From fe130fb0dc742eed82b4c6d0dca9d02c97dfbf70 Mon Sep 17 00:00:00 2001 From: aose-yuu Date: Fri, 19 Dec 2025 20:45:32 +0900 Subject: [PATCH 1/2] ci: migrate workflows to OIDC trusted publishing --- .github/pull_request_template.md | 3 +- .github/workflows/ci.yml | 77 ++++++++++------------------ .github/workflows/lint-workflows.yml | 18 ------- .github/workflows/publish.yml | 45 ++++++++-------- .github/workflows/semantic-pr.yml | 29 ----------- 5 files changed, 51 insertions(+), 121 deletions(-) delete mode 100644 .github/workflows/lint-workflows.yml delete mode 100644 .github/workflows/semantic-pr.yml diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md index 902ab09..9b769cf 100644 --- a/.github/pull_request_template.md +++ b/.github/pull_request_template.md @@ -9,6 +9,7 @@ ## Verification - [ ] `pnpm test` +- [ ] `pnpm typecheck` - [ ] `pnpm build` - [ ] `pnpm format` -- [ ] CI PR format check passes (title/body rules) +- [ ] CI PR title check passes (Conventional Commits) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e0b65bb..3c208ac 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -1,26 +1,13 @@ name: ci -on: [push, pull_request] +on: + push: + branches: [main] + pull_request: permissions: contents: read -concurrency: ci-${{ github.ref }} jobs: - typecheck: - runs-on: ubuntu-latest - strategy: - matrix: - node: [20.x, 22.x] - steps: - - uses: actions/checkout@v4 - - uses: pnpm/action-setup@v4 - - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node }} - cache: pnpm - - run: pnpm install - - run: pnpm -s typecheck - - format: + ci: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 
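Review bot: The new `pull_request:` trigger has no `types:`, so the title check this commit moves into ci.yml (next hunk, replacing semantic-pr.yml, which listened for `opened, edited, synchronize`) no longer runs when a PR title is edited; a title fixed after the first run stays red and one broken by an edit stays green. Add `types: [opened, edited, synchronize, reopened]` under `pull_request:` in this hunk. Dropping the `node: [20.x, 22.x]` matrix also leaves the package checked on Node 20 only, which the commit message does not mention; if the narrowing is deliberate, say so there, otherwise keep the matrix on the merged `ci` job.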
@@ -28,37 +15,27 @@ jobs: - uses: actions/setup-node@v4 with: node-version: 20 - cache: pnpm - - run: pnpm install - - run: pnpm run format + cache: 'pnpm' - test-build: - runs-on: ubuntu-latest - needs: [typecheck, format] - strategy: - matrix: - node: [20.x, 22.x] - steps: - - uses: actions/checkout@v4 - - uses: pnpm/action-setup@v4 - - uses: actions/setup-node@v4 - with: - node-version: ${{ matrix.node }} - cache: pnpm - - run: pnpm install - - run: pnpm test - - run: pnpm build - - name: Verify packed artifacts + - name: Validate PR title (Conventional Commits) + if: github.event_name == 'pull_request' + env: + PR_TITLE: ${{ github.event.pull_request.title }} run: | - set -euo pipefail - PACK_OUTPUT=$(npm pack --silent) - echo "$PACK_OUTPUT" - TARBALL=$(printf '%s\n' "$PACK_OUTPUT" | tail -n 1 | tr -d '[:space:]') - echo "Packed tarball: $TARBALL" - LISTING=$(tar -tf "$TARBALL") - echo "Listing contents:" - printf '%s\n' "$LISTING" | sed -n '1,200p' - printf '%s\n' "$LISTING" | grep -q '^package/dist/index.mjs$' - printf '%s\n' "$LISTING" | grep -q '^package/dist/index.cjs$' - printf '%s\n' "$LISTING" | grep -q '^package/dist/index.d.ts$' - rm -f "$TARBALL" + node - <<'NODE' + const title = process.env.PR_TITLE || ""; + const ok = + /^(feat|fix|chore|docs|test|refactor|ci|build|perf|style|revert)(\(.+\))?(!)?: .+/.test( + title, + ); + if (!ok) { + console.error(`Invalid PR title (Conventional Commits required): ${title}`); + process.exit(1); + } + NODE + + - run: pnpm install + - run: pnpm -s test + - run: pnpm -s typecheck + - run: pnpm -s build + - run: pnpm -s format diff --git a/.github/workflows/lint-workflows.yml b/.github/workflows/lint-workflows.yml deleted file mode 100644 index 7089e10..0000000 --- a/.github/workflows/lint-workflows.yml +++ /dev/null 
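Review bot: The `Verify packed artifacts` step is removed with nothing taking its place, so neither this workflow nor publish.yml checks any longer that the tarball npm will ship actually contains `dist/index.mjs`, `dist/index.cjs` and `dist/index.d.ts`; a stale `files` entry or a build that stops emitting one of them would now be noticed only after the version is on the registry. Keep that step (it was self-contained: `npm pack --silent`, `tar -tf` on the result, three `grep -q '^package/dist/…$'` lines) after `pnpm -s build` here, or move it into publish.yml ahead of `npm publish`. The inline title validator is written the safe way — the title reaches node through `PR_TITLE` in `env:` instead of being expanded into the `run:` body — so that part needs no change. A small style point: `cache: 'pnpm'` does not need the quotes, and the rest of the file leaves plain scalars unquoted.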
@@ -1,18 +0,0 @@ -name: lint-workflows -on: - pull_request: - paths: - - ".github/workflows/**" - - ".github/*.yml" - push: - paths: - - ".github/workflows/**" - - ".github/*.yml" -permissions: - contents: read -jobs: - actionlint: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v4 - - uses: rhysd/actionlint@27b18e36cb83de403ebcb76579385c63ef964e38 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index a734920..2699528 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,23 +1,18 @@ name: publish on: - workflow_dispatch: push: tags: - 'v*' permissions: - contents: write id-token: write - packages: write + contents: write jobs: publish: - if: startsWith(github.ref, 'refs/tags/v') || github.ref == 'refs/heads/main' runs-on: ubuntu-latest environment: release concurrency: publish-${{ github.ref }} steps: - uses: actions/checkout@v4 - with: - fetch-depth: 0 - uses: actions/setup-node@v4 with: node-version: 20 
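Review bot: `fetch-depth: 0` is dropped from the checkout step while the next hunk still runs `changelogen gh release`, which (as far as I know) builds the notes from the git log between the previous tag and the current one; on the default shallow clone that history and the older tags are absent, so the notes are likely to come out empty or wrong. Keep `with:` / `fetch-depth: 0` on `actions/checkout@v4`, or run `git fetch --tags --unshallow` before the changelogen step. With `workflow_dispatch` and the `if:` guard removed, a push of any `v*` tag is the sole trigger, so the `release` environment's protection rules and a tag ruleset on `v*` are now the entire gate on who can publish — worth confirming both are in place before the first OIDC release. Since `publish` is the only job, `id-token: write` and `contents: write` could also sit under the job rather than at workflow level, so a job added later does not inherit them.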
@@ -25,28 +20,32 @@ jobs: - uses: pnpm/action-setup@v4 - run: pnpm install - run: pnpm test + - run: pnpm typecheck - run: pnpm build - - name: npm publish with provenance - run: npm publish --access public --provenance - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - - name: Read version from package.json - id: ver + - name: Ensure npm CLI supports trusted publishing + run: | + npm i -g npm@11.5.1 + npm --version + + - name: Detect already-published version + id: npmcheck run: | + set -euo pipefail + NAME=$(node -p "require('./package.json').name") VERSION=$(node -p "require('./package.json').version") + echo "name=$NAME" >> "$GITHUB_OUTPUT" echo "version=$VERSION" >> "$GITHUB_OUTPUT" - - name: Create vX.Y.Z tag if missing - run: | - TAG="v${{ steps.ver.outputs.version }}" - if git rev-parse -q --verify "refs/tags/$TAG" >/dev/null; then - echo "Tag $TAG already exists. Skipping." - exit 0 + if npm view "$NAME@$VERSION" version >/dev/null 2>&1; then + echo "published=true" >> "$GITHUB_OUTPUT" + else + echo "published=false" >> "$GITHUB_OUTPUT" fi - git config user.name "github-actions[bot]" - git config user.email "41898282+github-actions[bot]@users.noreply.github.com" - git tag -a "$TAG" -m "$TAG" - git push origin "$TAG" + + - name: npm publish (OIDC trusted publishing) + if: steps.npmcheck.outputs.published != 'true' + run: npm publish --access public + - name: Sync GitHub Release notes via changelogen env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - run: pnpm dlx changelogen gh release v${{ steps.ver.outputs.version }} --token "${GITHUB_TOKEN}" + run: pnpm exec changelogen gh release ${{ github.ref_name }} --token "${GITHUB_TOKEN}" diff --git a/.github/workflows/semantic-pr.yml b/.github/workflows/semantic-pr.yml deleted file mode 100644 index 2cedee9..0000000 --- a/.github/workflows/semantic-pr.yml +++ /dev/null 
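Review bot: Nothing ties the pushed tag to the version that gets published: `Detect already-published version` takes `$VERSION` from package.json, `npm publish` ships that version, and the release notes are then attached to `${{ github.ref_name }}`, so a `v1.2.3` tag on a commit whose package.json still says `1.2.2` publishes (or silently skips) 1.2.2 and creates a v1.2.3 release for it — the old workflow avoided this by deriving the tag from package.json. After the `VERSION=` line add `if [ "v$VERSION" != "$GITHUB_REF_NAME" ]; then echo "tag $GITHUB_REF_NAME does not match package.json version $VERSION" >&2; exit 1; fi`. In the last step `${{ github.ref_name }}` is expanded directly into the `run:` body; the same step already routes the token through `env:`, so do the same for the tag (`TAG: ${{ github.ref_name }}` and `gh release "$TAG"`), since git ref names may contain `;`, `$` and parentheses and tag-push rights are the only thing between that string and the shell. Dropping `--provenance` should be fine because trusted publishing generates the provenance attestation itself, but it is worth checking the first release's package page to confirm the attestation is there.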
@@ -1,29 +0,0 @@
-name: semantic-pr
-on:
- pull_request_target:
- types: [opened, edited, synchronize]
-permissions: {}
-jobs:
- lint:
- permissions:
- contents: read
- pull-requests: read
- statuses: write
- runs-on: ubuntu-latest
- steps:
- - uses: amannn/action-semantic-pull-request@v6
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- with:
- types: |
- feat
- fix
- chore
- docs
- test
- refactor
- ci
- build
- perf
- style
- revert
From f5e96d8034238a4293781463e06e29069dab9db7 Mon Sep 17 00:00:00 2001
From: aose-yuu
Date: Fri, 19 Dec 2025 21:10:37 +0900
Subject: [PATCH 2/2] style: format package.json

---
 package.json | 17 +++--------------
 1 file changed, 3 insertions(+), 14 deletions(-)

diff --git a/package.json b/package.json
index 03d8285..67ba097 100644
--- a/package.json
+++ b/package.json
@@ -29,16 +29,8 @@
 },
 "main": "./dist/index.cjs",
 "types": "./dist/index.d.ts",
- "files": [
- "dist"
- ],
- "keywords": [
- "signals",
- "reactivity",
- "react",
- "logic",
- "typescript"
- ],
+ "files": ["dist"],
+ "keywords": ["signals", "reactivity", "react", "logic", "typescript"],
 "scripts": {
 "dev": "vite --config playground/vite.config.ts",
 "build": "unbuild",
@@ -74,9 +66,6 @@
 "jsdom": "^24.1.3"
 },
 "pnpm": {
- "onlyBuiltDependencies": [
- "lefthook",
- "@biomejs/biome"
- ]
+ "onlyBuiltDependencies": ["lefthook", "@biomejs/biome"]
 }
 }