Skip to content

ci: wire to coroboros/ci javascript-npm-packages.yml@v0#3

Merged
ob-aion merged 15 commits into
mainfrom
ci/use-coroboros-ci-reusables
May 14, 2026
Merged

ci: wire to coroboros/ci javascript-npm-packages.yml@v0#3
ob-aion merged 15 commits into
mainfrom
ci/use-coroboros-ci-reusables

Conversation

@ob-aion

@ob-aion ob-aion commented May 11, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Wire CI to coroboros/ci/.github/workflows/javascript-npm-packages.yml@v0.
  • One uses: line covers preflight + publish + security (gitleaks + dependency-review + osv-scanner).
  • Permissions: contents: write (GitHub Release + commit-back on tag), id-token: write (npm OIDC).

Repo secrets:

  • NPM_CONFIG_FILE
  • NPM_PACKAGE_REGISTRY
  • NPM_PACKAGE_PROXY_REGISTRY
  • NPM_PACKAGE_REGISTRY_TOKEN (optional — absence triggers OIDC + provenance publish)

Repo settings:

  • Dependency graph enabled (required by dependency-review).

Test plan

  • preflight green on this PR (install + lint + build + test).
  • security/gitleaks + security/osv-scanner + security/dependency-review green.
  • After merge + tag push (x.y.z), publish runs: pnpm publish + GitHub Release + commit-back to main.

ob-aion added 2 commits May 11, 2026 15:57
ci.yml — calls npm-ci, commits-lint, secrets-scan reusables.
release.yml — calls npm-publish reusable with use-oidc=false + NPM_TOKEN
(matches the 1.0.1 token-based publish path). To migrate back to OIDC,
drop the with: block and add permissions: id-token: write at the workflow
level.

The per-package workflow files are now thin callers; verify, publish, lint,
and scan logic lives in coroboros/ci@v1 (floating major, auto-tracks
non-breaking updates).
The previous ci.yml + release.yml referenced workflows that no longer
exist on coroboros/ci (npm-ci.yml, npm-publish.yml, commits-lint.yml).
The new port consolidates check + lint + test + build + publish into
a single reusable workflow.

- ci.yml: call javascript-npm-package.yml@main on push/PR/tag with
  provenance: false (npm Trusted Publisher not yet provisioned for
  @coroboros/sparkline; falls back to NPM_TOKEN).
- release.yml: removed — publish runs as the deploy-package job of
  javascript-npm-package.yml on tag pushes.
- secrets-scan: keeps the standalone call to secrets-scan.yml@main.

Repo secrets configured for the workflow:
  NPM_CONFIG_FILE, NPM_PACKAGE_REGISTRY, NPM_PACKAGE_PROXY_REGISTRY,
  NPM_PACKAGE_REGISTRY_TOKEN (set to placeholders for the public
  npmjs.com registry) and NPM_TOKEN (pre-existing).
@ob-aion ob-aion changed the title ci: consume coroboros/ci@v1 reusable workflows ci: wire to coroboros/ci javascript-npm-package.yml reusable workflow May 12, 2026
@ob-aion ob-aion changed the title ci: wire to coroboros/ci javascript-npm-package.yml reusable workflow ci: wire to coroboros/ci javascript-npm-packages.yml@v0 May 14, 2026
@ob-aion ob-aion merged commit 18fa2e8 into main May 14, 2026
12 of 15 checks passed
@ob-aion ob-aion deleted the ci/use-coroboros-ci-reusables branch May 14, 2026 10:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant