ci: Fix release workflow and update configuration (#1119)

Author: rfgamaral

.github/workflows/check-ci-validation.yml

@@ -13,7 +13,7 @@ env:
     GH_PACKAGES_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN }}
 
 concurrency:
-    group: check-ci-validation-${{ github.ref }}
+    group: ${{ github.workflow }}-${{ github.ref }}
     cancel-in-progress: true
 
 jobs:
@@ -24,17 +24,17 @@ jobs:
 
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v4
+              uses: actions/checkout@v5
 
             - name: Prepare Node.js environment
-              uses: actions/setup-node@v3
+              uses: actions/setup-node@v6
               with:
                   cache: npm
                   node-version-file: .node-version
 
             - name: Cache project 'node_modules' directory
-              uses: actions/cache@v4
               id: node-modules-cache
+              uses: actions/cache@v4
               with:
                   key: node-modules-cache-${{ hashFiles('**/package-lock.json', '**/.node-version') }}
                   path: node_modules/
@@ -54,17 +54,17 @@ jobs:
 
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v4
+              uses: actions/checkout@v5
 
             - name: Prepare Node.js environment
-              uses: actions/setup-node@v3
+              uses: actions/setup-node@v6
               with:
                   cache: npm
                   node-version-file: .node-version
 
             - name: Cache project 'node_modules' directory
-              uses: actions/cache@v4
               id: node-modules-cache
+              uses: actions/cache@v4
               with:
                   key: node-modules-cache-${{ hashFiles('**/package-lock.json', '**/.node-version') }}
                   path: node_modules/
@@ -96,17 +96,17 @@ jobs:
 
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v4
+              uses: actions/checkout@v5
 
             - name: Prepare Node.js environment
-              uses: actions/setup-node@v3
+              uses: actions/setup-node@v6
               with:
                   cache: npm
                   node-version-file: .node-version
 
             - name: Cache project 'node_modules' directory
-              uses: actions/cache@v4
               id: node-modules-cache
+              uses: actions/cache@v4
               with:
                   key: node-modules-cache-${{ hashFiles('**/package-lock.json', '**/.node-version') }}
                   path: node_modules/
@@ -130,17 +130,17 @@ jobs:
 
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v4
+              uses: actions/checkout@v5
 
             - name: Prepare Node.js environment
-              uses: actions/setup-node@v3
+              uses: actions/setup-node@v6
               with:
                   cache: npm
                   node-version-file: .node-version
 
             - name: Cache project 'node_modules' directory
-              uses: actions/cache@v4
               id: node-modules-cache
+              uses: actions/cache@v4
               with:
                   key: node-modules-cache-${{ hashFiles('**/package-lock.json', '**/.node-version') }}
                   path: node_modules/

.github/workflows/check-semantic-pull-request.yml

@@ -7,9 +7,6 @@ on:
             - opened
             - synchronize
 
-env:
-    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
 jobs:
     validate-title:
         name: Validate Title
@@ -19,3 +16,5 @@ jobs:
         steps:
             - name: Validate pull request title
               uses: amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/publish-typist-package-release.yml renamed to .github/workflows/publish-package-release.yml

@@ -1,4 +1,4 @@
-name: Typist Package Release
+name: Package Release
 
 on:
     workflow_run:
@@ -9,23 +9,26 @@ on:
         types:
             - completed
 
+env:
+    GH_PACKAGES_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN }}
+
 permissions:
-    # Enable the use of OIDC for npm provenance
+    # Enable the use of OIDC for trusted publishing and npm provenance
     id-token: write
     # Enable the use of GitHub Packages registry
     packages: write
-    # Enable `semantic-release` to publish a GitHub release and post comments on issues/PRs
+    # Enable `semantic-release` to publish a GitHub release
     contents: write
+    # Enable `semantic-release` to post comments on issues
     issues: write
+    # Enable `semantic-release` to post comments on pull requests
     pull-requests: write
 
