chore: remove Renovate entirely #103
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish | |
| # Renamed from `release.yml` to `publish.yml` because GitHub kept the previous | |
| # workflow ID associated with the (now-removed) `environment: npm` declaration, | |
| # silently throttling every run to "pending" forever without ever allocating | |
| # a job. Renaming the file forces GitHub to mint a fresh workflow ID, breaking | |
| # the throttle. See git log for the chain of attempts. | |
| on: | |
| push: | |
| branches: [main] | |
| workflow_dispatch: | |
| # Manual trigger from the Actions UI or via `gh workflow run publish.yml`. | |
| # Useful when a `push:`-triggered run got stuck in pending state without | |
| # ever allocating jobs (rare GitHub Actions infra glitch) and force-cancel | |
| # is needed before the next release attempt. | |
| concurrency: | |
| group: publish-${{ github.ref }} | |
| cancel-in-progress: false | |
| # OpenSSF Scorecard "Token-Permissions": top-level empty; the release job | |
| # re-declares the write scopes it needs (contents for the version-bump commit | |
| # and tag, pull-requests for the version-packages PR, id-token for npm | |
| # provenance OIDC). | |
| permissions: {} | |
| jobs: | |
| release: | |
| name: Release | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| pull-requests: write | |
| id-token: write | |
| # NOTE: `environment: npm` was removed in 2026-04-29 because it caused | |
| # release.yml runs to silently sit in `pending` forever without ever | |
| # allocating a runner (5 consecutive runs stuck this way). Other workflows | |
| # on the same commit (CI, CodeQL, Docs, Scorecard) ran fine — the only | |
| # difference was this `environment:` declaration. GitHub treats jobs that | |
| # declare an environment as "deployments", and on personal accounts with | |
| # no payment method on file deployments are silently throttled (workflows | |
| # without environments are unaffected). | |
| # | |
| # The CODEOWNERS gate on `main` already enforces that only the maintainer | |
| # can land code that triggers this workflow, so the additional reviewer | |
| # gate the env added was redundant. NPM_TOKEN now lives at repo level | |
| # (`gh secret set NPM_TOKEN`) instead of env level. | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| fetch-depth: 0 | |
| # Make the version-bump commit + the GitHub release land under the maintainer's | |
| # identity instead of the default `github-actions[bot]` author. Otherwise the | |
| # bot accumulates in the GitHub "Contributors" panel on every release. | |
| - name: Configure git as maintainer | |
| run: | | |
| git config --global user.name "José DA COSTA" | |
| git config --global user.email "contact@josedacosta.info" | |
| - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0 | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 | |
| with: | |
| node-version-file: .nvmrc | |
| cache: pnpm | |
| registry-url: https://registry.npmjs.org | |
| # npm CLI 11.5.1 is the minimum version that fully supports OIDC trusted | |
| # publishing on npm. Node 20 LTS bundles npm 10.x, which has incomplete | |
| # OIDC support — upgrading the runner's npm to latest avoids subtle 404s | |
| # and "expired token" errors observed in early-2026 npm/cli issue #8730 | |
| # and #8976. We do this only inside the publish job; CI/Test jobs keep | |
| # the bundled npm to mirror what end-users see. | |
| - name: Upgrade npm to support OIDC trusted publishing | |
| run: npm install -g npm@latest | |
| - run: pnpm install --frozen-lockfile --ignore-scripts | |
| - run: pnpm --filter tailwindcss-obfuscator build | |
| # Pre-flight gate (release-safety #4) : verify the tarball that's about | |
| # to be published contains exactly the files the maintainer expects. | |
| # Compares the file list AND size envelope against the committed | |
| # baseline at scripts/expected-tarball.json. Fails on any drift — | |
| # forcing the maintainer to consciously update the baseline in the | |
| # SAME PR that changes the published surface. Catches accidental | |
| # inclusion of secrets / test fixtures / source maps we forgot to | |
| # ship / dist files we forgot to ship — i.e. the entire class of | |
| # "I packed the wrong thing" bugs that are usually only caught | |
| # post-publish on a customer's machine. | |
| - name: Pre-flight tarball contents gate | |
| run: bash .github/scripts/check-tarball-contents.sh | |
| - name: Create Release Pull Request or Publish | |
| id: changesets | |
| uses: changesets/action@6a0a831ff30acef54f2c6aa1cbbc1096b066edaf # v1.7.0 | |
| with: | |
| publish: pnpm release | |
| version: pnpm changeset version | |
| commit: "chore(release): version packages" | |
| title: "chore(release): version packages" | |
| # Don't let the action overwrite the git user we configured above. | |
| setupGitUser: false | |
| # Have the action create the GitHub release under the maintainer's identity. | |
| createGithubReleases: true | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| # NPM_TOKEN deliberately dropped: with Trusted Publisher (OIDC) active | |
| # on npm for this package, an empty/missing NPM_TOKEN forces pnpm to | |
| # fall through to OIDC-only auth, which the TP binding accepts. An | |
| # empty NODE_AUTH_TOKEN is actively harmful (npm tries to use it and | |
| # ignores OIDC) — the cleanest state is to not set it at all. | |
| # | |
| # NPM_CONFIG_PROVENANCE is also intentionally NOT set here. Per the | |
| # official npm docs (docs.npmjs.com/generating-provenance-statements), | |
| # publishing via OIDC trusted publishing automatically generates | |
| # provenance — the env var is redundant. Setting it can produce | |
| # confusing logs when the auth path falls back. Provenance is still | |
| # signed and published to Sigstore on every successful run. |