ci: rehaul the pipeline (update + new steps)

Author: JulianCataldo

.github/workflows/release.yaml

@@ -1,40 +1,72 @@
 # https://help.github.com/en/categories/automating-your-workflow-with-github-actions
-# TODO: Clean-up
 # See: https://github.com/JulianCataldo/gh-actions
 
-name: 'Release'
+# For matrix setup:
+# https://github.com/withastro/astro/blob/main/.github/workflows/ci.yml
+# https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow
+
+name: CI / Release
 
 on:
+  workflow_dispatch:
   push:
+    paths-ignore:
+      - .github/**
+      - '!.github/workflows/release.yaml'
+      - '**/*.md'
     branches:
       - '([0-9])?(.{+([0-9]),x}).x'
-      - 'main'
-      - 'next'
-      - 'next-major'
-      - 'alpha'
-      - 'beta'
+      - main
+      - next
+      - next-major
+      - alpha
+      - beta
+      - 'feat/*'
+      - 'fix/*'
+      # - to-integrate
+      # - to-integrate-next
 
 permissions:
-  contents: 'read' # for checkout
+  contents: read # for checkout
 
 jobs:
   release:
-    name: 'Release'
-    runs-on: 'ubuntu-latest'
+    name: CI / Release
+
     permissions:
-      contents: 'write' # to be able to publish a GitHub release
-      issues: 'write' # to be able to comment on released issues
-      pull-requests: 'write' # to be able to comment on released pull requests
-      id-token: 'write' # to enable use of OIDC for npm provenance
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
+
+    runs-on: ubuntu-latest
+    # TODO:
+    # runs-on: ${{ matrix.os }}
+    # timeout-minutes: 25
+    # # needs: build
+    # strategy:
+    #   matrix:
+    #     OS: [ubuntu-latest]
+    #     NODE_VERSION: [18, 20]
+    #     include:
+    #       - os: macos-14
+    #         NODE_VERSION: 18
+    #       - os: windows-latest
+    #         NODE_VERSION: 18
+    #   fail-fast: false
+    # env:
+    #   NODE_VERSION: ${{ matrix.NODE_VERSION }}
 
     steps:
-      # - name: "Harden Runner"
-      #   uses: "step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09" # v2.5.1
-      #   with:
-      #     egress-policy: "audit"
+      # MARK: Setup GH Action
+
+      - name: 'Harden Runner'
+        uses: 'step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142' # v2.7.0
+        with:
+          egress-policy: 'audit'
 
-      - name: 'Git checkout'
-        uses: 'actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744' # v3.6.0
+      - name: Git checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.2
         # run: git fetch --depth=1 origin +refs/tags/*:refs/tags/*
         with:
           fetch-depth: 0
@@ -46,71 +78,101 @@ jobs:
       #   GIT_AUTHOR_NAME: "GitHub Actions Shell"
       #   EMAIL: "github-actions[bot]@users.noreply.github.com"
 
-      - name: 'Setup PNPM'
-        uses: 'pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598' # v2.4.0
+      # MARK: Setup Node env.
+
+      - name: Setup PNPM
+        uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
         with:
           run_install: false
 
-      - name: 'Use Node.js 20.6.1'
-        uses: 'actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d' # v3.8.1
+      - name: Use Node.js 22.2.0
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
         with:
           # registry-url: "https://registry.npmjs.org"
-          node-version: '20.6.1'
-          cache: 'pnpm'
+          node-version: 22.2.0
+          cache: pnpm
 
-      # @see: npm install -g npm@latest is necessary to make provenance available. More info: https://docs.npmjs.com/generating-provenance-statements
-      # - name: "Upgrade npm to latest version"
-      #   run: "npm install --global [email protected]"
-      #   env:
-      #     SKIP_CHECK: "true"
+      - name: Install packages
+        shell: bash
+        run: pnpm install --frozen-lockfile
 
-      # - name: "Check npm version"
-      #   run: "npm -v"
-      #   env:
-      #     SKIP_CHECK: "true"
+      # TODO: More tests
+      # - name: Syncpack Lint
+      #   shell: bash
+      #   run: node --run syncpack:lint
 
-      - name: 'Install packages'
-        run: 'pnpm install --frozen-lockfile'
+      # NOTE: Audit is for prod only because a lot of root packages (like lerna etc.)
+      # are used old packages with intricate dependency trees, and they are
+      # never shipped to the user. But that's not 100% optimal, as devDeps could
+      # provoke some sec issues, too? A middleground is better than nothing and
+      # regularly blocked releases for obscure root mono-repo tooling deps.
+      - name: 'Verify the integrity of provenance attestations and registry signatures for installed [prod] dependencies'
+        run: node --run audit
 