-# The release workflow involves many crucial steps that once triggered it shouldn't be cancelled
-# until it's finished, otherwise we might end up in an inconsistent state (e.g., a new release
-# published to npm but not GitHub Packages). To prevent this, concurrency is disabled with
-# `cancel-in-progress: false`, and new workflow runs will be queued to be started only when the
-# previous one has completely finished.
+# The release workflow involves many crucial steps that once triggered shouldn't be cancelled until
+# finished, otherwise we might end up in an inconsistent state (e.g., published to GitHub Packages
+# but not npm), so new workflow runs are queued until the previous one has completely finished.
 concurrency:
-    group: typist-package-release
+    group: ${{ github.workflow }}
     cancel-in-progress: false
 
 jobs:
@@ -38,19 +41,19 @@ jobs:
 
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v4
+              uses: actions/checkout@v5
               with:
                   token: ${{ secrets.GH_REPO_TOKEN }}
 
             - name: Prepare Node.js environment
-              uses: actions/setup-node@v3
+              uses: actions/setup-node@v6
               with:
                   cache: npm
                   node-version-file: .node-version
 
             - name: Cache project 'node_modules' directory
-              uses: actions/cache@v4
               id: node-modules-cache
+              uses: actions/cache@v4
               with:
                   key: node-modules-cache-${{ hashFiles('**/package-lock.json', '**/.node-version') }}
                   path: node_modules/
@@ -64,7 +67,14 @@ jobs:
               run: |
                   npm run build
 
-            - name: Run automated package publishing
+            # The Node.js environment is prepared based on the `.npmrc` file in the repo, which
+            # configures Doist scoped packages to use the GitHub Packages registry for the initial
+            # `semantic-release` publish, after which we remove the Doist registry configuration,
+            # prepare the Node.js environment for the public npm registry with OIDC authentication,
+            # and update npm to the latest version (required for trusted publishing support),
+            # providing a predictable release workflow for both registries.
+
+            - name: Publish package to private GitHub Packages registry
               id: semantic-release
               run: |
                   npx semantic-release
@@ -80,23 +90,20 @@ jobs:
               run: |
                   npm config delete @doist:registry --location=project
 
-            - name: Prepare Node.js environment for GitHub Packages
-              uses: actions/setup-node@v3
+            - name: Prepare Node.js environment for npm registry
+              uses: actions/setup-node@v6
               if: ${{ steps.semantic-release.outputs.package-published == 'true' }}
               with:
                   cache: npm
                   node-version-file: .node-version
-                  registry-url: https://npm.pkg.github.com/
+                  registry-url: https://registry.npmjs.org/
                   scope: '@doist'
 
-            - name: Disable npm package provenance (unsupported by GitHub Packages)
+            - name: Update npm for trusted publishing (requires 11.5.1 or later)
               if: ${{ steps.semantic-release.outputs.package-published == 'true' }}
-              run: |
-                  npm config set provenance false --location=project
+              run: npm install -g npm@latest
 
-            - name: Publish package to GitHub Packages
+            - name: Publish package to public npm registry
               if: ${{ steps.semantic-release.outputs.package-published == 'true' }}
               run: |
                   npm publish
-              env:
-                  NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/update-license-copyright-year.yml

@@ -12,7 +12,7 @@ jobs:
 
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v4
+              uses: actions/checkout@v5
               with:
                   token: ${{ secrets.GH_REPO_TOKEN }}
 

.node-version

@@ -1 +1 @@
-v22
+22.14

.npmrc

@@ -1,15 +1,11 @@
-# Ensure dependencies are installed from the npm Registry instead of GitHub Packages in case you
-# have changed the default registry for the `@doist` scope in a parent `.npmrc` file
-@doist:registry=https://registry.npmjs.org/
+# Set the base URL for Doist's scoped package registry
+@doist:registry=https://npm.pkg.github.com/
 
-# Force npm to always require authentication when accessing the registry
-always-auth=true
+# Authenticate to GitHub Packages with a personal access token
+//npm.pkg.github.com/:_authToken=${GH_PACKAGES_TOKEN}
 
 # Refuse to install any package incompatible with the current Node.js version
 engine-strict=true
 
 # Save dependencies with an exact version rather than the semver range
 save-exact=true
-
-# Generate provenance statements for published packages
-provenance=true