Harden publish

.github/actions/setup-node/action.yml

@@ -0,0 +1,33 @@
+name: 'setup'
+description: 'composite for shared job setup'
+inputs:
+  node-version:
+    description: 'node version'
+    default: '24'
+  install-deps:
+    description: 'install deps'
+    default: 'true'
+
+runs:
+  using: composite
+  steps:
+    # the following 2 steps are a replacement for pnpms own setup action that contains a lot of code
+    - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      with:
+        node-version: ${{inputs.node-version}}
+        package-manager-cache: false
+    - name: install pnpm
+      shell: bash
+      run: |
+        PNPM_VER=$(jq -r '.packageManager | if .[0:5] == "pnpm@" then .[5:] else "packageManager in package.json does not start with pnpm@\n" | halt_error(1)  end' package.json)
+        echo installing pnpm version $PNPM_VER
+        npm i --ignore-scripts -g pnpm@$PNPM_VER
+    - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      if: ${{inputs.install-deps == 'true'}}
+      with:
+        node-version: ${{inputs.node-version}}
+        package-manager-cache: true
+    - name: install dependencies
+      if: ${{inputs.install-deps == 'true'}}
+      shell: bash
+      run: pnpm install --frozen-lockfile --ignore-scripts

.github/workflows/ci.yml

@@ -29,26 +29,24 @@ jobs:
     strategy:
       matrix:
         # pseudo-matrix for convenience, NEVER use more than a single combination
-        node: [22]
+        node: [24]
         os: [ubuntu-latest]
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - name: Harden the runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
-          node-version: ${{ matrix.node }}
-          package-manager-cache: false # pnpm is not installed yet
-      - name: install pnpm
-        shell: bash
-        run: |
-          PNPM_VER=$(jq -r '.packageManager | if .[0:5] == "pnpm@" then .[5:] else "packageManager in package.json does not start with pnpm@\n" | halt_error(1)  end' package.json)
-          echo installing pnpm version $PNPM_VER
-          npm i -g pnpm@$PNPM_VER
-      - uses: actions/setup-node@v5
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            registry.npmjs.org:443
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: 'false'
+      - uses: ./.github/actions/setup-node
         with:
           node-version: ${{ matrix.node }}
-          package-manager-cache: true # caches pnpm via packageManager field in package.json
-      - name: install
-        run: pnpm install --frozen-lockfile --prefer-offline --ignore-scripts
       - name: sync
         run: pnpm -r sync # required to ensure sveltekit test project have tsconfig.json which may be required by the checks below
       - name: format
@@ -100,24 +98,22 @@ jobs:
             vite: 'rolldown-vite'
             svelte: 'current'
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - name: Harden the runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
-          node-version: ${{ matrix.node }}
-          package-manager-cache: false # pnpm is not installed yet
-      - name: install pnpm
-        shell: bash
-        run: |
-          PNPM_VER=$(jq -r '.packageManager | if .[0:5] == "pnpm@" then .[5:] else "packageManager in package.json does not start with pnpm@\n" | halt_error(1)  end' package.json)
-          echo installing pnpm version $PNPM_VER
-          npm i -g pnpm@$PNPM_VER
-      - uses: actions/setup-node@v5
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            registry.npmjs.org:443
+            cdn.playwright.dev:443
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: 'false'
+      - uses: ./.github/actions/setup-node
         with:
           node-version: ${{ matrix.node }}
-          package-manager-cache: true # caches pnpm via packageManager field in package.json
-      - name: install
-        run: pnpm install --frozen-lockfile --ignore-scripts
       - name: downgrade vite to baseline
         if: matrix.vite == 'baseline'
         run: |
@@ -131,6 +127,8 @@ jobs:
       - name: update vite to rolldown-vite
         if: matrix.vite == 'rolldown-vite'
         run: |
+          # disable minimumReleaseAge as rolldown-vite often uses deps with age less than 3 days
+          sed -i 's/minimumReleaseAge:/#minimumReleaseAge:/g' pnpm-workspace.yaml
           pnpm update -r --no-save vite@npm:rolldown-vite@latest
           pnpm ls rolldown-vite
       - name: install playwright chromium
@@ -144,7 +142,7 @@ jobs:
         if: failure()
         shell: bash
         run: tar -cvf test-temp.tar  --exclude="node_modules"  temp/
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: failure()
         with:
           name: test-failure-${{github.run_id}}-os_${{ matrix.os }}-node_${{ matrix.node }}-vite_${{ matrix.vite }}-svelte_${{matrix.svelte}}

