Skip to content

chore: remove Renovate entirely #103

chore: remove Renovate entirely

chore: remove Renovate entirely #103

Workflow file for this run

name: Publish
# Renamed from `release.yml` to `publish.yml` because GitHub kept the previous
# workflow ID associated with the (now-removed) `environment: npm` declaration,
# silently throttling every run to "pending" forever without ever allocating
# a job. Renaming the file forces GitHub to mint a fresh workflow ID, breaking
# the throttle. See git log for the chain of attempts.
on:
push:
branches: [main]
workflow_dispatch:
# Manual trigger from the Actions UI or via `gh workflow run publish.yml`.
# Useful when a `push:`-triggered run got stuck in pending state without
# ever allocating jobs (rare GitHub Actions infra glitch) and force-cancel
# is needed before the next release attempt.
concurrency:
group: publish-${{ github.ref }}
cancel-in-progress: false
# OpenSSF Scorecard "Token-Permissions": top-level empty; the release job
# re-declares the write scopes it needs (contents for the version-bump commit
# and tag, pull-requests for the version-packages PR, id-token for npm
# provenance OIDC).
permissions: {}
jobs:
release:
name: Release
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
id-token: write
# NOTE: `environment: npm` was removed in 2026-04-29 because it caused
# release.yml runs to silently sit in `pending` forever without ever
# allocating a runner (5 consecutive runs stuck this way). Other workflows
# on the same commit (CI, CodeQL, Docs, Scorecard) ran fine — the only
# difference was this `environment:` declaration. GitHub treats jobs that
# declare an environment as "deployments", and on personal accounts with
# no payment method on file deployments are silently throttled (workflows
# without environments are unaffected).
#
# The CODEOWNERS gate on `main` already enforces that only the maintainer
# can land code that triggers this workflow, so the additional reviewer
# gate the env added was redundant. NPM_TOKEN now lives at repo level
# (`gh secret set NPM_TOKEN`) instead of env level.
steps:
- uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
fetch-depth: 0
# Make the version-bump commit + the GitHub release land under the maintainer's
# identity instead of the default `github-actions[bot]` author. Otherwise the
# bot accumulates in the GitHub "Contributors" panel on every release.
- name: Configure git as maintainer
run: |
git config --global user.name "José DA COSTA"
git config --global user.email "contact@josedacosta.info"
- uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
- uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version-file: .nvmrc
cache: pnpm
registry-url: https://registry.npmjs.org
# npm CLI 11.5.1 is the minimum version that fully supports OIDC trusted
# publishing on npm. Node 20 LTS bundles npm 10.x, which has incomplete
# OIDC support — upgrading the runner's npm to latest avoids subtle 404s
# and "expired token" errors observed in early-2026 npm/cli issue #8730
# and #8976. We do this only inside the publish job; CI/Test jobs keep
# the bundled npm to mirror what end-users see.
- name: Upgrade npm to support OIDC trusted publishing
run: npm install -g npm@latest
- run: pnpm install --frozen-lockfile --ignore-scripts
- run: pnpm --filter tailwindcss-obfuscator build
# Pre-flight gate (release-safety #4) : verify the tarball that's about
# to be published contains exactly the files the maintainer expects.
# Compares the file list AND size envelope against the committed
# baseline at scripts/expected-tarball.json. Fails on any drift —
# forcing the maintainer to consciously update the baseline in the
# SAME PR that changes the published surface. Catches accidental
# inclusion of secrets / test fixtures / source maps we forgot to
# ship / dist files we forgot to ship — i.e. the entire class of
# "I packed the wrong thing" bugs that are usually only caught
# post-publish on a customer's machine.
- name: Pre-flight tarball contents gate
run: bash .github/scripts/check-tarball-contents.sh
- name: Create Release Pull Request or Publish
id: changesets
uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1.7.0
with:
publish: pnpm release
version: pnpm changeset version
commit: "chore(release): version packages"
title: "chore(release): version packages"
# Don't let the action overwrite the git user we configured above.
setupGitUser: false
# Have the action create the GitHub release under the maintainer's identity.
createGithubReleases: true
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# NPM_TOKEN deliberately dropped: with Trusted Publisher (OIDC) active
# on npm for this package, an empty/missing NPM_TOKEN forces pnpm to
# fall through to OIDC-only auth, which the TP binding accepts. An
# empty NODE_AUTH_TOKEN is actively harmful (npm tries to use it and
# ignores OIDC) — the cleanest state is to not set it at all.
#
# NPM_CONFIG_PROVENANCE is also intentionally NOT set here. Per the
# official npm docs (docs.npmjs.com/generating-provenance-statements),
# publishing via OIDC trusted publishing automatically generates
# provenance — the env var is redundant. Setting it can produce
# confusing logs when the auth path falls back. Provenance is still
# signed and published to Sigstore on every successful run.