Merge branch 'main' into CRAFT-1822-combobox-refactor

ByronDWall · ByronDWall · commit 312b73e675d5 · 2025-11-21T11:57:24.000-05:00
diff --git a/.github/actions/ci/action.yml b/.github/actions/ci/action.yml
@@ -14,9 +14,13 @@ runs:
     - name: Setup Node
       uses: actions/setup-node@v4
       with:
-        node-version: 20
+        node-version: 22
         cache: pnpm
 
+    - name: Update npm to latest
+      run: npm install -g npm@latest
+      shell: bash
+
     - name: Install dependencies
       run: pnpm install
       shell: bash
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Installing dependencies and building packages
         uses: ./.github/actions/ci
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -7,6 +7,7 @@ on:
 
 permissions:
   id-token: write
+  contents: read
 
 jobs:
   release:
@@ -23,36 +24,47 @@ jobs:
           private_key: ${{ secrets.CT_CHANGESETS_APP_PEM }}
 
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           # Pass a personal access token (using our `ct-changesets` app) to be able to trigger other workflows
           # https://help.github.com/en/actions/reference/events-that-trigger-workflows#triggering-new-workflows-using-a-personal-access-token
           # https://github.community/t/action-does-not-trigger-another-on-push-tag-action/17148/8
           token: ${{ steps.generate_github_token.outputs.token }}
 
+      # Ensure we are using valid node version for npm trusted publising AFTER checkout
+      # https://docs.npmjs.com/trusted-publishers#github-actions-configuration
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "24"
+          registry-url: "https://registry.npmjs.org"
+
+      # Ensure npm 11.5.1 or later is installed for OIDC support
+      - name: Update npm
+        run: npm install -g npm@latest
+
+      - name: Verify npm version
+        run: npm --version
+
       - name: Installing dependencies and building packages
         uses: ./.github/actions/ci
 
-      - name: Setting up authorization to NPM registry (.npmrc)
-        run: |
-          cat << EOF > "$HOME/.npmrc"
-            provenance=true
-            email=npmjs@commercetools.com
-            //registry.npmjs.org/:_authToken=$NPM_TOKEN
-          EOF
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+      # Configure npm registry for trusted publishing (OIDC)
+      # This must run AFTER the CI action to override the Node setup with registry config
+      # https://docs.npmjs.com/trusted-publishers#github-actions-configuration
+      - name: Setup npm registry for publishing
+        uses: actions/setup-node@v4
+        with:
+          node-version: "22"
+          registry-url: "https://registry.npmjs.org"
 
       - name: Storing release version for changeset
         id: release_version
-        run:
-          echo "VALUE=$(./scripts/print_release_version.sh)" >> $GITHUB_OUTPUT
+        run: echo "VALUE=$(./scripts/print_release_version.sh)" >> $GITHUB_OUTPUT
         shell: bash
         env:
           GITHUB_TOKEN: ${{ steps.generate_github_token.outputs.token }}
 
-      - name:
-          Creating release pull request or publishing release to npm registry
+      - name: Creating release pull request or publishing release to npm registry
         id: changesets
         uses: changesets/action@v1.5.3
         with:
@@ -67,8 +79,7 @@ jobs:
 
       # Publish canary releases only if the packages weren't published already
       - name: Publishing canary releases to npm registry
-        if:
-          steps.changesets.outputs.published != 'true' && github.ref ==
+        if: steps.changesets.outputs.published != 'true' && github.ref ==
           'refs/heads/main'
         run: |
           git checkout main
diff --git a/.npmrc b/.npmrc
@@ -2,4 +2,14 @@
 # PNPM configuration
 ####################
 # hint: If you don't want pnpm to fail on peer dependency issues, add "strict-peer-dependencies=false" to an .npmrc file at the root of your project.
-strict-peer-dependencies=false
+strict-peer-dependencies=false
+
+####################
+# NPM Publishing
+####################
+provenance=true
+
+# Registry configuration for npm trusted publishing
+# Authentication via OIDC (no auth token needed in CI)
+registry=https://registry.npmjs.org/
+//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
diff --git a/package.json b/package.json
@@ -1,9 +1,14 @@
 {
   "name": "nimbus",
   "private": true,
-  "workspaces": ["packages/*", "apps/*"],
+  "workspaces": [
+    "packages/*",
+    "apps/*"
+  ],
   "preconstruct": {
-    "packages": ["packages/tokens"]
+    "packages": [
+      "packages/tokens"
+    ]
   },
   "scripts": {
     "build": "pnpm build:tokens && pnpm run build:packages && pnpm run build:docs",
@@ -70,5 +75,9 @@
     "typescript-eslint": "catalog:tooling",
     "vite-bundle-analyzer": "catalog:tooling",
     "vitest": "catalog:tooling"
+  },
+  "engines": {
+    "node": ">=22.10",
+    "pnpm": ">=10"
   }
 }
