From 7e096796adec7d8002b3a1c994c29bc042997667 Mon Sep 17 00:00:00 2001
From: tmm
Date: Wed, 27 May 2026 01:06:15 -0400
Subject: [PATCH 1/2] ci: harden changesets workflow
---
 .github/workflows/changesets.yml | 91 ++++++++++++++++++++++----------
 .gitignore | 1 -
 packages/abitype/package.json | 1 -
 scripts/genJsrJson.ts | 35 ------------
 scripts/updateVersion.ts | 21 --------
 5 files changed, 63 insertions(+), 86 deletions(-)
 delete mode 100644 scripts/genJsrJson.ts
diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml
index af0046f7..f6e89c40 100644
--- a/.github/workflows/changesets.yml
+++ b/.github/workflows/changesets.yml
@@ -3,27 +3,32 @@ on:
 push:
 branches: [main]
 
+permissions: {} # each job should declare only the permissions it needs
+
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
- cancel-in-progress: true
+ cancel-in-progress: false
 
 jobs:
 verify:
 name: Verify
+ permissions:
+ contents: write # commit formatting updates in the reusable workflow
 uses: ./.github/workflows/verify.yml
 secrets: inherit
 
 changesets:
- name: Publish
+ name: Changesets
 needs: verify
 # prevents this action from running on forks
 if: github.repository == 'wevm/abitype'
 permissions:
- contents: write # to create release (changesets/action)
- id-token: write # OpenID Connect token needed for provenance
- pull-requests: write # to create pull request (changesets/action)
+ contents: write # commit version/changelog updates to the release pull request
+ pull-requests: write # create or update the Changesets release pull request
 runs-on: ubuntu-latest
 timeout-minutes: 5
+ outputs:
+ hasChangesets: ${{ steps.changesets.outputs.hasChangesets }}
 
 steps:
 - name: Clone repository
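Review bot: The `contents: write` grant on the `verify` job, together with `secrets: inherit`, raises the permission ceiling of every job in the reusable verify workflow to push access on `main` for every push to `main`, not only the formatting step the comment names. verify.yml is outside this patch, so I cannot see which step commits, but any lint, test or formatting tool (and its transitive dependencies) run there may now execute under a token that can write to the default branch. It is worth confirming that the reusable workflow narrows permissions per job, and either way the comment should state the blast radius, e.g. `contents: write # verify.yml commits formatting fixes; the whole reusable workflow inherits this ceiling`. Note also that `cancel-in-progress: false` now queues a second push to main instead of cancelling the running one, which is what a publishing workflow wants but also applies to the verify job.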
@@ -33,48 +38,78 @@ jobs:
 fetch-depth: 0
 
 - name: Install dependencies
- uses: wevm/actions/.github/actions/pnpm@f7ad7f00e16e73322562922c241f21f0c7ffbbec
+ uses: wevm/actions/.github/actions/pnpm@f95dc1dadcba18fe3f02b8205e653e98e4a93516
 with:
 node-version: 24.5
+ skip-cache: true # avoid cache poisoning attacks
 
- - name: PR or publish
+ - name: Create version pull request
+ id: changesets
 uses: changesets/action@c48e67d110a68bc90ccf1098e9646092baacaa87 # v1.6.0
 with:
 title: 'chore: version packages'
 commit: 'chore: version packages'
- createGithubReleases: ${{ github.ref == 'refs/heads/main' }}
- publish: pnpm changeset:publish
 version: pnpm changeset:version
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
- - name: Publish prerelease
- run: |
- git reset --hard origin/main
- pnpm clean
- pnpm changeset:prepublish
- pnpx pkg-pr-new publish --pnpm --compact './packages/abitype'
+ release:
+ name: Release
+ needs: [verify, changesets]
+ # prevents this action from running on forks
+ if: github.repository == 'wevm/abitype' && needs.changesets.outputs.hasChangesets == 'false'
+ permissions:
+ contents: write # create GitHub releases and tags after npm publish
+ id-token: write # authenticate to npm via trusted publishing
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ outputs:
+ published: ${{ steps.publish.outputs.published }}
+
+ steps:
+ - name: Clone repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+ - name: Install dependencies
+ uses: wevm/actions/.github/actions/pnpm@f95dc1dadcba18fe3f02b8205e653e98e4a93516
+ with:
+ node-version: 24.5
+ skip-cache: true # avoid cache poisoning attacks
+
+ - name: Publish to npm
+ id: publish
+ uses: changesets/action@c48e67d110a68bc90ccf1098e9646092baacaa87 # v1.6.0
+ with:
+ createGithubReleases: true
+ publish: pnpm changeset:publish
 env:
- PKG_PR_NEW: true
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
- jsr:
- name: JSR
- needs: verify
+ prerelease:
+ name: Prerelease
+ needs: [verify,
changesets]
+ # prevents this action from running on forks
+ if: github.repository == 'wevm/abitype' && needs.changesets.outputs.hasChangesets == 'true'
+ permissions:
+ contents: read # checkout repository contents
+ id-token: write # authenticate to npm via trusted publishing
 runs-on: ubuntu-latest
 timeout-minutes: 5
- permissions:
- contents: read
- id-token: write
 
 steps:
 - name: Clone repository
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
 - name: Install dependencies
- uses: wevm/actions/.github/actions/pnpm@f7ad7f00e16e73322562922c241f21f0c7ffbbec
-
- - name: Prepare
- run: pnpm node scripts/genJsrJson.ts && pnpm version:update && cd packages/abitype && cp ../../LICENSE LICENSE
+ uses: wevm/actions/.github/actions/pnpm@f95dc1dadcba18fe3f02b8205e653e98e4a93516
+ with:
+ node-version: 24.5
+ skip-cache: true # avoid cache poisoning attacks
 
- - name: Publish to JSR
- run: cd packages/abitype && pnpx jsr publish --allow-slow-types --allow-dirty
+ - name: Publish prerelease
+ run: |
+ pnpm clean
+ pnpm changeset:prepublish
+ pnpx pkg-pr-new publish --pnpm --compact './packages/abitype'
+ env:
+ PKG_PR_NEW: true
diff --git a/.gitignore b/.gitignore
index ba7d7263..0beeb4af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,7 +11,6 @@ coverage
 dist
 node_modules
 packages/abitype/abis
-packages/abitype/jsr.json
 packages/abitype/zod
 playgrounds/performance/out
 tsconfig*.tsbuildinfo
diff --git a/packages/abitype/package.json b/packages/abitype/package.json
index 0d74fec9..6dc0b33e 100644
--- a/packages/abitype/package.json
+++ b/packages/abitype/package.json
@@ -19,7 +19,6 @@
 "/zod",
 "src/**/*.ts",
 "!dist/**/*.tsbuildinfo",
- "!jsr.json",
 "!src/**/*.bench.ts",
 "!src/**/*.bench-d.ts",
 "!src/**/*.test.ts",
diff --git a/scripts/genJsrJson.ts b/scripts/genJsrJson.ts
deleted file mode 100644
index 43406216..00000000
--- a/scripts/genJsrJson.ts
+++ /dev/null
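Review bot: `pnpx pkg-pr-new publish …` in the `prerelease` job's Publish prerelease step fetches and executes whatever `pkg-pr-new` version the registry serves at run time, inside a job that holds `id-token: write`, while every other action in this workflow is pinned to a commit SHA; pin it too, e.g. `pnpx pkg-pr-new@<PINNED_VERSION> publish --pnpm --compact './packages/abitype'` (placeholder, substitute the version the project has vetted). The `id-token: write # authenticate to npm via trusted publishing` comment on that job looks copied from the `release` job: the prerelease step never publishes to npm, so the comment should name what actually consumes the OIDC token here (presumably pkg-pr-new, to attest the originating run — confirm against its docs), or the grant should be dropped if nothing does. The unpinned `pnpx` call pre-dates this patch, so this is a pre-existing gap the hardening pass could close; separately, the `release` job's `outputs.published` is declared but nothing in this diff consumes it.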
@@ -1,35 +0,0 @@
-import fs from 'node:fs/promises'
-
-// Generates jsr.json
-
-console.log('Generating jsr.json')
-
-await fs.writeFile(
- 'packages/abitype/jsr.json',
- `${JSON.stringify(
- {
- name: '@wevm/abitype',
- version: '1.1.0',
- license: 'MIT',
- exports: {
- '.': './src/exports/index.ts',
- './abis': './src/exports/abis.ts',
- './zod': './src/exports/zod.ts',
- },
- publish: {
- include: ['LICENSE', 'README.md', 'CHANGELOG.md', 'src/**/*.ts'],
- exclude: [
- 'src/**/*.bench.ts',
- 'src/**/*.bench-d.ts',
- 'src/**/*.test.ts',
- 'src/**/*.test-d.ts',
- ],
- },
- },
- undefined,
- 2,
- )}\n`,
- 'utf-8',
-)
-
-console.log('Done.')
diff --git a/scripts/updateVersion.ts b/scripts/updateVersion.ts
index 5a241a18..6cf10c51 100644
--- a/scripts/updateVersion.ts
+++ b/scripts/updateVersion.ts
@@ -54,27 +54,6 @@ for await (const packagePath of packagePaths) {
 'utf-8',
 )
 
- try {
- const jsrFilePath = path.resolve(path.dirname(packagePath), 'jsr.json')
- const jsrJson = JSON.parse(
- await fs.readFile(jsrFilePath, 'utf-8'),
- ) as Package
- jsrJson.version = version
- await fs.writeFile(
- jsrFilePath,
- `${JSON.stringify(jsrJson, null, 2)}\n`,
- 'utf-8',
- )
- } catch (error) {
- if (
- error &&
- typeof error === 'object' &&
- 'code' in error &&
- error.code !== 'ENOENT'
- )
- throw error
- }
-
 if (process.env.PKG_PR_NEW) {
 packageJson.version = version
 await fs.writeFile(
From f5007e1be4dcd9bc428b414937990eac1e24ae2d Mon Sep 17 00:00:00 2001
From: tmm
Date: Wed, 27 May 2026 01:11:13 -0400
Subject: [PATCH 2/2] ci: add typescript 6.0 to matrix
---
 .github/workflows/verify.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 61c2e8a4..3c1a356c 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -50,7 +50,7 @@ jobs:
 timeout-minutes: 5
 strategy:
 matrix:
- version: ['5.0.4', '5.2.2', '5.3.3', '5.4.5', '5.5.4', '5.6.3', '5.7.3', '5.8.3', '5.9.3', 'latest']
+ version: ['5.0.4', '5.2.2', '5.3.3', '5.4.5', '5.5.4', '5.6.3', '5.7.3', '5.8.3', '5.9.3', '6.0.3', 'latest']
 
 steps:
 - name: Clone repository
@@ -93,4 +93,3 @@ jobs:
 uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
-