From d19638a4712ab3fbc3a0ca1095cda64c65b52b6a Mon Sep 17 00:00:00 2001
From: Dusty Greif
Date: Wed, 3 Jun 2026 10:47:37 -0400
Subject: [PATCH] Improve supply chain configuration
Update CI and publish workflows to use Node 26, npm ci, and pinned GitHub Actions SHAs. Add npm min-release-age configuration and refresh the lockfile after npm install/audit fix.\n\nCo-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 .github/workflows/publish.yml | 12 ++++++------
 .github/workflows/test.yml | 17 +++++++++++------
 .npmrc | 1 +
 package-lock.json | 4 ++--
 4 files changed, 20 insertions(+), 14 deletions(-)
 create mode 100644 .npmrc
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index f5542ee..618d8f2 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -11,10 +11,10 @@ jobs:
 contents: read
 id-token: write
 steps:
- - uses: actions/checkout@v5
- - uses: actions/setup-node@v5
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
 with:
- node-version: 24
+ node-version: 26
 registry-url: https://registry.npmjs.org/
 cache: npm
 - run: npm ci
@@ -31,10 +31,10 @@ jobs:
 packages: write
 id-token: write
 steps:
- - uses: actions/checkout@v5
- - uses: actions/setup-node@v5
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
 with:
- node-version: 24
+ node-version: 26
 registry-url: https://npm.pkg.github.com
 cache: npm
 - run: npm ci
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 8770e9a..b440888 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
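Review bot: The two pinned `uses:` lines in the first publish.yml hunk carry no trailing version comment, so nothing in the file says which release `df4cb1c…` or `48b55a0…` corresponds to, and a reviewer cannot confirm from the diff that each SHA is a tagged upstream release rather than an arbitrary commit. Append the tag to each pin, e.g. `- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # <RELEASE_TAG>`; dependency-update bots also read that comment when they bump a pin. The same applies to the second publish job's hunk and to the pins in test.yml.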
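Review bot: `cache: npm` stays on the setup-node step of a job that holds `packages: write` and `id-token: write`, so the publish build restores an npm cache that other workflow runs in the repository may have written; this commit also enables the same cache in test.yml. For a release job it is safer to install without a restored cache, e.g. remove the `cache: npm` line here and in the first publish job, accepting a slower install. The publish step itself is outside this hunk, so whether anything else consumes the cache cannot be seen from here.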
@@ -1,18 +1,23 @@
 name: Node CI
+permissions:
+ contents: read
+
 on: [push]
 jobs:
 build:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v2
- - name: Use Node.js 24.x
- uses: actions/setup-node@v5
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+ - name: Use Node.js 26.x
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e
 with:
- node-version: 24.x
- - name: npm install, build, and test
+ node-version: 26.x
+ cache: npm
+ - name: npm ci and test
 run: |
- npm it
+ npm ci
+ npm test
 env:
 CI: true
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..ec9e05d
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1 @@
+min-release-age=3
diff --git a/package-lock.json b/package-lock.json
index bc4be5c..f02e4be 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "@github/prettier-config",
- "version": "0.0.4",
+ "version": "0.0.0-development",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "@github/prettier-config",
- "version": "0.0.4",
+ "version": "0.0.0-development",
 "license": "MIT",
 "devDependencies": {
 "prettier": "^2.8.0"
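Review bot: The new checkout step in test.yml keeps the default credential persistence, which leaves the job token in the checked-out repository's git config while `npm ci` and `npm test` run dependency and test code. The added `permissions: contents: read` limits that token to read access, but it is simple to drop it altogether by adding `with:` and `persist-credentials: false` under the checkout step. The checkout steps in publish.yml use the same default, and one of those jobs runs with `packages: write`.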
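Review bot: `min-release-age=3` has no unit or explanation next to it, and the file does not say which npm version is needed for the setting to take effect; an npm that predates the option would presumably not enforce it. A comment line above it would help, e.g. `; hold back newly published versions; value is in days (confirm against the npm docs), needs npm >= <MIN_NPM_VERSION>`. It is also worth confirming that the option affects the `npm ci` installs used in the workflows, since those install from the lockfile and the protection may apply mainly when the lockfile is regenerated.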