publishing",
+        "prerelease": true
       }
     ],
     "plugins": [
