diff --git a/.automaker/settings.json b/.automaker/settings.json new file mode 100644 index 0000000..61a2092 --- /dev/null +++ b/.automaker/settings.json @@ -0,0 +1,3 @@ +{ + "version": 1 +} diff --git a/.beads/issues.jsonl b/.beads/issues.jsonl new file mode 100644 index 0000000..e69de29 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index c2e4841..732508d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,7 +11,7 @@ permissions: jobs: test: - runs-on: ubuntu-latest + runs-on: namespace-profile-protolabs-linux steps: - uses: actions/checkout@v6 - uses: pnpm/action-setup@v6 diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 9e3c4b1..450f81a 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -47,6 +47,7 @@ jobs: analyze: name: Analyze (${{ matrix.category }}) if: ${{ github.event_name != 'pull_request' || !github.event.pull_request.draft }} + # workspace-config: allow-hosted-runner CodeQL default setup requires hosted runner runs-on: ubuntu-latest timeout-minutes: 20 strategy: diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index c3cfd6d..50c3502 100644 --- a/.github/workflows/dependency-review.yml +++ b/.github/workflows/dependency-review.yml @@ -16,6 +16,7 @@ jobs: dependency-review: name: Review dependency changes if: ${{ !github.event.pull_request.draft }} + # workspace-config: allow-hosted-runner dependency-review-action requires GitHub-hosted API context runs-on: ubuntu-latest steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 diff --git a/.github/workflows/pages.yml b/.github/workflows/pages.yml index 90f6cb2..0e5fbbb 100644 --- a/.github/workflows/pages.yml +++ b/.github/workflows/pages.yml @@ -23,6 +23,7 @@ jobs: environment: name: github-pages url: ${{ steps.deployment.outputs.page_url }} + # workspace-config: allow-hosted-runner GitHub Pages deploy requires the hosted Pages environment runs-on: ubuntu-latest steps: - uses: actions/checkout@v6 diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index d715188..c1a519c 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -20,6 +20,7 @@ permissions: jobs: publish: name: publish ${{ github.ref_name }} + # workspace-config: allow-hosted-runner npm publish --provenance requires hosted OIDC runs-on: ubuntu-latest steps: - name: Checkout @@ -37,8 +38,12 @@ jobs: with: node-version: 26 cache: pnpm - # registry-url makes `npm publish` write the right .npmrc and - # consume $NODE_AUTH_TOKEN below. + # registry-url is still required so npm publish targets the + # public registry. Trusted Publishing (configured on + # npmjs.com/package/@protolabsai/protopatch/access) authenticates + # this workflow via the OIDC token issued by `id-token: write` + # below — no NPM_TOKEN secret in play. The same OIDC token also + # supplies provenance. registry-url: "https://registry.npmjs.org" - name: Install @@ -70,10 +75,16 @@ jobs: echo "OK: package.json $PKG_VERSION == tag v$TAG_VERSION" - name: Publish to npm - # --provenance attests this build came from this workflow on this - # ref — a public, tamper-evident chain of custody. id-token: write - # at the job level + setup-node writing the registry URL is what - # makes that work without extra wiring. + # Trusted Publishing: npm reads the GitHub OIDC token from + # id-token: write and exchanges it for a short-lived publish + # credential — no NPM_TOKEN secret required. --provenance attests + # this build came from this workflow on this ref, a public, + # tamper-evident chain of custody. + # + # Prerequisite (one-time, npm UI): + # npmjs.com/package/@protolabsai/protopatch/access → + # Trusted Publishers → Add → GitHub Actions + # repository: protoLabsAI/protoPatch + # workflow filename: publish.yml + # environment: (leave blank — none configured) run: npm publish --provenance --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/.gitignore b/.gitignore index 30ee432..051726d 100644 --- a/.gitignore +++ b/.gitignore @@ -6,3 +6,10 @@ coverage/ .clawpatch/patches/ .clawpatch/reports/ .clawpatch/locks/ + +# protoLabs workspace-config standard +.beads/beads.db +.worktrees/ +.automaker/features/ +.automaker/checkpoints/ +.automaker/trajectory/