
Commit 55af92a

Use trusted publishing and harden workflows (#5152)
* Update all Node versions to 24.x * Use trusted publishing and allow tags * Harden workflows with pinned actions * Don't actually publish from `release-it`
1 parent 92db1da commit 55af92a

8 files changed

+76
-58
lines changed


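--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -14,21 +14,34 @@ on:
 - '@rtk-query/codegen-openapi'
 - '@rtk-query/graphql-request-base-query'
 - '@reduxjs/rtk-codemods'
+tag:
+description: 'NPM dist-tag (latest, alpha, beta, next)'
+required: true
+default: 'latest'
+type: choice
+options:
+- latest
+- next
+- alpha
+- beta
+
+permissions: {}
+
 jobs:
 publish:
 runs-on: ubuntu-latest
 permissions:
 id-token: write
 contents: read
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-node@v4
+- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+with:
+persist-credentials: false
+- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
-node-version: '22.x'
+node-version: '24.x'
 registry-url: 'https://registry.npmjs.org'
 cache: 'yarn'
 - run: yarn install --frozen-lockfile
 - run: yarn workspace ${{ inputs.package }} test
-- run: yarn workspace ${{ inputs.package }} exec npm publish --access public --provenance
-env:
-NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+- run: yarn workspace ${{ inputs.package }} exec npm publish --access public --provenance --tag ${{ inputs.tag }}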
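Review bot: The new publish step expands `${{ inputs.package }}` and `${{ inputs.tag }}` directly into the shell line, in the one job that holds `id-token: write`. `tag` is a `choice` input and `package` appears to be one too (its declaration starts above this hunk), so the exposure is bounded today, but passing both through `env:` keeps the command text fixed if an input is ever loosened: set `PACKAGE: ${{ inputs.package }}` and `DIST_TAG: ${{ inputs.tag }}` under `env:` and run `yarn workspace "$PACKAGE" exec npm publish --access public --provenance --tag "$DIST_TAG"`. `yarn install` and the test step also run in this job, so dependency lifecycle scripts and test code execute where an OIDC token for npm can be requested. Building and testing in a job without `id-token`, then publishing the packed tarball from a minimal second job, would narrow that. The `cache: 'yarn'` restore is worth dropping from the release path for the same reason.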

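--- a/.github/workflows/size.yml
+++ b/.github/workflows/size.yml
@@ -12,8 +12,8 @@ jobs:
 env:
 CI_JOB_NUMBER: 1
 steps:
-- uses: actions/checkout@v4
-- uses: EskiMojo14/size-limit-action@v2
+- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+- uses: EskiMojo14/size-limit-action@af0584be5b6cc2d056bd31a314fc2ce9c9c1a929 # v2
 with:
 directory: packages/toolkit
 github_token: ${{ secrets.GITHUB_TOKEN }}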
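Review bot: The pinned `actions/checkout` step here has no `persist-credentials: false`, unlike the one in publish.yml, so the workflow token stays in the checkout's git config for every later step; the same holds for each checkout in test-codegen.yml, tests.yml and the codemods ci.yml. Unless a later step pushes with git, add `with:` and `persist-credentials: false` under each of them. This job also hands `secrets.GITHUB_TOKEN` to a third-party action, and no `permissions:` block is visible in the hunk (the job header is outside it), so confirm the job declares only the scopes the size report needs.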

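--- a/.github/workflows/test-codegen.yml
+++ b/.github/workflows/test-codegen.yml
@@ -15,8 +15,8 @@ jobs:
 outputs:
 codegen: ${{ steps.filter.outputs.codegen }}
 steps:
-- uses: actions/checkout@v4
-- uses: dorny/paths-filter@v3
+- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
 id: filter
 with:
 filters: |
@@ -39,15 +39,15 @@ jobs:
 
 strategy:
 matrix:
-node-version: ['22.x']
+node-version: ['24.x']
 os: [ubuntu-latest]
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
 - name: Setup Node ${{ matrix.node-version }}
-uses: actions/setup-node@v4
+uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
 node-version: ${{ matrix.node-version }}
 cache: 'yarn'
@@ -59,7 +59,7 @@ jobs:
 run: yarn pack
 
 - name: Upload artifact
-uses: actions/upload-artifact@v4
+uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 id: artifact-upload-step
 with:
 name: package
@@ -79,22 +79,22 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-node-version: [22.x]
+node-version: [24.x]
 os: [ubuntu-latest]
 
 steps:
 - name: Checkout repository
-uses: actions/checkout@v4
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
 - name: Setup Node ${{ matrix.node-version }}
-uses: actions/setup-node@v4
+uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
 node-version: ${{ matrix.node-version }}
 cache: 'yarn'
 
 - name: Download artifact
 id: download-artifact
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 path: ./packages/rtk-query-codegen-openapi
 name: package
@@ -125,13 +125,13 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-node-version: [22.x]
+node-version: [24.x]
 steps:
 - name: Checkout repo
-uses: actions/checkout@v4
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
 - name: Use node ${{ matrix.node-version }}
-uses: actions/setup-node@v4
+uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
 node-version: ${{ matrix.node-version }}
 cache: 'yarn'
@@ -141,7 +141,7 @@ jobs:
 
 - name: Download artifact
 id: download-artifact
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 path: ./packages/rtk-query-codegen-openapi
 name: package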
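Review bot: The trailing comments on the pinned `uses:` lines record only the major tag (`# v5`, `# v4`, `# v3`), so a reviewer cannot tell which release a 40-character SHA corresponds to without looking it up. Writing the exact release tag in the comment, in the form `uses: actions/checkout@<sha> # vX.Y.Z`, lets an update bot rewrite the SHA and the comment together and makes a mismatched pin visible in review. This applies to the pins in every workflow this commit touches. As a style point, the matrix entries in this file mix `['24.x']` and `[24.x]`; quoting all of them keeps the value unambiguously a string.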

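--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -11,8 +11,8 @@ jobs:
 outputs:
 toolkit: ${{ steps.filter.outputs.toolkit }}
 steps:
-- uses: actions/checkout@v4
-- uses: dorny/paths-filter@v3
+- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3
 id: filter
 with:
 filters: |
@@ -31,14 +31,14 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
-node: ['22.x']
+node: ['24.x']
 
 steps:
 - name: Checkout repo
-uses: actions/checkout@v4
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
 - name: Use node ${{ matrix.node }}
-uses: actions/setup-node@v4
+uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
 node-version: ${{ matrix.node }}
 cache: 'yarn'
@@ -56,7 +56,7 @@ jobs:
 - name: Pack
 run: yarn pack
 
-- uses: actions/upload-artifact@v4
+- uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
 with:
 name: package
 path: packages/toolkit/package.tgz
@@ -68,7 +68,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-node: ['22.x']
+node: ['24.x']
 react:
 [
 {
@@ -85,10 +85,10 @@ jobs:
 
 steps:
 - name: Checkout repo
-uses: actions/checkout@v4
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
 - name: Use node ${{ matrix.node }}
-uses: actions/setup-node@v4
+uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
 node-version: ${{ matrix.node }}
 cache: 'yarn'
@@ -97,7 +97,7 @@ jobs:
 run: yarn install
 
 - name: Download build artifact
-uses: actions/download-artifact@v4
+uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: package
 path: packages/toolkit
@@ -137,7 +137,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-node: ['22.x']
+node: ['24.x']
 ts: ['5.1', '5.2', '5.3', '5.4', '5.5', '5.6', '5.7', '5.8']
 react:
 [
@@ -155,10 +155,10 @@ jobs:
 
 steps:
 - name: Checkout repo
-uses: actions/checkout@v4
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
 - name: Use node ${{ matrix.node }}
-uses: actions/setup-node@v4
+uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
 node-version: ${{ matrix.node }}
 cache: 'yarn'
@@ -172,7 +172,7 @@ jobs:
 - name: Install TypeScript ${{ matrix.ts }}
 run: yarn add typescript@${{ matrix.ts }}
 
-- uses: actions/download-artifact@v4
+- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: package
 path: packages/toolkit
@@ -201,7 +201,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-node: ['22.x']
+node: ['24.x']
 example:
 [
 'cra4',
@@ -220,10 +220,10 @@ jobs:
 YARN_ENABLE_IMMUTABLE_INSTALLS: false
 steps:
 - name: Checkout repo
-uses: actions/checkout@v4
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
 - name: Use node ${{ matrix.node }}
-uses: actions/setup-node@v4
+uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
 node-version: ${{ matrix.node }}
 cache: 'yarn'
@@ -234,7 +234,7 @@ jobs:
 - name: Remove existing RTK
 run: yarn remove @reduxjs/toolkit
 
-- uses: actions/download-artifact@v4
+- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: package
 path: ./examples/publish-ci/${{ matrix.example }}
@@ -250,7 +250,7 @@ jobs:
 
 - name: Set up JDK 21 for React Native build
 if: matrix.example == 'react-native' || matrix.example == 'expo'
-uses: actions/setup-java@v4
+uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4
 with:
 java-version: '21.x'
 distribution: 'temurin'
@@ -272,21 +272,21 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-node: ['22.x']
+node: ['24.x']
 steps:
 - name: Checkout repo
-uses: actions/checkout@v4
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
 - name: Use node ${{ matrix.node }}
-uses: actions/setup-node@v4
+uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
 node-version: ${{ matrix.node }}
 cache: 'yarn'
 
 - name: Install deps
 run: yarn install
 
-- uses: actions/download-artifact@v4
+- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: package
 path: packages/toolkit
@@ -304,7 +304,7 @@ jobs:
 strategy:
 fail-fast: false
 matrix:
-node: ['22.x']
+node: ['24.x']
 ts: ['5.3', '5.4', '5.5', '5.6', '5.7', '5.8', '5.9', 'next']
 example:
 [
@@ -314,18 +314,18 @@ jobs:
 ]
 steps:
 - name: Checkout repo
-uses: actions/checkout@v4
+uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
 - name: Use node ${{ matrix.node }}
-uses: actions/setup-node@v4
+uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
 node-version: ${{ matrix.node }}
 cache: 'yarn'
 
 - name: Install deps
 run: yarn install
 
-- uses: actions/download-artifact@v4
+- uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
 with:
 name: package
 path: packages/toolkit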

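--- a/packages/rtk-codemods/.github/workflows/ci.yml
+++ b/packages/rtk-codemods/.github/workflows/ci.yml
@@ -18,10 +18,10 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-node@v4
+- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
-node-version: 12.x
+node-version: 24.x
 - name: install dependencies
 run: yarn install --frozen-lockfile
 - name: linting
@@ -33,11 +33,11 @@ jobs:
 
 strategy:
 matrix:
-node: ['10', '12', '14']
+node: ['24.x']
 
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-node@v4
+- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
 node-version: ${{ matrix.node }}
 - name: install dependencies
@@ -50,10 +50,10 @@ jobs:
 runs-on: ubuntu-latest
 
 steps:
-- uses: actions/checkout@v4
-- uses: actions/setup-node@v4
+- uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+- uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
 with:
-node-version: '12.x'
+node-version: '24.x'
 - name: install dependencies
 run: yarn install --no-lockfile
 - name: test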
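Review bot: This workflow sits under `packages/rtk-codemods/.github/workflows/`, and GitHub Actions only loads workflows from the repository root's `.github/workflows`, so the pins and Node bump here probably never execute in this monorepo. If the codemods lint and test jobs are meant to run, move them into a root workflow with a `paths:` filter; otherwise delete the file so it does not read as CI coverage. The second hunk also shrinks the matrix from `['10', '12', '14']` to a single `['24.x']`, so check that the package's declared `engines` range still matches what is tested.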

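--- a/packages/rtk-codemods/.release-it.json
+++ b/packages/rtk-codemods/.release-it.json
@@ -5,5 +5,8 @@
 "git": {
 "commitMessage": "Release @reduxjs/rtk-codemods ${version}",
 "tagName": "@reduxjs/rtk-codemods@${version}"
+},
+"npm": {
+"publish": false
 }
 }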
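Review bot: With `"publish": false`, release-it only commits and tags, and the npm upload now depends on someone dispatching publish.yml separately, which this file cannot document because JSON has no comments. Record the two-step procedure in the package's release instructions, including that the workflow should be dispatched from the ref release-it just tagged, so that the provenance attestation points at the tagged commit rather than whatever the default branch holds at dispatch time. Whether publish.yml constrains the ref it runs on is not visible in its hunk.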
