diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..ca79ca5 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: weekly diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml index ac13283..083703c 100644 --- a/.github/workflows/checks.yml +++ b/.github/workflows/checks.yml @@ -3,12 +3,15 @@ on: - push - pull_request - workflow_call +permissions: + contents: read + jobs: lint: - uses: adonisjs/.github/.github/workflows/lint.yml@next + uses: adonisjs/.github/.github/workflows/lint.yml@616f1f5863b4a3a73eb49cd0d16e8719bcd34e7a # next typecheck: - uses: adonisjs/.github/.github/workflows/typecheck.yml@next + uses: adonisjs/.github/.github/workflows/typecheck.yml@616f1f5863b4a3a73eb49cd0d16e8719bcd34e7a # next test-postgres: runs-on: ubuntu-latest @@ -27,8 +30,8 @@ jobs: ports: - 5432:5432 steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} - name: Install Playwright Browsers @@ -57,8 +60,8 @@ jobs: ports: - '3306:3306' steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} - name: Install @@ -83,8 +86,8 @@ jobs: ports: - '1433:1433' steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} - name: Install 
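Review bot: In the first `.github/workflows/checks.yml` hunk (`@@ -3,12 +3,15 @@`), the two reusable-workflow pins carry the comment `# next`, which names a moving branch rather than a release, so a reader cannot tell which revision of `adonisjs/.github` was actually reviewed. It is also worth confirming that the new Dependabot config moves these two SHAs forward along `next`; I have not verified how it treats a pin that has no matching tag, and a pin that never updates silently drifts from the upstream lint and typecheck definitions. Suggest recording what was reviewed next to the pin, for example `# next @ <date-or-short-sha-reviewed>` (placeholder), and stating in the PR description who is responsible for bumping it if Dependabot does not.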
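Review bot: In the `.github/workflows/checks.yml` hunk `@@ -27,8 +30,8 @@`, the pinned `actions/checkout` step still has no `with:` block, so it keeps the default of persisting the job token in the checked-out repository's git config for every later step, including the install and test steps that run third-party code. The token is read-only after this commit, so this is defence in depth, but no step visible in these hunks needs git credentials; add `with:` / `persist-credentials: false` under each checkout. The same applies to the checkout lines in hunks `@@ -57,8 +60,8 @@`, `@@ -83,8 +86,8 @@` and `@@ -102,8 +105,8 @@`. Each job's step list continues outside its hunk, so check that nothing later in the job relies on the stored credentials. As a smaller point, the `# v4` comments name a floating major tag; writing the exact release the SHA corresponds to (`# v4.<minor>.<patch>`, placeholder) makes the pin auditable.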
@@ -102,8 +105,8 @@ jobs: lib: ['sqlite'] node-version: [24] steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: ${{ matrix.node-version }} - name: Install diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index c585c42..4489ef3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,36 +1,45 @@ name: release on: workflow_dispatch + permissions: - contents: write - id-token: write + contents: read + +concurrency: + group: release + cancel-in-progress: false + jobs: checks: + permissions: + contents: read uses: ./.github/workflows/checks.yml + release: needs: checks runs-on: ubuntu-latest + environment: npm-publish + permissions: + contents: write + id-token: write steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: fetch-depth: 0 - - uses: actions/setup-node@v4 + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 with: node-version: 24 + registry-url: 'https://registry.npmjs.org' - name: git config run: | git config user.name "${GITHUB_ACTOR}" git config user.email "${GITHUB_ACTOR}@users.noreply.github.com" - - name: Init npm config - run: npm config set //registry.npmjs.org/:_authToken $NPM_TOKEN - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - - run: npm install + - run: npm install --ignore-scripts + + - run: npm audit signatures - run: npm run release -- --ci env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
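Review bot: Nothing in the new `release` job of `.github/workflows/release.yml` restricts which ref it may be dispatched from: `workflow_dispatch` runs the workflow file of whichever branch is selected, and the job then holds `contents: write` and `id-token: write`. `environment: npm-publish` only gates this if the environment has deployment-branch rules or required reviewers, and those live in repository settings that cannot be confirmed from the diff. Consider making the check visible in the file with `if: github.ref == 'refs/heads/<release-branch>'` on the `release` job (placeholder branch name), and noting the expected environment protection in a comment above `environment:`. Separately, if a lockfile is committed, `npm ci --ignore-scripts` would keep the publishing job on the reviewed dependency tree instead of resolving it afresh with `npm install --ignore-scripts`.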