From 7003526d912a6da77f2026cec6252ea966829190 Mon Sep 17 00:00:00 2001
From: Ricardo Amaral
Date: Wed, 8 Apr 2026 12:34:33 +0100
Subject: [PATCH 1/2] ci: improve release workflow and CI validation

---
 .github/workflows/check-ci-validation.yml | 18 +++++++++------
 .github/workflows/publish-package-release.yml | 23 +++++++++++++------
 release.config.js | 6 +++--
 3 files changed, 31 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/check-ci-validation.yml b/.github/workflows/check-ci-validation.yml
index 643c0164..10ba64d6 100644
--- a/.github/workflows/check-ci-validation.yml
+++ b/.github/workflows/check-ci-validation.yml
@@ -5,10 +5,14 @@ on:
 pull_request:
 types:
 - opened
+ - reopened
 - synchronize
 
-env:
- GH_PACKAGES_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN }}
+# Restrict permissions to read-only since validation jobs only need to checkout
+# and analyse the code. This limits the blast radius when called from workflows
+# that have broader permissions (e.g., the release workflow).
+permissions:
+ contents: read
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -18,7 +22,7 @@ jobs:
 prepare-workflow:
 name: Prepare Workflow
 runs-on: ubuntu-latest
- timeout-minutes: 60
+ timeout-minutes: 15
 
 steps:
 - name: Checkout repository
@@ -45,7 +49,7 @@ jobs:
 static-code-analysis:
 name: Static Code Analysis
 runs-on: ubuntu-latest
- timeout-minutes: 60
+ timeout-minutes: 15
 
 needs:
 - prepare-workflow
@@ -87,7 +91,7 @@ jobs:
 unit-testing:
 name: Unit Testing
 runs-on: ubuntu-latest
- timeout-minutes: 60
+ timeout-minutes: 15
 
 needs:
 - prepare-workflow
@@ -114,14 +118,14 @@ jobs:
 run: |
 npm ci
 
- - name: Test codebase correctnesss
+ - name: Test codebase correctness
 run: |
 npm run test
 
 build-package:
 name: Build Package
 runs-on: ubuntu-latest
- timeout-minutes: 60
+ timeout-minutes: 15
 
 needs:
 - prepare-workflow
diff --git a/.github/workflows/publish-package-release.yml b/.github/workflows/publish-package-release.yml
index 26f561c6..8d545cc2 100644
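Review bot: Dropping the workflow-level `env: GH_PACKAGES_TOKEN` here (together with the `secrets: inherit` removed from the caller in the `@@ -32,20 +32,29 @@` hunk of publish-package-release.yml) means any step in this file that still reads `env.GH_PACKAGES_TOKEN` or the secret now gets an empty string rather than a loud failure, so the `npm ci` steps further down should be checked for an `.npmrc` or registry auth that still expects it. If nothing needs the token any more, it is worth recording that in the new comment block with one sentence saying no secrets are required by any validation step, so the next reader knows the removal was deliberate. Separately, `opened`, `reopened` and `synchronize` are exactly the default `pull_request` activity types, so the `types:` list could be dropped unless it is kept for explicitness.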
--- a/.github/workflows/publish-package-release.yml
+++ b/.github/workflows/publish-package-release.yml
@@ -14,7 +14,7 @@ permissions:
 id-token: write
 # Enable the use of GitHub Packages registry
 packages: write
- # Enable `semantic-release` to publish a GitHub release
+ # Enable `semantic-release` to publish a GitHub release and push commits
 contents: write
 # Enable `semantic-release` to post comments on issues
 issues: write
@@ -32,20 +32,29 @@ jobs:
 ci-validation:
 name: CI Validation
 uses: ./.github/workflows/check-ci-validation.yml
- secrets: inherit
 
 release-and-publish:
 name: Release & Publish
 runs-on: ubuntu-latest
- timeout-minutes: 60
+ timeout-minutes: 30
 
 needs: ci-validation
 
 steps:
+ - name: Generate release bot token
+ id: release-bot
+ uses: actions/create-github-app-token@v3
+ with:
+ app-id: ${{ secrets.DOIST_RELEASE_BOT_ID }}
+ private-key: ${{ secrets.DOIST_RELEASE_BOT_PRIVATE_KEY }}
+ permission-contents: write
+ permission-issues: write
+ permission-pull-requests: write
+
 - name: Checkout repository
 uses: actions/checkout@v6
 with:
- token: ${{ secrets.GH_REPO_TOKEN }}
+ token: ${{ steps.release-bot.outputs.token }}
 fetch-depth: 0
 
 - name: Prepare Node.js environment
@@ -80,7 +89,7 @@ jobs:
 run: |
 npx semantic-release
 env:
- GITHUB_TOKEN: ${{ secrets.GH_REPO_TOKEN }}
+ GITHUB_TOKEN: ${{ steps.release-bot.outputs.token }}
 GIT_AUTHOR_EMAIL: doistbot@users.noreply.github.com
 GIT_AUTHOR_NAME: Doist Bot
 GIT_COMMITTER_EMAIL: doistbot@users.noreply.github.com
@@ -92,8 +101,8 @@ jobs:
 npm config delete @doist:registry --location=project
 
 - name: Prepare Node.js environment for GitHub Packages registry
- uses: actions/setup-node@v6
 if: ${{ steps.semantic-release.outputs.package-published == 'true' }}
+ uses: actions/setup-node@v6
 with:
 cache: npm
 node-version-file: .node-version
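Review bot: The checkout step in the `@@ -32,20 +32,29 @@` hunk hands the App token to `actions/checkout@v6` with the default `persist-credentials: true`, so the token is written into the checkout's git config and remains readable by every later step in the job (dependency install and build scripts included) until the post-job revoke. semantic-release authenticates its own pushes from the `GITHUB_TOKEN` env it receives in the `@@ -80,7 +89,7 @@` hunk, so as far as I can tell the persisted credential is not needed; adding `persist-credentials: false` under the checkout `with:` keeps the token confined to the release step. The short-lived, automatically revoked App token is already a clear improvement over the long-lived `GH_REPO_TOKEN` secret it replaces. If the project wants to go further, `actions/create-github-app-token@v3` is the one new action here and could be pinned to a full commit SHA, though the rest of the file uses major tags, so that is a consistency choice rather than a defect.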
@@ -101,8 +110,8 @@ jobs:
 scope: '@doist'
 
 - name: Determine npm dist-tag for GitHub Packages
- if: ${{ steps.semantic-release.outputs.package-published == 'true' }}
 id: dist-tag
+ if: ${{ steps.semantic-release.outputs.package-published == 'true' }}
 run: |
 if [[ "${{ github.ref_name }}" == "next" ]]; then
 echo "tag=next" >> $GITHUB_OUTPUT
diff --git a/release.config.js b/release.config.js
index 13e36285..bc3f10a9 100644
--- a/release.config.js
+++ b/release.config.js
@@ -35,8 +35,10 @@ export default {
 [
 '@semantic-release/exec',
 {
- verifyConditionsCmd: 'echo "package-published=false" >> $GITHUB_OUTPUT',
- successCmd: 'echo "package-published=true" >> $GITHUB_OUTPUT',
+ verifyConditionsCmd:
+ 'if [ -n "$GITHUB_OUTPUT" ]; then echo "package-published=false" >> "$GITHUB_OUTPUT"; fi',
+ successCmd:
+ 'if [ -n "$GITHUB_OUTPUT" ]; then echo "package-published=true" >> "$GITHUB_OUTPUT"; fi',
 },
 ],
 ],
From 2a56a474adba3f13c290023a36a254b08efac6a7 Mon Sep 17 00:00:00 2001
From: Ricardo Amaral
Date: Wed, 8 Apr 2026 13:21:20 +0100
Subject: [PATCH 2/2] ci: drop unnecessary workflow-level permissions

semantic-release now uses the GitHub App token for all write operations, so the workflow's default GITHUB_TOKEN only needs id-token (OIDC provenance) and packages (GitHub Packages publish).
---
 .github/workflows/publish-package-release.yml | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/.github/workflows/publish-package-release.yml b/.github/workflows/publish-package-release.yml
index 8d545cc2..b0b25992 100644
--- a/.github/workflows/publish-package-release.yml
+++ b/.github/workflows/publish-package-release.yml
@@ -14,12 +14,6 @@ permissions:
 id-token: write
 # Enable the use of GitHub Packages registry
 packages: write
- # Enable `semantic-release` to publish a GitHub release and push commits
- contents: write
- # Enable `semantic-release` to post comments on issues
- issues: write
- # Enable `semantic-release` to post comments on pull requests
- pull-requests: write
 
 # The release workflow involves many crucial steps that once triggered shouldn't be cancelled until
 # finished, otherwise we might end up in an inconsistent state (e.g., published to GitHub Packages
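Review bot: With `contents: write` removed and no `contents:` entry left, the workflow-level `permissions:` block now sets `contents` to `none` for the default `GITHUB_TOKEN`, because listing any scope turns every unlisted scope off. The `ci-validation` job calls the reusable workflow that patch 1 changed to declare `permissions: contents: read`, and a called workflow cannot be granted more than its caller allows, so I would expect that call to fail with a permissions error once this lands; the release job itself is unaffected because its checkout uses the App token. Adding `contents: read` back with a comment such as `# Needed so the reusable CI validation workflow can check out the code` keeps the least-privilege intent of the commit while keeping the call valid. Worth confirming against a run before merging, since the exact failure mode depends on how caller and callee permissions are reconciled.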