Merge pull request #61 from codedbychavez/trusted-publishing

codedbychavez · web-flow · commit 0d5e88b3846e · 2025-11-18T07:07:25.000-04:00
Configure GitHub workflow to use trusted publishing
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,17 +1,13 @@
 name: CI
-permissions:
-  contents: read
 
 on:
   schedule:
     - cron: "0 0 * * *"
   push:
-    branches:
-      - "main"
-    tags: ["v[0-9]+.[0-9]+.[0-9]+"]
+    branches: [main]
+    tags: ['v[0-9]+.[0-9]+.[0-9]+']
   pull_request:
-    branches:
-      - "main"
+    branches: [main]
 
   workflow_dispatch:
     inputs:
@@ -26,42 +22,63 @@ on:
           - debug
 
 jobs:
-  test:
+  build_and_test:
     runs-on: ubuntu-latest
-    name: Run unit and integration tests
-    strategy:
-      matrix:
-        version: [20, 22]
+    name: Build and test
     steps:
-      - uses: actions/checkout@v4
-      - name: Using Node.js ${{ matrix.version }}
-        uses: actions/setup-node@v4
+      - uses: actions/checkout@v5
+
+      - uses: actions/setup-node@v5
         with:
-          node-version: ${{ matrix.version }}
+          node-version: 22
+
       - name: Install dependencies
-        run: npm install
-      - name: Run tests
+        run: npm ci
+
+      - name: Build
+        run: npm run build
+
+      - name: Test
         run: npm test
 
-  build_and_publish:
-    needs: [test]
+      - name: Upload dist artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+  publish:
+    needs: [build_and_test]
+    if: startsWith(github.ref, 'refs/tags/')
     runs-on: ubuntu-latest
-    if: startsWith(github.ref, 'refs/tags')
+    permissions:
+      contents: read
+      id-token: write
     steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
         with:
-          node-version: 22
-          registry-url: "https://registry.npmjs.org"
+          node-version: "22"
 
-      - name: Install dependencies
-        run: npm install
+      # Ensure npm 11.5.1 or later is installed
+      - name: Update npm
+        run: npm install -g npm@latest
 
-      - name: Build
-        run: npm run build
+      - name: Download build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: dist
+          path: dist/
+
+      - name: Pack
+        run: npm pack
+        
+      - name: Upload package
+        uses: actions/upload-artifact@v4
+        with:
+          name: package-tarball
+          path: '*.tgz'
+          retention-days: 7
 
-      - name: Publish
-        run: npm publish
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - name: Publish (trusted publishing)
+        run: npm publish --dry-run
