From cbd6080c71dd4b313285a67acf0af90a76cbf63f Mon Sep 17 00:00:00 2001
From: bluwy
Date: Tue, 9 Jun 2026 15:10:43 +0800
Subject: [PATCH 1/3] Sync ci and publish workflows

---
 .github/workflows/ci.yml | 78 +++++++++++++++++++++++------------
 .github/workflows/publish.yml | 16 +++---
 package.json | 6 ++-
 3 files changed, 63 insertions(+), 37 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4dd58e6..3f2c075 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -7,6 +7,8 @@ on:
 merge_group:
 branches:
 - main
+ - next
+ - "maintenance/v[0-9]+"
 
 permissions:
 contents: read
@@ -16,39 +18,24 @@ concurrency:
 cancel-in-progress: true
 
 jobs:
- build:
- name: Build
+ lint-workflows:
+ name: Lint workflows
 runs-on: ubuntu-latest
+ permissions:
+ actions: read # only required in private repos
+ security-events: write # allow writing security events
 steps:
 - name: Check out repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
 
- - uses: ./.github/actions/ci-setup
-
- - name: Build
- run: pnpm build
-
- lint:
- name: Lint
- runs-on: ubuntu-latest
- steps:
- - name: Check out repo
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
 with:
- persist-credentials: false
-
- - uses: ./.github/actions/ci-setup
-
- - name: Codegen
- run: pnpm codegen:github
-
- - name: Lint
- run: pnpm lint
-
- - name: Format
- run: pnpm format
+ persona: pedantic
+ annotations: true
+ advanced-security: false
 
 test:
 name: Test
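Review bot: The job-level `permissions:` block added to `lint-workflows` replaces the workflow-level `contents: read` rather than extending it, so `contents` becomes `none` for this job and the `actions/checkout` step works only because the repository is publicly cloneable; restate it as `contents: read` alongside `actions: read`. `security-events: write` is granted while the zizmor step sets `advanced-security: false`, so as far as this hunk shows nothing uploads findings to code scanning and the write scope is unused — drop it, or switch `advanced-security` on if that upload is intended. With the `build` job removed here, `pnpm build` no longer runs anywhere in CI (the `typecheck` job added in the later hunk runs `tsc` only), so a bundling failure would first surface during a release.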
@@ -81,12 +68,49 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+ typecheck:
+ name: Typecheck
+ runs-on: ubuntu-latest
+ timeout-minutes: 20
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - uses: ./.github/actions/ci-setup
+
+ - name: Codegen
+ run: pnpm codegen:github
+
+ - name: Typecheck
+ run: pnpm typecheck
+
+ lint:
+ name: Lint
+ runs-on: ubuntu-latest
+ timeout-minutes: 20
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - uses: ./.github/actions/ci-setup
+
+ - name: Codegen
+ run: pnpm codegen:github
+
+ - name: Lint
+ run: pnpm lint
+
+ - name: Format
+ run: pnpm format
+
 ci-ok:
 name: CI OK
 runs-on: ubuntu-latest
 if: always()
- needs: [build, lint, test]
+ needs: [lint-workflows, test, typecheck, lint]
 steps:
 - name: Exit with error if some jobs are not successful
- if: ${{ always() && (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) }}
 run: exit 1
+ if: ${{ always() && (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index dd3b80b..3626d9e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,13 +4,15 @@ on:
 push:
 branches:
 - main
+ - next
+ - 'maintenance/v[0-9]+'
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
 cancel-in-progress: false
 queue: max
 
-permissions: {}
+permissions: {} # each job should define its own permission explicitly
 
 jobs:
 version:
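Review bot: The re-added `if:` on the last line of `ci-ok` still treats a `skipped` dependency as success, since it only looks for `failure` and `cancelled`; with `needs:` now listing four jobs, a job skipped by a future `if:` or path filter would let the gate pass silently. I'd extend it to `if: ${{ always() && (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped')) }}`. Two consistency nits in the new `typecheck` and `lint` jobs: their checkout steps omit the `name: Check out repo` the other jobs carry, and `timeout-minutes: 20` is set here but not on `lint-workflows` in the earlier hunk.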
@@ -21,8 +23,7 @@ jobs:
 outputs:
 hasChangesets: ${{ steps.changesets.outputs.hasChangesets }}
 permissions:
- contents: write # to create version commits (changesets/action)
- pull-requests: write # to create pull request (changesets/action)
+ contents: read # to check out repo (actions/checkout)
 steps:
 - name: Check out repo
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -33,11 +34,13 @@ jobs:
 with:
 skip-cache: true # avoid cache poisoning attacks
 
- - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 id: app-token
 with:
 client-id: ${{ vars.APP_CLIENT_ID }}
 private-key: ${{ secrets.APP_PRIVATE_KEY }}
+ permission-contents: write # to create version commits (changesets/action)
+ permission-pull-requests: write # to create pull request (changesets/action)
 
 - name: Create or update release pull request
 id: changesets
@@ -66,11 +69,8 @@ jobs:
 with:
 skip-cache: true # avoid cache poisoning attacks
 
- - name: Build
- run: pnpm build
-
 - name: Publish to npm
 uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0
 with:
- publish: pnpm changeset publish
+ publish: pnpm release
 commitMode: github-api
diff --git a/package.json b/package.json
index d538180..37b5a89 100644
--- a/package.json
+++ b/package.json
@@ -48,13 +48,15 @@
 "access": "public"
 },
 "scripts": {
- "build": "pnpm codegen:github && tsc && tsdown",
+ "build": "pnpm codegen:github && tsdown",
 "codegen:github": "graphql-codegen --config src/github/codegen.ts",
+ "typecheck": "tsc",
 "format": "oxfmt --check",
 "format:fix": "oxfmt",
 "lint": "oxlint",
 "test:integration": "vitest -c vitest.integration.config.ts",
- "version-packages": "pnpm changeset version && pnpm format:fix"
+ "version-packages": "changeset version && pnpm format:fix",
+ "release": "pnpm build && changeset publish"
 },
 "dependencies": {
 "isomorphic-git": "^1.36.3"
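Review bot: With the `version` job's `permissions` cut to `contents: read` in the preceding hunk, every write now has to go through `steps.app-token.outputs.token`; the `Create or update release pull request` step's inputs and `env` continue outside this hunk, so confirm it is handed that token rather than the default `GITHUB_TOKEN`, or the version commit and PR creation will fail. The two `permission-*` inputs document the needed scopes well; if the repository scope is left to the action's default (nothing in the hunk sets `owner` or `repositories`), a one-line comment above the step saying so would save the next reader from checking.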
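Review bot: `publish: pnpm release` now runs the whole build (`pnpm build`, i.e. `graphql-codegen` and `tsdown` per the package.json hunk) inside the publish step, so anything that step's `env:` carries for publishing — the block, if any, lies outside this hunk — is also in the environment of the build toolchain and every dependency it loads. The standalone `Build` step removed above kept the publish credential out of that process tree; I'd keep it and leave `publish:` as `changeset publish`, or make `release` skip the build when invoked from this step.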
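Review bot: `release` chains `pnpm build && changeset publish`, and `build` no longer runs `tsc`, so the release path itself never type-checks; CI's new `typecheck` job gates pull requests, but as far as these hunks show the publish workflow does not wait on CI for a direct push to a publish branch. If that is acceptable it deserves stating in the workflow, otherwise `"release": "pnpm typecheck && pnpm build && changeset publish"` closes the gap at the cost of one `tsc` run per release.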
From c9e12da58437d64a1719648db8e799c3d6f1a41e Mon Sep 17 00:00:00 2001
From: bluwy
Date: Tue, 9 Jun 2026 15:22:22 +0800
Subject: [PATCH 2/3] Format

---
 .github/workflows/ci.yml | 2 +-
 .github/workflows/publish.yml | 2 +-
 .vscode/settings.json | 4 ++++
 3 files changed, 6 insertions(+), 2 deletions(-)
 create mode 100644 .vscode/settings.json

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 3f2c075..426a250 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -81,7 +81,7 @@ jobs:
 
 - name: Codegen
 run: pnpm codegen:github
-
+
 - name: Typecheck
 run: pnpm typecheck
 
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3626d9e..cad3a47 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,7 +5,7 @@ on:
 branches:
 - main
 - next
- - 'maintenance/v[0-9]+'
+ - "maintenance/v[0-9]+"
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..b6a93fc
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,4 @@
+{
+ "js/ts.tsdk.path": "node_modules/typescript/lib",
+ "editor.defaultFormatter": "oxc.oxc-vscode"
+}

From 61ec452d96b3df31b9badd1d1f8e41b4e0636c7d Mon Sep 17 00:00:00 2001
From: Bjorn Lu
Date: Tue, 9 Jun 2026 16:32:24 +0800
Subject: [PATCH 3/3] Apply suggestions from code review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Mateusz BurzyƄski
---
 .github/workflows/ci.yml | 3 ++-
 .github/workflows/publish.yml | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 426a250..ece157d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,7 +8,8 @@ on:
 branches:
 - main
 - next
- - "maintenance/v[0-9]+"
+ # merge group rulesets don't allow wildcards so in settings each maintenance branch needs to be added separately
+ - "maintenance/v*" # branch rulesets don't support v[0-9]+
 
 permissions:
 contents: read
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index cad3a47..785e54f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,7 +5,7 @@ on:
 branches:
 - main
 - next
- - "maintenance/v[0-9]+"
+ - "maintenance/v*" # branch rulesets don't support v[0-9]+
 
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
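Review bot: The comment added above `- "maintenance/v*"` describes repository ruleset configuration rather than this filter, and the inline comment on the next line gives a different reason, so a reader cannot tell which constraint the glob answers; it also runs well past 100 characters. I'd split the two concerns: `# branch filters accept globs but not the [0-9]+ class, so match the prefix here` above the entry, and a second line `# the merge-queue ruleset in repo settings takes no wildcards: list each maintenance branch there explicitly`.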
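Review bot: Widening the push trigger to `maintenance/v*` means any branch under that prefix, not only numbered ones, starts the publish workflow and reaches the `pnpm release` step with publish credentials. That is fine only if a branch ruleset restricts who may create and push to `maintenance/v*`; the inline comment cites rulesets, so that protection is presumably in place, but it is worth recording next to the trigger, e.g. `# pushes here are restricted by the maintenance/v* branch ruleset`. The ci.yml hunk above applies the same glob to `merge_group`, where it only affects what enters the queue.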