From 954d2182041f21ee447d73f48de315a2c9c5aa1a Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 17:23:22 -0600 Subject: [PATCH 1/3] ci: harden npm trusted publishing workflow --- .github/workflows/validate.yml | 75 ++++++++++++++++++++++------------ 1 file changed, 50 insertions(+), 25 deletions(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 3fe8d7c5..8af854f7 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -15,8 +15,8 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -permissions: {} - +permissions: + contents: read jobs: main: permissions: @@ -30,18 +30,18 @@ jobs: node: [18, 24] runs-on: ubuntu-latest steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@v3 with: # required by codecov/codecov-action fetch-depth: 0 - - name: ⎔ Setup node + - name: Setup node uses: actions/setup-node@v3 with: node-version: ${{ matrix.node }} - - name: 📥 Download deps + - name: Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false 
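Review bot: Replacing the workflow-level `permissions: {}` with `contents: read` in the first hunk widens the default token rather than narrowing it: every job visible in this series (`main`, `build-release-artifact`, `release`) declares its own `permissions:` block, so the workflow-level value only applies to a job that omits one, and `{}` is the stricter fallback for that case. Unless a job that depends on the inherited default exists outside these hunks, keep `permissions: {}` at the top level and leave the per-job grants as they are. If `contents: read` is meant to document the minimum every job needs, a comment on the top-level key saying so would carry that intent without loosening the fallback.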
@@ -50,46 +50,71 @@ jobs: - name: Verify format (`npm run format` committed?) run: npm run format -- --check --no-write - - name: ▶️ Run validate script + - name: Run validate script run: npm run validate - - name: ⬆️ Upload coverage report + - name: Upload coverage report uses: codecov/codecov-action@v4 with: fail_ci_if_error: true flags: node-${{ matrix.node }} token: ${{ secrets.CODECOV_TOKEN }} # required - release: - environment: production - permissions: - id-token: write # Required for OIDC - contents: write # to create release tags (cycjimmy/semantic-release-action) - issues: write # to post release that resolves an issue - + build-release-artifact: needs: main runs-on: ubuntu-latest - if: - ${{ github.repository == 'testing-library/dom-testing-library' && - github.event_name == 'push' }} + permissions: + contents: read + if: ${{ github.repository == 'testing-library/dom-testing-library' && github.event_name == 'push' }} steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@v3 - - name: ⎔ Setup node + - name: Setup node uses: actions/setup-node@v3 with: node-version: 24 - - name: 📥 Download deps - uses: bahmutov/npm-install@v1 - with: - useLockFile: false + - name: Install dependencies + run: npm install --ignore-scripts - - name: 🏗 Run build script + - name: Run build script run: npm run build - - name: 🚀 Release + - name: Upload package artifact + uses: actions/upload-artifact@v4 + with: + name: npm-package-dist + path: dist + if-no-files-found: error + retention-days: 7 + + release: + needs: build-release-artifact + runs-on: ubuntu-latest + permissions: + contents: write + id-token: write + issues: write + pull-requests: write + if: ${{ github.repository == 'testing-library/dom-testing-library' && github.event_name == 'push' }} + steps: + - name: Checkout repo + uses: actions/checkout@v3 + + - name: Setup node + uses: actions/setup-node@v3 + with: + node-version: 24 + registry-url: 'https://registry.npmjs.org/' + + - name: 
Download package artifact + uses: actions/download-artifact@v4 + with: + name: npm-package-dist + path: dist + + - name: Release uses: cycjimmy/semantic-release-action@v5 with: semantic_version: 25 From e623b5a286a8b706d12de4ce096d2e3b82a10d32 Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 17:29:37 -0600 Subject: [PATCH 2/3] ci: preserve existing workflow labels --- .github/workflows/validate.yml | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 8af854f7..93739bff 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -30,18 +30,18 @@ jobs: node: [18, 24] runs-on: ubuntu-latest steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v3 with: # required by codecov/codecov-action fetch-depth: 0 - - name: Setup node + - name: ⎔ Setup node uses: actions/setup-node@v3 with: node-version: ${{ matrix.node }} - - name: Download deps + - name: 📥 Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false @@ -50,10 +50,10 @@ jobs: - name: Verify format (`npm run format` committed?) run: npm run format -- --check --no-write - - name: Run validate script + - name: ▶️ Run validate script run: npm run validate - - name: Upload coverage report + - name: ⬆️ Upload coverage report uses: codecov/codecov-action@v4 with: fail_ci_if_error: true 
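Review bot: The rebuilt `release` job in this hunk drops the `environment: production` line that the removed job carried while keeping `id-token: write`; that environment is where a trusted-publisher binding and any deployment protection rules (required reviewers, branch restrictions) are enforced, so the OIDC-issuing job now runs without them, and a registry publisher configured against that environment name would stop matching. Restore it with `environment: production` directly under `release:`. The action references this hunk adds (`actions/upload-artifact@v4`, `actions/download-artifact@v4`, `cycjimmy/semantic-release-action@v5`) are still mutable tags; for a commit titled as hardening, pinning each `uses:` to a full commit SHA with the tag in a trailing comment is the usual expectation, and the same applies to the `@v3` checkout and setup-node lines the hunk re-adds. Also note that the `release` job checks out the repository and restores `dist` but never installs project dependencies, so any release plugins declared in the repository's own release configuration would have to be supplied by the action itself — worth confirming before this is merged.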
@@ -67,21 +67,21 @@ jobs: contents: read if: ${{ github.repository == 'testing-library/dom-testing-library' && github.event_name == 'push' }} steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v3 - - name: Setup node + - name: ⎔ Setup node uses: actions/setup-node@v3 with: node-version: 24 - - name: Install dependencies + - name: 📥 Download deps run: npm install --ignore-scripts - - name: Run build script + - name: 🏗 Run build script run: npm run build - - name: Upload package artifact + - name: 📦 Upload package artifact uses: actions/upload-artifact@v4 with: name: npm-package-dist @@ -99,22 +99,22 @@ jobs: pull-requests: write if: ${{ github.repository == 'testing-library/dom-testing-library' && github.event_name == 'push' }} steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v3 - - name: Setup node + - name: ⎔ Setup node uses: actions/setup-node@v3 with: node-version: 24 registry-url: 'https://registry.npmjs.org/' - - name: Download package artifact + - name: 📦 Download package artifact uses: actions/download-artifact@v4 with: name: npm-package-dist path: dist - - name: Release + - name: 🚀 Release uses: cycjimmy/semantic-release-action@v5 with: semantic_version: 25 From dee9c45fa4f1364031060def04a3ff9e274c59f8 Mon Sep 17 00:00:00 2001 From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com> Date: Tue, 12 May 2026 17:32:39 -0600 Subject: [PATCH 3/3] ci: format workflow conditions --- .github/workflows/validate.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index 93739bff..4515c410 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml 
@@ -65,7 +65,9 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: read
-if: ${{ github.repository == 'testing-library/dom-testing-library' && github.event_name == 'push' }}
+if:
+${{ github.repository == 'testing-library/dom-testing-library' &&
+github.event_name == 'push' }}
 steps:
 - name: ⬇️ Checkout repo
 uses: actions/checkout@v3
@@ -97,7 +99,9 @@ jobs:
 id-token: write
 issues: write
 pull-requests: write
-if: ${{ github.repository == 'testing-library/dom-testing-library' && github.event_name == 'push' }}
+if:
+${{ github.repository == 'testing-library/dom-testing-library' &&
+github.event_name == 'push' }}
 steps:
 - name: ⬇️ Checkout repo
 uses: actions/checkout@v3