fix: move to trusted publishing (#1551)

* fix: move to trusted publishing

Also moves the CI workflow to npm and updates CI in general. Moves the release workflow to a separate one that is called when we want to do a release. This manual action is in line with how we do `@sequelize/*` releases, I have removed the tests from it since tests need to pass before we merge.

* build(deps): update lockfile

* ci: use npm 7 on Node 10

Author: WikiRik

.github/workflows/ci.yml

@@ -1,96 +1,67 @@
 name: CI
-on:
-  push:
-    branches:
-      - main
-      - v6
-      - v7
-  pull_request:
+on: pull_request
 
 jobs:
   test-postgres:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [10, 16]
+        node-version: [10, 24]
         sequelize-version: [5, latest]
     name: Postgres (Node ${{ matrix.node-version }}, Sequelize ${{ matrix.sequelize-version }})
     runs-on: ubuntu-latest
     env:
       DIALECT: postgres
       SEQ_PORT: 54320
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
-      - run: yarn install --frozen-lockfile --ignore-engines
-      - run: yarn add sequelize@${{ matrix.sequelize-version }} --ignore-engines
+      - run: if [ "${{ matrix.node-version }}" = "10" ]; then npm install -g npm@7; fi
+      - run: npm ci
+      - run: npm install sequelize@${{ matrix.sequelize-version }}
       - run: docker compose up -d ${DIALECT}
       - run: docker run --link ${DIALECT}:db --net cli_default jwilder/dockerize -wait tcp://${DIALECT}:${SEQ_PORT::-1} -timeout 2m
-      - run: yarn test
+      - run: npm test
   test-mysql:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [10, 16]
+        node-version: [10, 24]
         sequelize-version: [5, latest]
     name: MySQL (Node ${{ matrix.node-version }}, Sequelize ${{ matrix.sequelize-version }})
     runs-on: ubuntu-latest
     env:
       DIALECT: mysql
       SEQ_PORT: 33060
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
-      - run: yarn install --frozen-lockfile --ignore-engines
-      - run: yarn add sequelize@${{ matrix.sequelize-version }} --ignore-engines
+      - run: if [ "${{ matrix.node-version }}" = "10" ]; then npm install -g npm@7; fi
+      - run: npm ci
+      - run: npm install sequelize@${{ matrix.sequelize-version }}
       - run: docker compose up -d ${DIALECT}
       - run: docker run --link ${DIALECT}:db --net cli_default jwilder/dockerize -wait tcp://${DIALECT}:${SEQ_PORT::-1} -timeout 2m
-      - run: yarn test
+      - run: npm test
   test-sqlite:
     strategy:
       fail-fast: false
       matrix:
-        node-version: [10, 16]
+        node-version: [10, 24]
         sequelize-version: [5, latest]
     name: SQLite (Node ${{ matrix.node-version }}, Sequelize ${{ matrix.sequelize-version }})
     runs-on: ubuntu-latest
     env:
       DIALECT: sqlite
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
-      - run: yarn install --frozen-lockfile --ignore-engines
-      - run: yarn add sequelize@${{ matrix.sequelize-version }} --ignore-engines
-      - run: yarn test
-  release:
-    name: Release
-    runs-on: ubuntu-latest
-    needs:
-      [
-        test-sqlite,
-        test-postgres,
-        test-mysql
-      ]
-    if: github.event_name == 'push' && (github.ref == 'refs/heads/v6' || github.ref == 'refs/heads/v7')
-    env:
-      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 18.x
-      - run: yarn install --frozen-lockfile
-      - run: npx semantic-release
-      - id: sequelize
-        uses: sdepold/github-action-get-latest-release@master
-        with:
-          repository: sequelize/cli
-      - run: |
-          curl -XPOST -u "sdepold:${{ secrets.GH_TOKEN }}" -H "Accept: application/vnd.github.v3+json" -H "Content-Type: application/json" https://api.github.com/repos/sequelize/cli/dispatches --data '{"event_type":"Release notifier","client_payload":{"release-id": ${{ steps.sequelize.outputs.id }}}}'
+      - run: if [ "${{ matrix.node-version }}" = "10" ]; then npm install -g npm@7; fi
+      - run: npm ci
+      - run: npm install sequelize@${{ matrix.sequelize-version }}
+      - run: npm test

.github/workflows/notify.yml

@@ -0,0 +1,60 @@
+name: Release
+on: workflow_dispatch
+
+permissions:
+  contents: read # for checkout
+
+jobs:
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for trusted publishing and npm provenance
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+        with:
+          fetch-depth: 0
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: 'lts/*'
+      - name: Install dependencies
+        run: npm clean-install
+      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+        run: npm audit signatures
+      - name: Release
+        id: release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: npm run release
+      - name: Post release notes to OpenCollective
+        if: steps.release.outputs.new_release_published == 'true'
+        env:
+          OPENCOLLECTIVE_TOKEN: ${{ secrets.OPEN_COLLECTIVE_KEY }}
+          OPENCOLLECTIVE_SLUG: sequelize
+          RELEASE_VERSION: ${{ steps.release.outputs.new_release_version }}
+          RELEASE_NOTES: ${{ steps.release.outputs.new_release_notes }}
+          PACKAGE_NAME: sequelize-cli
+        run: |
+          curl -X POST "https://api.opencollective.com/graphql/v2" \
+            -H "Content-Type: application/json" \
+            # TODO: use OAuth instead of Personal-Token so we can create the updates from the organization instead of a user
+            -H "Personal-Token: $OPENCOLLECTIVE_TOKEN" \
+            -d "{
+              \"query\": \"mutation CreateUpdate(\$update: UpdateCreateInput!) { createUpdate(update: \$update) { id legacyId slug title html publishedAt } }\",
+              \"variables\": {
+                \"update\": {
+                  \"account\": {
+                    \"slug\": \"$OPENCOLLECTIVE_SLUG\"
+                  },
+                  \"title\": \"Release of $PACKAGE_NAME $RELEASE_VERSION\",
+                  \"html\": \"<h2>Release of $PACKAGE_NAME $RELEASE_VERSION</h2><p>We've just released version $RELEASE_VERSION of $PACKAGE_NAME!</p><h3>Changes:</h3><pre>$RELEASE_NOTES</pre><p>Install it with: <code>npm install $PACKAGE_NAME@$RELEASE_VERSION</code></p>\",
+                  \"isPrivate\": false,
+                  \"notificationAudience\": \"ALL\"
+                }
+              }
+            }"

.github/workflows/release.yml

@@ -27,5 +27,5 @@ test/support/tmp/*
 !test/support/tmp/.gitkeep
 
 # Extra files
-package-lock.json
+yarn.lock
 npm-debug.log