diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 800f1d4..ae27ec9 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -7,19 +7,19 @@ on:
 permissions:
 contents: read
- id-token: write
 jobs:
 verify-jsr:
 runs-on: ubuntu-latest
 steps:
 - name: checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: true
+ persist-credentials: false
 - name: setup deno
- uses: denoland/setup-deno@v2
+ uses: denoland/setup-deno@667a34cdef165d8d2b2e98dde39547c9daac7282 # v2.0.4
 with:
 deno-version: v2.x
@@ -28,10 +28,12 @@ jobs:
 - name: Get Version
 id: vars
- run: echo ::set-output name=version::$(echo ${{github.ref_name}} | sed 's/^v//')
+ run: echo "version=$(echo ${GITHUB_REF_NAME} | sed 's/^v//')" >> $GITHUB_OUTPUT
 - name: Build JSR
- run: deno task build:jsr ${{steps.vars.outputs.version}}
+ run: deno task build:jsr ${STEPS_VARS_OUTPUTS_VERSION}
+ env:
+ STEPS_VARS_OUTPUTS_VERSION: ${{steps.vars.outputs.version}}
 - name: dry run publish
 run: deno publish --dry-run --allow-dirty
@@ -40,12 +42,13 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: true
+ persist-credentials: false
 - name: setup deno
- uses: denoland/setup-deno@v2
+ uses: denoland/setup-deno@667a34cdef165d8d2b2e98dde39547c9daac7282 # v2.0.4
 with:
 deno-version: v2.x
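Review bot: The toolchain inputs stay floating while the actions around them are pinned to commit SHAs: `deno-version: v2.x` in hunk `@@ -7,19 +7,19 @@` (and again in `@@ -40,12 +42,13 @@` and `@@ -97,15 +109,19 @@`) is resolved at run time, as is `node-version: 24` in the later hunks. The binary that builds and publishes the package is therefore still whatever upstream ships on release day. If the setup actions accept an exact release here, pin one (`deno-version: vX.Y.Z`, placeholder) and bump it through the same update process that maintains the SHA pins. It is also worth confirming that each pinned SHA is the commit the trailing `# vN.N.N` comment names in the action's own repository, since the comment itself is not checked by anything.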
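Review bot: The rewritten `Get Version` step in hunk `@@ -28,10 +28,12 @@` leaves every expansion unquoted, so `${GITHUB_REF_NAME}`, `$GITHUB_OUTPUT` and `${STEPS_VARS_OUTPUTS_VERSION}` in the build step are subject to word splitting and globbing. An empty version also silently drops the argument to `deno task build:jsr`. Moving the ref name out of `${{ }}` interpolation fixes the template-injection problem, but the shell side should be finished as well: `run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"` and `run: deno task build:jsr "${STEPS_VARS_OUTPUTS_VERSION}"`. The same two lines recur in hunks `@@ -54,22 +57,26 @@` (with `build:npm`) and `@@ -114,10 +130,12 @@`. The `verify-jsr` job starts outside this hunk.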
@@ -54,22 +57,26 @@ jobs:
 - name: Get Version
 id: vars
- run: echo ::set-output name=version::$(echo ${{github.ref_name}} | sed 's/^v//')
+ run: echo "version=$(echo ${GITHUB_REF_NAME} | sed 's/^v//')" >> $GITHUB_OUTPUT
 - name: Setup Node
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 24
+ package-manager-cache: false
+ cache: ''
 - name: Build NPM
- run: deno task build:npm ${{steps.vars.outputs.version}}
+ run: deno task build:npm ${STEPS_VARS_OUTPUTS_VERSION}
+ env:
+ STEPS_VARS_OUTPUTS_VERSION: ${{steps.vars.outputs.version}}
 - name: dry run publish
 run: npm publish --dry-run --tag=verify
 working-directory: ./build/npm
 - name: upload build
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
 with:
 name: npm-build
 path: ./build/npm
@@ -77,15 +84,20 @@ jobs:
 publish-npm:
 needs: [verify-jsr, verify-npm]
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - name: Setup Node
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 24
+ package-manager-cache: false
+ cache: ''
 - name: download build
- uses: actions/download-artifact@v4
+ uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
 with:
 name: npm-build
 path: ./build/npm
@@ -97,15 +109,19 @@ jobs:
 publish-jsr:
 needs: [verify-jsr, verify-npm]
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - name: checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 submodules: true
+ persist-credentials: false
 - name: setup deno
- uses: denoland/setup-deno@v2
+ uses: denoland/setup-deno@667a34cdef165d8d2b2e98dde39547c9daac7282 # v2.0.4
 with:
 deno-version: v2.x
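Review bot: The two cache switches added to `Setup Node` in hunk `@@ -54,22 +57,26 @@` (`package-manager-cache: false` and `cache: ''`) carry no explanation, and they look redundant enough that a later cleanup could remove one or both. Presumably they exist so the release build never restores dependencies from a shared Actions cache. If so, a comment above them would record that, e.g. `# caching disabled on purpose: release jobs must not restore from the Actions cache`. The same pair appears in the `publish-npm` job in hunk `@@ -77,15 +84,20 @@`.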
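Review bot: `publish-npm` in hunk `@@ -77,15 +84,20 @@` now holds `id-token: write` at job level, but the visible lines show no `environment:` key on the job. Any run of this workflow that passes the two verify jobs can therefore obtain an OIDC token with no approval gate. Binding the job to a protected environment, e.g. `environment: release` (name constructed for illustration), would add required reviewers, and it lets the registry-side trust configuration be restricted to that environment if the registry supports it. The publish step and the workflow's `on:` trigger lie outside the hunk, so check them before deciding. `publish-jsr` in hunk `@@ -97,15 +109,19 @@` is in the same position.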
@@ -114,10 +130,12 @@ jobs:
 - name: Get Version
 id: vars
- run: echo ::set-output name=version::$(echo ${{github.ref_name}} | sed 's/^v//')
+ run: echo "version=$(echo ${GITHUB_REF_NAME} | sed 's/^v//')" >> $GITHUB_OUTPUT
 - name: Build JSR
- run: deno task build:jsr ${{steps.vars.outputs.version}}
+ run: deno task build:jsr ${STEPS_VARS_OUTPUTS_VERSION}
+ env:
+ STEPS_VARS_OUTPUTS_VERSION: ${{steps.vars.outputs.version}}
 - name: Publish JSR
- run: deno publish --allow-dirty --token=${{ secrets.JSR_TOKEN }}
+ run: deno publish --allow-dirty
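Review bot: The `Publish JSR` step at the end of hunk `@@ -114,10 +130,12 @@` no longer passes `--token`, but nothing on the step says how it authenticates now. It presumably relies on the job-level `id-token: write` added in hunk `@@ -97,15 +109,19 @@`, so if that permission is later removed the publish fails with no hint in the workflow. A comment on the step would tie the two together, e.g. `# authenticates via GitHub OIDC (needs job-level id-token: write); no JSR_TOKEN`. Separately, `secrets.JSR_TOKEN` is no longer referenced in the lines shown, so the long-lived token should be revoked at the registry and deleted from the repository secrets once an OIDC publish has succeeded.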