ci: setup trusted publishing (#19)

HiDeoo · web-flow · commit 77cbe5432437 · 2025-10-16T13:57:47.000+02:00
diff --git a/.changeset/tender-parrots-film.md b/.changeset/tender-parrots-film.md
@@ -0,0 +1,5 @@
+---
+'@hideoo/generator-starlight-plugin': patch
+---
+
+Setups trusted publishing using OpenID Connect (OIDC) authentication — no code changes.
diff --git a/.github/workflows/autofix.yml b/.github/workflows/autofix.yml
@@ -1,5 +1,7 @@
 name: autofix.ci
 
+permissions: {}
+
 on:
   push:
     branches:
@@ -9,9 +11,6 @@ on:
       - main
   workflow_call:
 
-permissions:
-  contents: read
-
 concurrency:
   cancel-in-progress: true
   group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
@@ -20,15 +19,19 @@ jobs:
   autofix:
     name: Format code
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
 
       - name: Install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           cache: pnpm
           node-version: 18
@@ -40,6 +43,6 @@ jobs:
         run: pnpm format
 
       - name: Run autofix
-        uses: autofix-ci/action@ff86a557419858bb967097bfc916833f5647fa8c
+        uses: autofix-ci/action@635ffb0c9798bd160680f18fd73371e355b85f27 # v1.3.2
         with:
           fail-fast: false
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
@@ -1,5 +1,7 @@
 name: integration
 
+permissions: {}
+
 on:
   push:
     branches:
@@ -19,13 +21,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
 
       - name: Install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           cache: pnpm
           node-version: 18
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,5 +1,7 @@
 name: release
 
+permissions: {}
+
 on:
   push:
     branches:
@@ -16,29 +18,30 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v4
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
 
       - name: Install Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
-          cache: pnpm
-          node-version: 18
+          node-version: 24
+          package-manager-cache: false
 
       - name: Install dependencies
         run: pnpm install
 
       - name: Create Release Pull Request or Publish
-        uses: changesets/action@v1
+        uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3
         with:
           version: pnpm run version
           publish: pnpm changeset publish
           commit: 'ci: release'
           title: 'ci: release'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: '' # https://github.com/changesets/changesets/issues/1152#issuecomment-3190884868
diff --git a/package.json b/package.json
@@ -19,8 +19,8 @@
     "yeoman-generator": "^7.4.0"
   },
   "devDependencies": {
-    "@changesets/changelog-github": "^0.5.0",
-    "@changesets/cli": "^2.27.10",
+    "@changesets/changelog-github": "^0.5.1",
+    "@changesets/cli": "^2.29.7",
     "@hideoo/eslint-config": "^4.0.0",
     "@hideoo/prettier-config": "^2.0.0",
     "@hideoo/tsconfig": "^2.0.1",
@@ -33,8 +33,7 @@
   },
   "packageManager": "pnpm@9.9.0",
   "publishConfig": {
-    "access": "public",
-    "provenance": true
+    "access": "public"
   },
   "sideEffects": false,
   "keywords": [
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@hideoo/generator-starlight-plugin': patch
 +---
++
 +Setups trusted publishing using OpenID Connect (OIDC) authentication — no code changes.