chore(actions): sync actions in v3 branch to changes in main (#967)

dominikg · web-flow · commit 9fab1303820d · 2024-08-22T11:26:50.000+02:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -30,7 +30,7 @@ jobs:
     strategy:
       matrix:
         # pseudo-matrix for convenience, NEVER use more than a single combination
-        node: [18]
+        node: [20]
         os: [ubuntu-latest]
     steps:
       - uses: actions/checkout@v4
@@ -102,7 +102,7 @@ jobs:
           cache: 'pnpm'
           cache-dependency-path: '**/pnpm-lock.yaml'
       - name: install
-        run: pnpm install --frozen-lockfile --prefer-offline --ignore-scripts
+        run: pnpm install --frozen-lockfile --ignore-scripts
       #      - name: use svelte5
       #        if: (${{matrix.svelte == 5 }})
       #        run: pnpm i -Dw svelte@^5.0.0-next.1 && pnpm install
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -10,6 +10,7 @@ jobs:
   release:
     permissions:
       contents: write # to create release (changesets/action)
+      id-token: write # OpenID Connect token needed for provenance
       pull-requests: write # to create pull request (changesets/action)
     # prevents this action from running on forks
     if: github.repository == 'sveltejs/vite-plugin-svelte'
@@ -18,7 +19,7 @@ jobs:
     strategy:
       matrix:
         # pseudo-matrix for convenience, NEVER use more than a single combination
-        node: [18]
+        node: [20]
         os: [ubuntu-latest]
     steps:
       - name: checkout
@@ -55,16 +56,17 @@ jobs:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: Create Release Pull Request or Publish to npm
         id: changesets
-        uses: changesets/action@v1
+        # pinned for security, always review third party action code before updating
+        uses: changesets/action@aba318e9165b45b7948c60273e0b72fce0a64eb9 #v1.4.7
         with:
           # This expects you to have a script called release which does a build for your packages and calls changeset publish
           publish: pnpm release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
-      # TODO alert discord
-      # - name: Send a Slack notification if a publish happens
-      #   if: steps.changesets.outputs.published == 'true'
-      #   # You can do something when a publish happens.
-      #   run: my-slack-bot send-notification --message "A new version of ${GITHUB_REPOSITORY} was published!"
+          NPM_CONFIG_PROVENANCE: true
+      - name: Remove .npmrc
+        if: always()
+        run: |
+          echo "#deleted" > "$HOME/.npmrc"
+          rm -f "$HOME/.npmrc"
