ci: wire to coroboros/ci javascript-npm-packages.yml@v0#3
Merged
Conversation
ci.yml — calls npm-ci, commits-lint, secrets-scan reusables. release.yml — calls npm-publish reusable with use-oidc=false + NPM_TOKEN (matches the 1.0.1 token-based publish path). To migrate back to OIDC, drop the with: block and add permissions: id-token: write at the workflow level. The per-package workflow files are now thin callers; verify, publish, lint, and scan logic lives in coroboros/ci@v1 (floating major, auto-tracks non-breaking updates).
The previous ci.yml + release.yml referenced workflows that no longer exist on coroboros/ci (npm-ci.yml, npm-publish.yml, commits-lint.yml). The new port consolidates check + lint + test + build + publish into a single reusable workflow. - ci.yml: call javascript-npm-package.yml@main on push/PR/tag with provenance: false (npm Trusted Publisher not yet provisioned for @coroboros/sparkline; falls back to NPM_TOKEN). - release.yml: removed — publish runs as the deploy-package job of javascript-npm-package.yml on tag pushes. - secrets-scan: keeps the standalone call to secrets-scan.yml@main. Repo secrets configured for the workflow: NPM_CONFIG_FILE, NPM_PACKAGE_REGISTRY, NPM_PACKAGE_PROXY_REGISTRY, NPM_PACKAGE_REGISTRY_TOKEN (set to placeholders for the public npmjs.com registry) and NPM_TOKEN (pre-existing).
… tag or SHA, not branch)
- Correct workflow filename (javascript-npm-packages.yml, was missing 's') - Drop with.provenance input (workflow has zero inputs) - Drop NPM_TOKEN secret (not declared by the workflow) - Drop redundant security job (bundled inside javascript-npm-packages.yml) - Bump contents permission to write (required for publish on tag)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
coroboros/ci/.github/workflows/javascript-npm-packages.yml@v0.uses:line coverspreflight+publish+security(gitleaks+dependency-review+osv-scanner).contents: write(GitHub Release + commit-back on tag),id-token: write(npm OIDC).Repo secrets:
NPM_CONFIG_FILENPM_PACKAGE_REGISTRYNPM_PACKAGE_PROXY_REGISTRYNPM_PACKAGE_REGISTRY_TOKEN(optional — absence triggers OIDC + provenance publish)Repo settings:
dependency-review).Test plan
preflightgreen on this PR (install + lint + build + test).security/gitleaks+security/osv-scanner+security/dependency-reviewgreen.x.y.z),publishruns:pnpm publish+ GitHub Release + commit-back tomain.