From 01e1179c893fbb9898bd4d6864918adadaa2e513 Mon Sep 17 00:00:00 2001
From: Stephane Moser
Date: Thu, 21 May 2026 14:39:43 +0100
Subject: [PATCH 1/6] CICDL-347: enable public npm publishing via trusted publishers (OIDC) Switches from token-based npm auth to OIDC trusted publishers, adds publish workflow, and registers repo as a library for org ruleset.
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/ci.yml | 6 +++---
 .github/workflows/publish.yml | 16 ++++++++++++++++
 package.json | 3 +++
 repository.json | 7 +++++++
 4 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 .github/workflows/publish.yml
 create mode 100644 repository.json
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 29ade7f..954ecec 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,10 +10,10 @@ jobs:
 ci:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
- - uses: actions/setup-node@v4
+ - uses: actions/checkout@v6
+ - uses: actions/setup-node@v6
 with:
- node-version: 20
+ node-version-file: .nvmrc
 cache: npm
 - run: npm ci
 - run: npm run lint
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..b91f130
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,16 @@
+name: NPM Publish
+on:
+ pull_request:
+ types: [labeled]
+ branches: [master]
+jobs:
+ npm-publish:
+ if: contains(github.event.label.name, 'npm-version')
+ uses: pipedrive-actions/github-actions-workflows/.github/workflows/reusable_cicd-npm-publish.yml@master
+ with:
+ skip_functional_tests: true
+ use_trusted_publisher: true
+ permissions:
+ id-token: write
+ contents: read
+ secrets: inherit
\ No newline at end of file
diff --git a/package.json b/package.json
index c92783d..956b849 100644
--- a/package.json
+++ b/package.json
@@ -38,5 +38,8 @@
 "typescript": "^5.4.0",
 "typescript-eslint": "^8.0.0",
 "vitest": "^1.6.0"
+ },
+ "publishConfig": {
+ "access": "public"
 }
 }
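Review bot: The `node-version-file: .nvmrc` line in the ci.yml hunk of PATCH 1/6 relies on a file this patch does not add (the diffstat lists four files, none of them `.nvmrc`), so the setup-node step presumably fails unless that file is already in the repository; worth confirming. Both actions are also referenced by the movable tag `@v6`. Pinning each to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v6`, keeps a retagged release from silently changing what CI executes. The steps list continues outside the hunk.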
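Review bot: In the new publish.yml of PATCH 1/6, the job that is granted `id-token: write` and `secrets: inherit` calls the reusable workflow at `@master`, a movable ref, so whatever is on that branch of pipedrive-actions/github-actions-workflows at run time executes with this repository's npm publishing identity. Pin the call to a reviewed commit, `uses: pipedrive-actions/github-actions-workflows/.github/workflows/reusable_cicd-npm-publish.yml@<full-commit-sha>`, and update it deliberately. Since trusted publishing is meant to replace the npm token, `secrets: inherit` looks broader than needed; an explicit `secrets:` map naming only what the called workflow still reads (or no `secrets:` key at all) limits what a compromised callee can see. The trigger is `pull_request` with `types: [labeled]`, so the publish appears to run from a pull request before merge; a comment stating who is expected to apply the label and what review must precede it would make that assumption checkable.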
diff --git a/repository.json b/repository.json
new file mode 100644
index 0000000..8c0a40d
--- /dev/null
+++ b/repository.json
@@ -0,0 +1,7 @@
+{
+ "name": "create-pipedrive-app",
+ "description": "Scaffold a production-ready Pipedrive Marketplace app",
+ "owner": "Gravity",
+ "type": "library",
+ "status": "released"
+}
\ No newline at end of file
From 77651a6b9a52491e4a5136ba89bec7d77d5710e0 Mon Sep 17 00:00:00 2001
From: Stephane Moser
Date: Thu, 21 May 2026 14:47:20 +0100
Subject: [PATCH 2/6] CICDL-347: fix publish workflow trigger to match npm-ready-for-publish label
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b91f130..6687097 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,7 +5,7 @@ on:
 branches: [master]
 jobs:
 npm-publish:
- if: contains(github.event.label.name, 'npm-version')
+ if: ${{ github.event.label.name == 'npm-ready-for-publish' }}
 uses: pipedrive-actions/github-actions-workflows/.github/workflows/reusable_cicd-npm-publish.yml@master
 with:
 skip_functional_tests: true
From 8d9ba7464303b4ef14f37afcf8b4978bab0e334f Mon Sep 17 00:00:00 2001
From: Stephane Moser
Date: Thu, 21 May 2026 14:50:06 +0100
Subject: [PATCH 3/6] CICDL-347: fix publish workflow: trigger on npm-ready-for-publish, add revision input
Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/publish.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6687097..2756199 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -8,6 +8,7 @@ jobs:
 if: ${{ github.event.label.name == 'npm-ready-for-publish' }}
 uses: pipedrive-actions/github-actions-workflows/.github/workflows/reusable_cicd-npm-publish.yml@master
 with:
+ revision: ${{ github.event.pull_request.head.ref }}
 skip_functional_tests: true
 use_trusted_publisher: true
 permissions:
From 2029ae50f7dd50296c01d931e2f91cfa4265e838 Mon Sep 17 00:00:00 2001
From: Stephane Moser
Date: Thu, 21 May 2026 14:56:08 +0100
Subject: [PATCH 4/6] CICDL-347: Revert to placeholder version
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 956b849..125e7c4 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "create-pipedrive-app",
- "version": "0.1.0",
+ "version": "0.0.1",
 "description": "Scaffold a production-ready Pipedrive Marketplace app",
 "license": "MIT",
 "type": "module",
From 12e76f4df19442524f10dbfca4f8e7d7b1db07f4 Mon Sep 17 00:00:00 2001
From: Stephane Moser
Date: Thu, 21 May 2026 15:12:47 +0100
Subject: [PATCH 5/6] CICDL-347: update permissions
---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 2756199..4d602dd 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -13,5 +13,5 @@ jobs:
 use_trusted_publisher: true
 permissions:
 id-token: write
- contents: read
+ contents: write
 secrets: inherit
\ No newline at end of file
From 321c8bc7b43f5ab1b28f9c12660bed9ac3d8a164 Mon Sep 17 00:00:00 2001
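Review bot: `revision: ${{ github.event.pull_request.head.ref }}` in PATCH 3/6 hands the called workflow a branch name, which is both text chosen by the pull-request author and a pointer that can move. If the reusable workflow expands `inputs.revision` directly inside a `run:` script instead of passing it through an environment variable or a checkout `ref:`, the name would be interpreted by the shell; that workflow is not visible here, so this needs to be checked there. Commits pushed to the branch after the label is applied would also be what gets built and published. If the input accepts a commit id, `revision: ${{ github.event.pull_request.head.sha }}` ties the release to the exact commit that was labeled.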
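Review bot: PATCH 5/6 widens the publish job's token from `contents: read` to `contents: write` without saying why, in a job that already holds `id-token: write` and runs against a pull-request branch. With write scope the called workflow can push commits and tags to this repository, so the grant should carry its justification next to it, for example `contents: write  # required by <step in the reusable workflow that writes to the repo>`. If the write is only needed for tagging or release notes, it is worth checking whether the called workflow can do that in a separate job so the step that publishes to npm keeps a read-only token.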
From: Stephane Moser
Date: Thu, 21 May 2026 15:25:25 +0100
Subject: [PATCH 6/6] =?UTF-8?q?CICDL-347:=20scope=20vitest=20to=20src/=20?= =?UTF-8?q?=E2=80=94=20publish=20workflow=20checks=20out=20gha-setup=20whi?= =?UTF-8?q?ch=20has=20its=20own=20tests?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Claude Sonnet 4.6
---
 vitest.config.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/vitest.config.ts b/vitest.config.ts
index b664da7..7e8a280 100644
--- a/vitest.config.ts
+++ b/vitest.config.ts
@@ -3,6 +3,7 @@ import { defineConfig } from 'vitest/config';
 export default defineConfig({
 test: {
 environment: 'node',
+ include: ['src/**/*.test.ts'],
 exclude: ['**/node_modules/**', '**/.claude/**'],
 },
 });
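Review bot: `include: ['src/**/*.test.ts']` in PATCH 6/6 carries no comment explaining why the default test glob was narrowed; the reason exists only in the commit subject. A line above it such as `// Only src/: the publish workflow checks out gha-setup, which ships its own tests.` would keep a later cleanup from removing it. The narrower glob also means test files outside src/, or named `*.spec.ts` or `*.test.tsx`, stop being collected without any failure, so it is worth confirming none exist before the publish pipeline relies on this run as its gate.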