ci: support provenance (#135)

Himenon · web-flow · commit 5f42501c5a21 · 2024-12-22T12:11:40.000+09:00
diff --git a/.github/actions/initialize/action.yml b/.github/actions/initialize/action.yml
@@ -0,0 +1,12 @@
+name: "initialize"
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup Git Config
+      run: |
+        git config --global core.autocrlf false
+        git config --global core.eol lf
+        git config --global user.email "actions@gihub.com"
+        git config --global user.name "gh-actions"
+      shell: bash
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,29 +7,29 @@ jobs:
   build:
     runs-on: ${{ matrix.os }}
 
+    # @see https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#concurrency
+    concurrency:
+      group: ${{ github.workflow }}-${{ matrix.os }}-${{ github.ref }}
+      cancel-in-progress: true
+
     strategy:
       matrix:
-        node-version: [20.x]
+        node-version: [22.x]
         os: [windows-latest, ubuntu-latest]
 
     steps:
-      - name: Setup Git Config
-        run: |
-          git config --global core.autocrlf false
-          git config --global core.eol lf
-          git config --global user.email "actions@gihub.com"
-          git config --global user.name "gh-actions"
       - uses: actions/checkout@v3
+      - uses: ./.github/actions/initialize
       - uses: pnpm/action-setup@v4
         with:
           version: 9.10.0
       - uses: actions/setup-node@v4
         with:
-          node-version: "20.x"
+          node-version: "22.x"
           cache: "pnpm"
       - run: pnpm i --frozen-lockfile
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
       - name: Test & Build
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -8,61 +8,50 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - name: Setup Git Config
-        run: |
-          git config --global core.autocrlf false
-          git config --global core.eol lf
-          git config --global user.email "actions@gihub.com"
-          git config --global user.name "gh-actions"
       - uses: actions/checkout@v3
         with:
           ref: main
+      - uses: ./.github/actions/initialize
       - uses: pnpm/action-setup@v4
         with:
           version: 9.10.0
       - uses: actions/setup-node@v4
         with:
-          node-version: "20.x"
+          node-version: "22.x"
           registry-url: https://npm.pkg.github.com
           scope: "@Himenon"
           cache: "pnpm"
       - run: pnpm i --frozen-lockfile
       - run: |
           pnpm build
-        env:
-          CI: true
 
   release-github-registry:
     runs-on: ubuntu-latest
     steps:
-      - name: Setup Git Config
-        run: |
-          git config --global core.autocrlf false
-          git config --global core.eol lf
-          git config --global user.email "actions@gihub.com"
-          git config --global user.name "gh-actions"
       - uses: actions/checkout@v3
         with:
           ref: main
+      - uses: ./.github/actions/initialize
       - uses: pnpm/action-setup@v4
         with:
           version: 9.10.0
       - uses: actions/setup-node@v4
         with:
-          node-version: "20.x"
+          node-version: "22.x"
           registry-url: https://npm.pkg.github.com
           scope: "@Himenon"
           cache: "pnpm"
       - run: pnpm install
       - run: |
           pnpm build
-          pnpm release:github:registry
+          pnpm run release:github:registry
         env:
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          CI: true
 
   release-npm-registry:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - uses: actions/checkout@v2
         with:
@@ -72,13 +61,11 @@ jobs:
           version: 9.10.0
       - uses: actions/setup-node@v4
         with:
-          node-version: "20.x"
+          node-version: "22.x"
           registry-url: "https://registry.npmjs.org"
           cache: "pnpm"
       - run: pnpm install
       - run: pnpm build
-        env:
-          CI: true
-      - run: pnpm release:npm:registry
+      - run: NPM_CONFIG_PROVENANCE=true pnpm run release:npm:registry
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/versionUp.yml b/.github/workflows/versionUp.yml
@@ -9,21 +9,16 @@ jobs:
     if: github.event_name != 'pull_request'
     runs-on: ubuntu-latest
     steps:
-      - name: Setup Git Config
-        run: |
-          git config --global core.autocrlf false
-          git config --global core.eol lf
-          git config --global user.email "actions@gihub.com"
-          git config --global user.name "gh-actions"
       - uses: actions/checkout@v3
         with:
           ref: main
+      - uses: ./.github/actions/initialize
       - uses: pnpm/action-setup@v4
         with:
           version: 9.10.0
       - uses: actions/setup-node@v4
         with:
-          node-version: "20.x"
+          node-version: "22.x"
           cache: "pnpm"
       - run: pnpm i --frozen-lockfile
       - name: Auto version update
