diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 92d40f5..7a268a4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,7 +3,7 @@ name: CI
 on:
 pull_request:
 branches:
- - main
+ - main
 concurrency:
 group: ${{ github.workflow }}-${{ github.ref }}
@@ -12,11 +12,4 @@ concurrency:
 jobs:
 test:
 uses: ./.github/workflows/test.yml
- secrets:
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
- dependabot:
- uses: ./.github/workflows/dependabot-auto-merge.yml
- needs: test
- secrets:
- GH_TOKEN: "${{ secrets.GH_DEPENDABOT_TOKEN || secrets.GH_DEPLOY_TOKEN }}"
+ secrets: inherit
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
deleted file mode 100644
index 05725c2..0000000
--- a/.github/workflows/dependabot-auto-merge.yml
+++ /dev/null
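Review bot: `secrets: inherit` on the `test` call replaces the one explicitly passed `NPM_TOKEN` with every secret the repository and organization hold — including `GH_SEMANTIC_RELEASE_TOKEN`, the write-capable token release.yml now reads — and this workflow runs on `pull_request`. The reusable workflow needed a single token before, so least privilege is to keep passing it by name, `secrets:` / `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}`, with a matching `secrets:` declaration under `workflow_call` in test.yml, or to drop the `secrets:` key entirely if test.yml no longer reads any secret. Fork pull requests do not receive secrets regardless, so the exposure is to same-repository branches and to whatever runs inside test.yml, which is outside this hunk.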
@@ -1,41 +0,0 @@
-name: Dependabot Auto-Merge
-on:
- workflow_call:
- secrets:
- GH_TOKEN:
- required: true
-
-jobs:
- dependabot:
- runs-on: ubuntu-latest
- if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
- steps:
- - name: Checkout
- uses: actions/checkout@v3
- - name: Fetch Dependabot metadata
- id: metadata
- uses: dependabot/fetch-metadata@v1
- with:
- github-token: "${{ secrets.GH_TOKEN }}"
- - name: Determine auto-mergeability
- id: auto
- run: echo "enabled=${{steps.metadata.outputs.dependency-type == 'direct:development' && (steps.metadata.outputs.update-type == 'version-update:semver-patch' || steps.metadata.outputs.update-type == 'version-update:semver-minor')}}" >> $GITHUB_OUTPUT
- - name: Enable auto-merge for patches
- if: steps.auto.outputs.enabled == 'true'
- run: gh pr merge --auto --squash "$PR_URL"
- env:
- PR_URL: ${{github.event.pull_request.html_url}}
- GITHUB_TOKEN: ${{secrets.GH_TOKEN}}
- - name: Approve the PR
- if: steps.auto.outputs.enabled == 'true'
- run: |
- gh pr checkout "$PR_URL"
- if [ "$(gh pr status --json reviewDecision -q .currentBranch.reviewDecision)" != "APPROVED" ];
- then
- gh pr review --approve "$PR_URL"
- else
- echo "PR already approved.";
- fi
- env:
- PR_URL: ${{github.event.pull_request.html_url}}
- GITHUB_TOKEN: ${{secrets.GH_TOKEN}}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 66ab5fe..ca12abd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -13,23 +13,28 @@ concurrency:
 jobs:
 test:
 uses: ./.github/workflows/test.yml
- secrets:
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+ secrets: inherit
 release:
 runs-on: ubuntu-latest
 needs: test
+ permissions:
+ contents: write
+ issues: write
+ pull-requests: write
+ packages: write
 steps:
 - name: Checkout
 uses: actions/checkout@v4
 with:
+ fetch-depth: 0
 persist-credentials: false
 - name: Setup NPM token
 run: echo "//npm.pkg.github.com/:_authToken=${{ secrets.GITHUB_TOKEN }}" >> .npmrc
 - name: Install
 run: yarn install --frozen-lockfile --non-interactive
 - name: Release
+ run: npx semantic-release
 env:
- GITHUB_TOKEN: ${{ secrets.GH_DEPLOY_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- run: yarn run semantic-release
+ GITHUB_TOKEN: ${{ secrets.GH_SEMANTIC_RELEASE_TOKEN }}
+ NPM_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f605e80..f8fe429 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -1,8 +1,4 @@
-on:
- workflow_call:
- secrets:
- NPM_TOKEN:
- required: true
+on: workflow_call
 jobs:
 test:
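Review bot: The new `permissions:` block gives the job's GITHUB_TOKEN `contents`, `issues` and `pull-requests` write, yet in this hunk that token is only used as `NPM_TOKEN` and in the `.npmrc` line, which need `packages: write`; the GitHub-side release work is handed to `GH_SEMANTIC_RELEASE_TOKEN` via the `GITHUB_TOKEN` env var. Unless a semantic-release plugin configured outside this diff reads the workflow token for the API, trim it to `permissions:` / `packages: write` so that code pulled in by `yarn install` or `npx semantic-release` cannot push commits or edit issues with the workflow token. `npx semantic-release` also differs from the previous `yarn run semantic-release`: if semantic-release is not in the lockfile-installed node_modules, npx fetches an unpinned latest version at release time, so either keep `yarn run` or pin an exact version. Finally, `secrets: inherit` on the `test` call now forwards every secret, the PAT included, to test.yml, whereas only `NPM_TOKEN` was passed before.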
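Review bot: Removing the `secrets:` declaration under `workflow_call` means a caller can no longer pass `NPM_TOKEN` by name and is steered to `secrets: inherit`, which exposes every repository secret to this workflow instead of the single one it consumed. If a step below still reads `secrets.NPM_TOKEN`, keep a narrow declaration — `workflow_call:` / `secrets:` / `NPM_TOKEN:` with `required: false` — so callers can hand over exactly that token; if nothing here reads a secret any more, the bare `on: workflow_call` is fine as written. The `test` job's steps begin past the end of this hunk, so which case applies is not visible here.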