ci: upgrade to trusted publishing

dargmuesli · dargmuesli · commit c06573dd2224 · 2025-11-07T05:33:17.000+01:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,51 +1,52 @@
 name: CI
 
+permissions: {}
+
 on:
   pull_request:
   push:
     branches:
       - alpha
       - beta
+      - main
       - master
       - renovate/**
 
 jobs:
-  prepare_jobs:
-    name: "Prepare: job optimization"
-    runs-on: ubuntu-latest
-    outputs:
-      pr_found: ${{ steps.pr.outputs.pr_found }}
-    steps:
-      - name: Get current PR
-        id: pr
-        uses: 8BitJonny/gh-get-current-pr@4056877062a1f3b624d5d4c2bedefa9cf51435c9 # 4.0.0
-        with:
-          filterOutClosed: true
-          filterOutDraft: true
+  ci-optimization:
+    name: CI optimization
+    uses: dargmuesli/github-actions/.github/workflows/ci-optimization.yml@a8900fcf9e9d1e7f4c1138484cb7bf8d7bd3f3cb # 3.0.0
+    permissions:
+      pull-requests: read
   release_semantic_dry:
-    needs: prepare_jobs
+    needs: ci-optimization
+    if: needs.ci-optimization.outputs.continue == 'true'
     name: Release (semantic, dry)
-    uses: dargmuesli/github-actions/.github/workflows/release-semantic.yml@4e6e3d3fa4b81be372036d8ac7b14638d27be045 # 2.7.0
-    if: needs.prepare_jobs.outputs.pr_found == 'false' || github.event_name == 'pull_request'
+    uses: dargmuesli/github-actions/.github/workflows/release-semantic.yml@a8900fcf9e9d1e7f4c1138484cb7bf8d7bd3f3cb # 3.0.0
     permissions:
       contents: write
+      id-token: write
     secrets:
       PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
     with:
       DRY_RUN: true
+      INSTALL_NODE_DEPENDENCIES: true
   build:
     name: Build
-    uses: dargmuesli/github-actions/.github/workflows/docker.yml@4e6e3d3fa4b81be372036d8ac7b14638d27be045 # 2.7.0
+    uses: dargmuesli/github-actions/.github/workflows/docker.yml@a8900fcf9e9d1e7f4c1138484cb7bf8d7bd3f3cb # 3.0.0
     needs: release_semantic_dry
     permissions:
       packages: write
-  release-semantic:
+    with:
+      TAG: ${{ needs.release_semantic_dry.outputs.new_release_version }}
+  release_semantic:
     needs: build
     name: Release (semantic)
-    uses: dargmuesli/github-actions/.github/workflows/release-semantic.yml@4e6e3d3fa4b81be372036d8ac7b14638d27be045 # 2.7.0
+    uses: dargmuesli/github-actions/.github/workflows/release-semantic.yml@a8900fcf9e9d1e7f4c1138484cb7bf8d7bd3f3cb # 3.0.0
     permissions:
       contents: write
+      id-token: write
     secrets:
       PERSONAL_ACCESS_TOKEN: ${{ secrets.PERSONAL_ACCESS_TOKEN }}
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+    with:
+      INSTALL_NODE_DEPENDENCIES: true
