chore: upgrade deps and migrate semantic-release to npm trusted publishing #1

Open
TimoBechtel wants to merge 2 commits into main from codex/deps-upgrade-trusted-publishing
@TimoBechtel
Owner

Summary

  • upgraded dependencies to current latest compatible set and migrated for major changes
  • migrated ESLint config from .eslintrc.cjs to flat config (eslint.config.js) for ESLint v9+
  • migrated semantic-release workflow from NPM_TOKEN auth to npm Trusted Publishing via GitHub OIDC
  • updated package.json repository metadata to canonical GitHub URL for npm provenance validation

Dependency/Migration Notes

  • @timobechtel/style upgraded to 2.0.1 and ESLint config migrated per package migration docs (eslint.config.js, import-x resolver setup)
  • semantic-release upgraded to 25.0.3 (includes @semantic-release/npm@13.1.1, Trusted Publishing capable)
  • eslint@10 currently breaks with @timobechtel/style plugin stack; pinned to latest compatible eslint@9.39.3

CI/Release Changes

  • .github/workflows/release.yml now includes:
    • permissions with id-token: write
    • actions/checkout@v4 with fetch-depth: 0
    • removed NPM_TOKEN from release env
    • kept GITHUB_TOKEN

Validation

  • bun test passes
  • bunx tsc --noEmit passes
  • bunx eslint . passes
  • bunx semantic-release --dry-run --no-ci loads plugins successfully; full remote check is network-dependent

npm Trusted Publisher Configuration (Exact Values)

Configure this at:

Add a Trusted Publisher with:

  • Provider: GitHub Actions
  • Repository owner: TimoBechtel
  • Repository name: prmt
  • Workflow filename: release.yml
  • Workflow path: .github/workflows/release.yml
  • Branch: main
  • Environment: (none)

- Upgraded dependencies and migrated ESLint to flat config
- Switched release workflow from NPM_TOKEN to OIDC id-token
- Updated package repository metadata for npm provenance
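
The settings listed in the description above can be checked mechanically before the token is revoked. The following is an added example, not code from this pull request or the project: the function name `auditRelease`, the finding names and both sample inputs are constructed for illustration, and only the expected owner, repository and workflow path are taken from the description.

```javascript
// Added example, not code from the PR. Expected values come from the PR
// description; the workflow and package.json samples below are constructed.
const EXPECTED = { owner: 'TimoBechtel', repo: 'prmt', path: '.github/workflows/release.yml' };

// Drop YAML comments so a commented-out NPM_TOKEN line is not reported.
const stripComments = (yaml) =>
  yaml.split('\n').map((line) => line.replace(/(^|\s)#.*$/, '')).join('\n');

function auditRelease(workflowPath, workflowYaml, packageJsonText) {
  const findings = [];
  const yaml = stripComments(workflowYaml);
  if (workflowPath !== EXPECTED.path) findings.push('workflow-path-mismatch');
  // Without id-token: write the job cannot request an OIDC token.
  if (!/^\s*id-token:\s*write\s*$/m.test(yaml)) findings.push('missing-id-token-write');
  // Any remaining reference means the long-lived token is still wired in.
  if (/\bNPM_TOKEN\b/.test(yaml)) findings.push('npm-token-referenced');
  if (!/^\s*fetch-depth:\s*0\s*$/m.test(yaml)) findings.push('shallow-checkout');
  // repository may be a plain string or an object with a url field.
  const repo = JSON.parse(packageJsonText).repository;
  const url = typeof repo === 'string' ? repo : (repo && repo.url) || '';
  const m = url.match(/github\.com[\/:]([^\/]+)\/([^\/]+?)(?:\.git)?$/);
  if (!m || m[1] !== EXPECTED.owner || m[2] !== EXPECTED.repo) findings.push('repository-mismatch');
  return findings;
}

const TRUSTED_WORKFLOW = [
  'permissions:',
  '  contents: write',
  '  id-token: write',
  'jobs:',
  '  release:',
  '    runs-on: ubuntu-latest',
  '    steps:',
  '      - uses: actions/checkout@v4',
  '        with:',
  '          fetch-depth: 0',
  '      - run: bunx semantic-release',
  '        env:',
  '          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}',
].join('\n') + '\n';
// Token-based variant: no OIDC permission, fetch-depth commented out, NPM_TOKEN in env.
const LEGACY_WORKFLOW = TRUSTED_WORKFLOW
  .replace('  id-token: write\n', '')
  .replace('          fetch-depth: 0\n', '          # fetch-depth: 0\n')
  + '          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}\n';
const GOOD_PKG = JSON.stringify({ repository: { type: 'git', url: 'git+https://github.com/TimoBechtel/prmt.git' } });
const FORK_PKG = JSON.stringify({ repository: 'https://github.com/example-fork/prmt' });
console.log(auditRelease(EXPECTED.path, TRUSTED_WORKFLOW, GOOD_PKG));
console.log(auditRelease('.github/workflows/publish.yml', LEGACY_WORKFLOW, FORK_PKG));
```

An empty result means the workflow and package metadata agree with the Trusted Publisher entry; each finding name maps to one bullet in the description.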