chore(deps): update dependency jsdom to v29 #642
| name: CI | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| # OpenSSF Scorecard "Token-Permissions": top-level grants no scopes | |
| # (`permissions: {}` is stricter than `read-all`), so every job MUST | |
| # re-declare the minimum scope it needs — including read access. | |
| permissions: {} | |
| jobs: | |
| lint: | |
| name: Lint & Format | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0 | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version-file: .nvmrc | |
| cache: pnpm | |
| - run: pnpm install --frozen-lockfile --ignore-scripts | |
| - run: pnpm lint | |
| - run: pnpm format:check | |
| typecheck: | |
| name: Typecheck | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0 | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version-file: .nvmrc | |
| cache: pnpm | |
| - run: pnpm install --frozen-lockfile --ignore-scripts | |
| - run: pnpm --filter tailwindcss-obfuscator typecheck | |
| test: | |
| name: Test (Node ${{ matrix.node }}) | |
| runs-on: ${{ matrix.os }} | |
| permissions: | |
| contents: read | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| os: [ubuntu-latest, macos-latest, windows-latest] | |
| node: [20, 22] | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0 | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version: ${{ matrix.node }} | |
| cache: pnpm | |
| - run: pnpm install --frozen-lockfile --ignore-scripts | |
| - run: pnpm --filter tailwindcss-obfuscator build | |
| - run: pnpm --filter tailwindcss-obfuscator test | |
| build: | |
| name: Build Package | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0 | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version-file: .nvmrc | |
| cache: pnpm | |
| - run: pnpm install --frozen-lockfile --ignore-scripts | |
| - run: pnpm --filter tailwindcss-obfuscator build | |
| - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: dist | |
| path: packages/tailwindcss-obfuscator/dist | |
| retention-days: 7 | |
| dependency-review: | |
| # Pull-request-only gate. Reads the diff of pnpm-lock.yaml against | |
| # the merge base and refuses any PR that introduces a NEW dep with | |
| # a known advisory of severity moderate-or-higher. Complements the | |
| # `audit` job below : audit runs on the resolved tree at any time ; | |
| # dep-review runs only on the diff and is much faster + more | |
| # targeted (catches the introduction, not the steady state). | |
| # | |
| # OSSF Scorecard recognises dep-review as a top-tier supply-chain | |
| # control. Cost : ~5 seconds per PR. | |
| name: Dependency review (PR-only) | |
| if: github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| pull-requests: write | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - uses: actions/dependency-review-action@67d4f4bd7a9b17a0db54d2a7519187c65e339de8 # v4.3.4 | |
| with: | |
| fail-on-severity: moderate | |
| # Allow the same MIT/Apache/BSD permissive licenses the project | |
| # already ships ; reject GPL family transitively (would force the | |
| # whole package into GPL on republish). | |
| allow-licenses: MIT, Apache-2.0, BSD-2-Clause, BSD-3-Clause, ISC, 0BSD, Unlicense, CC0-1.0, CC-BY-4.0, BlueOak-1.0.0, Python-2.0 | |
| comment-summary-in-pr: on-failure | |
| tests-existence: | |
| # Release-safety v2 (2026-04-30) : enforce the "every feature ships | |
| # with tests" rule by failing CI if any src file under | |
| # packages/tailwindcss-obfuscator/src/** has zero test references | |
| # (and is not on the explicit allowlist with a justification). | |
| # See scripts/check-tests-coverage.mjs for the full heuristic. | |
| name: Tests-existence gate | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version-file: .nvmrc | |
| - name: Verify every src file is referenced by at least one test | |
| run: node scripts/check-tests-coverage.mjs | |
| audit: | |
| # Belt-and-suspenders: Renovate already opens PRs for vulnerable transitive | |
| # deps and `pnpm.overrides` patches them on the spot, but we also want a | |
| # blocking CI gate so that any PR which would re-introduce a high/critical | |
| # advisory cannot land. Threshold matches the project security rule in | |
| # CLAUDE.md ("Never ship a PR that increases the audit count"). | |
| name: Dependency audit | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0 | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version-file: .nvmrc | |
| cache: pnpm | |
| - run: pnpm install --frozen-lockfile --ignore-scripts | |
| - name: pnpm audit (high+critical fail the build) | |
| run: pnpm audit --audit-level=high | |
| tarball-smoke: | |
| # 2026 release-safety guarantee #1: pack the package exactly as it would | |
| # be uploaded to npm, install it into a fresh `node_modules`, and verify | |
| # that EVERY entry of `package.json#exports` (./vite, ./webpack, ./rollup, | |
| # ./esbuild, ./rspack, ./farm, ./nuxt, ./internals, ./cli, root) resolves | |
| # cleanly via both ESM (import) and CJS (require). Also runs the published | |
| # CLI binary `tw-obfuscator --version` to ensure the bin entry is wired. | |
| # | |
| # Catches: missing dist/ files, exports map drift, broken bin path, dual- | |
| # package-hazard regressions. Without this job, those bugs only surface | |
| # at first install on a downstream consumer's machine. | |
| name: Tarball smoke test (every exports entry, ESM + CJS) | |
| runs-on: ubuntu-latest | |
| needs: [build] | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0 | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version-file: .nvmrc | |
| cache: pnpm | |
| - run: pnpm install --frozen-lockfile --ignore-scripts | |
| - name: Run tarball smoke test | |
| run: bash .github/scripts/test-tarball.sh | |
| coverage: | |
| # Coverage reporting (release-safety nice-to-have) — runs the unit tests | |
| # with v8 coverage instrumentation and uploads the lcov.info to Codecov. | |
| # NOT a blocking gate (no minimum-coverage threshold enforced here, since | |
| # the repo intentionally excludes plugin adapters / CLI bin from the | |
| # numerator — those are exercised by verify-obfuscation.mjs + tarball | |
| # smoke tests, not unit tests). The number is purely informational and | |
| # surfaced as a Codecov badge in the README. | |
| name: Coverage report | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0 | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version-file: .nvmrc | |
| cache: pnpm | |
| - run: pnpm install --frozen-lockfile --ignore-scripts | |
| - name: Run vitest with v8 coverage | |
| run: pnpm --filter tailwindcss-obfuscator exec vitest run --coverage | |
| - name: Upload coverage to Codecov | |
| uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6.0.0 | |
| with: | |
| files: packages/tailwindcss-obfuscator/coverage/lcov.info | |
| flags: unittests | |
| name: tailwindcss-obfuscator | |
| fail_ci_if_error: false | |
| env: | |
| # Codecov public-repo upload — token optional for OSS repos but | |
| # required to silence rate-limit warnings on busy days. | |
| CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} |
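Review bot: Every `actions/checkout` step in this workflow keeps the default `persist-credentials: true`, so the job's `GITHUB_TOKEN` stays in the local git config while later steps run repository-controlled code (`pnpm lint`, the build and test scripts, `node scripts/check-tests-coverage.mjs`, `bash .github/scripts/test-tarball.sh`). No job shown performs a git push or fetch after checkout, so adding `with: { persist-credentials: false }` to each checkout step looks safe and matches the least-privilege intent of the top-level `permissions: {}`. The token scopes are already narrow (`contents: read`, plus `pull-requests: write` only in `dependency-review`), so this is defence in depth rather than a live exposure. Indentation is lost in this rendering, so confirm the exact nesting against the file itself.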