From e54816c5962c7413a36052089b3cb8e2e6d7c1cb Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 17:23:18 -0600
Subject: [PATCH 1/2] ci: harden npm trusted publishing workflow
---
 .github/workflows/validate.yml | 67 ++++++++++++++++++++++++----------
 1 file changed, 47 insertions(+), 20 deletions(-)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 1e70438..dc59168 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -11,6 +11,9 @@ on: - '!all-contributors/**' pull_request: +permissions: + contents: read + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true
@@ -24,57 +27,81 @@ jobs: node: [20, 22, 24] runs-on: ubuntu-latest steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@v5 - - name: ⎔ Setup node + - name: Setup node uses: actions/setup-node@v4 with: node-version: ${{ matrix.node }} - - name: 📥 Download deps + - name: Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: ▶️ Run validate script + - name: Run validate script run: npm run validate - - name: ⬆️ Upload coverage report + - name: Upload coverage report uses: codecov/codecov-action@v5 - release: + build-release-artifact: needs: main runs-on: ubuntu-latest + permissions: + contents: read + if: ${{ github.repository == 'testing-library/cypress-testing-library' && github.event_name == 'push' }} + steps: + - name: Checkout repo + uses: actions/checkout@v5 + + - name: Setup node + uses: actions/setup-node@v4 + with: + node-version: 24 + + - name: Install dependencies + run: npm install --ignore-scripts + + - name: Run build script + run: npm run build + + - name: Upload package artifact + uses: actions/upload-artifact@v4 + with: + name: npm-package-dist + path: dist + if-no-files-found: error + retention-days: 7 + + release: + needs: build-release-artifact + runs-on: ubuntu-latest permissions: contents: write id-token: write issues: write pull-requests: write - if: - ${{ github.repository == 'testing-library/cypress-testing-library' && - contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', - github.ref) && github.event_name == 'push' }} + if: ${{ github.repository == 'testing-library/cypress-testing-library' && github.event_name == 'push' }} steps: - - name: ⬇️ Checkout repo + - name: Checkout repo uses: actions/checkout@v5 - - name: ⎔ Setup node + - name: Setup node uses: actions/setup-node@v4 with: node-version: 24 registry-url: 'https://registry.npmjs.org/' - - name: 📥 Download deps - uses: bahmutov/npm-install@v1 + - name: Download package artifact + uses: 
actions/download-artifact@v4 with: - useLockFile: false - - - name: 🏗 Run build script - run: npm run build + name: npm-package-dist + path: dist - - name: 🚀 Release - uses: cycjimmy/semantic-release-action@v5.0.2 + - name: Release + uses: cycjimmy/semantic-release-action@v5 with: semantic_version: 25 extra_plugins: |
From 0402b5433a5e4c37c171e5ada3b5368d6dedf867 Mon Sep 17 00:00:00 2001
From: "Kody (bot)" <72270156+kody-bot@users.noreply.github.com>
Date: Tue, 12 May 2026 17:29:35 -0600
Subject: [PATCH 2/2] ci: preserve existing workflow labels
---
 .github/workflows/validate.yml | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index dc59168..8977145 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -27,23 +27,23 @@ jobs: node: [20, 22, 24] runs-on: ubuntu-latest steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v5 - - name: Setup node + - name: ⎔ Setup node uses: actions/setup-node@v4 with: node-version: ${{ matrix.node }} - - name: Download deps + - name: 📥 Download deps uses: bahmutov/npm-install@v1 with: useLockFile: false - - name: Run validate script + - name: ▶️ Run validate script run: npm run validate - - name: Upload coverage report + - name: ⬆️ Upload coverage report uses: codecov/codecov-action@v5 build-release-artifact:
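Review bot: In the `release` job of PATCH 1/2 (hunk `@@ -24,57 +27,81 @@`), the action reference is loosened from `cycjimmy/semantic-release-action@v5.0.2` to the floating `@v5` tag while that job holds `contents: write` and `id-token: write`, so whatever commit the tag points to at run time executes with publish-capable credentials. Pinning to a reviewed commit would fit the stated hardening goal, e.g. `uses: cycjimmy/semantic-release-action@<full-commit-sha> # v5.0.2` (placeholder; take the SHA from the upstream release). The same hunk drops the `contains('refs/heads/main,refs/heads/beta,refs/heads/next,refs/heads/alpha', github.ref)` clause from the `release` job's `if:` and does not add it to the new `build-release-artifact` job, which appears to leave the `on.push.branches` filter (only partly visible above this hunk) as the workflow's sole ref restriction on the OIDC-enabled job; keeping the clause on `release` would retain that second check. The Release step's `with:` block continues past the end of the hunk, so any branch handling in its inputs is not visible here.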
@@ -53,21 +53,21 @@ jobs: contents: read if: ${{ github.repository == 'testing-library/cypress-testing-library' && github.event_name == 'push' }} steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v5 - - name: Setup node + - name: ⎔ Setup node uses: actions/setup-node@v4 with: node-version: 24 - - name: Install dependencies + - name: 📥 Download deps run: npm install --ignore-scripts - - name: Run build script + - name: 🏗 Run build script run: npm run build - - name: Upload package artifact + - name: 📦 Upload package artifact uses: actions/upload-artifact@v4 with: name: npm-package-dist
@@ -85,22 +85,22 @@ jobs: pull-requests: write if: ${{ github.repository == 'testing-library/cypress-testing-library' && github.event_name == 'push' }} steps: - - name: Checkout repo + - name: ⬇️ Checkout repo uses: actions/checkout@v5 - - name: Setup node + - name: ⎔ Setup node uses: actions/setup-node@v4 with: node-version: 24 registry-url: 'https://registry.npmjs.org/' - - name: Download package artifact + - name: 📦 Download package artifact uses: actions/download-artifact@v4 with: name: npm-package-dist path: dist - - name: Release + - name: 🚀 Release uses: cycjimmy/semantic-release-action@v5 with: semantic_version: 25