.github/workflows/release.yml

@@ -4,57 +4,112 @@ on:
   push:
     branches:
       - main
+
 permissions: {}
 
 jobs:
-  release:
+  checks:
     permissions:
-      contents: write # to create release (changesets/action)
-      id-token: write # OpenID Connect token needed for provenance
-      pull-requests: write # to create pull request (changesets/action)
-    # prevents this action from running on forks
+      contents: read
     if: github.repository == 'sveltejs/vite-plugin-svelte'
-    name: Release
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        # pseudo-matrix for convenience, NEVER use more than a single combination
-        node: [24]
-        os: [ubuntu-latest]
+    name: Checks
+    runs-on: ubuntu-latest
     steps:
-      - name: checkout
-        uses: actions/checkout@v5
+      - name: Harden the runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
-          # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
-          fetch-depth: 0
-      - uses: actions/setup-node@v5
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            registry.npmjs.org:443
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
-          node-version: ${{ matrix.node }}
-          package-manager-cache: false # pnpm is not installed yet
-      - name: install pnpm
-        shell: bash
-        run: |
-          PNPM_VER=$(jq -r '.packageManager | if .[0:5] == "pnpm@" then .[5:] else "packageManager in package.json does not start with pnpm@\n" | halt_error(1)  end' package.json)
-          echo installing pnpm version $PNPM_VER
-          npm i -g pnpm@$PNPM_VER
-      - uses: actions/setup-node@v5
-        with:
-          node-version: ${{ matrix.node }}
-          package-manager-cache: true # caches pnpm via packageManager field in package.json
-      - name: install
-        run: pnpm install --frozen-lockfile --prefer-offline --ignore-scripts
+          persist-credentials: 'false'
+      - uses: ./.github/actions/setup-node
       - name: generated types are up to date
         run: pnpm generate:types && [ "`git status --porcelain=v1`" == "" ]
       - name: publint
         run: pnpm check:publint
 
-      - name: Create Release Pull Request or Publish to npm
+  changesets:
+    needs: checks
+    permissions:
+      contents: write # to create releases (changesets/action)
+      pull-requests: write # to create version pull requests (changesets/action)
+    name: Changesets
+    runs-on: ubuntu-latest
+    outputs:
+      published: ${{steps.changesets.outputs.published}}
+      publishedPackages: ${{steps.changesets.outputs.publishedPackages}}
+    steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            registry.npmjs.org:443
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: 'false'
+      - uses: ./.github/actions/setup-node
+      - uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3
         id: changesets
-        # pinned for security, always review third party action code before updating
-        uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3
         with:
-          # This expects you to have a script called release which does a build for your packages and calls changeset publish
-          publish: pnpm release
+          publish: pnpm exec changeset tag #only create git tag, publish to registry happens later
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_CONFIG_PROVENANCE: true
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # needed for some github api calls changesets makes
+
+  publish:
+    needs: changesets
+    if: needs.changesets.outputs.published == 'true'
+    permissions:
+      contents: read
+      id-token: write
+    environment: release
+    name: Publish
+    runs-on: ubuntu-latest
+    steps:
+      - name: Harden the runner
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            release-assets.githubusercontent.com:443
+            registry.npmjs.org:443
+            *.sigstore.dev:443
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: 'false'
+      - uses: ./.github/actions/setup-node
+        with:
+          install-deps: 'false'
+      - name: publish
+        shell: bash
+        run: |
+          echo 'publishing ${{needs.changesets.outputs.publishedPackages}}'
+
+          # generate "--filter package1 --filter package2"
+          PUBLISH_PACKAGES_FILTER=$(echo '${{needs.changesets.outputs.publishedPackages}}' | jq -r '.[] | " --filter " + "\"" + .name+ "\""' | xargs)
+
+          if [[ -f .changeset/pre.json ]]; then
+            TAG=$(jq -r '.tag' .changeset/pre.json)
+          else
+            TAG=latest
+          fi
+
+          GIT_STATUS=$(git status --porcelain=v1)
+          if [[ "$GIT_STATUS" != "" ]]; then
+            echo "dirty git state, aborting publish"
+            echo "$GIT_STATUS";
+            exit 1
+          fi
+
+          # publish
+          pnpm -r --no-bail $PUBLISH_PACKAGES_FILTER publish --no-git-checks --tag $TAG --access public

package.json

@@ -17,7 +17,6 @@
     "lint": "pnpm check:lint --fix",
     "format": "pnpm check:format --write",
     "fixup": "run-s lint format",
-    "release": "pnpm changeset publish",
     "prepare": "husky",
     "playwright": "playwright-core",
     "generate:types": "pnpm --filter \"./packages/*\" --parallel generate:types",

pnpm-workspace.yaml

@@ -12,10 +12,6 @@ minimumReleaseAgeExclude:
   - '@vitejs/*'
   - 'svelte'
   - '@sveltejs/*'
-  - 'rolldown-vite'
-  - 'rolldown'
-  - '@rolldown/*'
-  - '@oxc-project/*'
 
 onlyBuiltDependencies:
   - esbuild