-      # - name: "Verify the integrity of provenance attestations and registry signatures for installed dependencies"
-      #   run: "pnpm audit signatures"
+      # MARK: Lint/Checks pre-build
 
-      # - name: "npm v8.5+ requires workspaces-update to be set to false"
-      #   run: "echo 'workspaces-update=false' >> .npmrc"
+      # TODO: Setup Husky etc.
+      # - name: Lint last commit — Commitlint
+      #   shell: bash
+      #   run: node --run lint:commit
 
-      # - name: "Semantic Release"
-      #   if: "success()"
-      #   env:
-      #     GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
-      #     NPM_TOKEN: "${{ secrets.NPM_TOKEN }}"
-      #     GIT_AUTHOR_NAME: "github-actions-shell"
-      #     GIT_AUTHOR_EMAIL: "github-actions[bot]@users.noreply.github.com"
-      #     GIT_COMMITTER_NAME: "github-actions-shell"
-      #     GIT_COMMITTER_EMAIL: "github-actions[bot]@users.noreply.github.com"
-      #   run: "pnpm exec multi-semantic-release"
+      # - name: Lint CSS — Stylelint
+      #   shell: bash
+      #   run: node --run lint:css
+
+      - name: Check all formatting — Prettier
+        shell: bash
+        run: node --run format
+
+      # MARK: Build packages
+
+      - name: Setup Turbo cache
+        uses: dtinth/setup-github-actions-caching-for-turbo@a0e976d970c2a94366a26984efcef3030e2c0115 # v1.2.0
+
+      - name: Build all packages
+        shell: bash
+        run: node --run build
+
+      # MARK: Lint/Checks post-build
 
-      - name: 'Setup Turbo cache'
-        uses: dtinth/setup-github-actions-caching-for-turbo@v1
+      - name: Lint JS/TS — ESLint
+        shell: bash
+        run: node --run lint:es
 
-      - name: 'Build all packages'
-        run: 'pnpm build'
+      # MARK:Tests
 
-      - name: 'Create temporary NPM identity'
+      - name: Tests — Units
+        shell: bash
+        run: node --run test:unit
+
+      # - name: Tests — Integration
+      #   shell: bash
+      #   run: node --run test:integration
+
+      # TODO: Build and launch example-app
+      # - name: Tests — E2E
+      #   shell: bash
+      #   run: node --run test:e2e
+
+      # MARK: Publish packages
+
+      - name: Create temporary NPM identity # + Enable Provenance
         env:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        # run: |
+        #   echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN\nprovenance=true" > .npmrc
+        #   echo "provenance=true" > .npmrc
         run: |
           echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > .npmrc
 
-      - name: 'Git user configuration'
+      - name: Git user configuration
         run: |
           git config --global user.name "${{ github.actor }}"
           git config --global user.email "${{ github.actor }}@users.noreply.github.com"
 
-      # - name: 'Lerna version'
-      #   run: |
-      #     pnpm lerna version --conventional-commits --yes
-
+      # MARK: [MAIN]
       - name: 'Lerna publish [main]'
+        # if: github.ref == 'refs/heads/to-integrate'
         if: github.ref == 'refs/heads/main'
         # https://github.com/lerna/lerna/issues/2532
         id: graduateRelease
@@ -119,7 +181,7 @@ jobs:
           GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
           NPM_TOKEN: '${{ secrets.NPM_TOKEN }}' # Not really needed (already global)
         run: |
-          pnpm lerna publish --conventional-commits --exact --conventional-graduate --create-release=github --yes
+          pnpm lerna publish --message 'chore: publish [main] release [skip ci]' --create-release=github --conventional-graduate --yes
 
       - name: Bump Prod Version Fallback
         if: ${{ always() && steps.graduateRelease.outcome == 'failure'  }}
@@ -129,18 +191,28 @@ jobs:
         run: |
           echo Falling back to non-graduate release due to https://github.com/lerna/lerna/issues/2532
           git stash
-          pnpm lerna publish --conventional-commits --exact --create-release=github --yes
+          pnpm lerna publish --message 'chore: publish [main] release [skip ci]' --create-release=github --yes
 
+      # # TRY: https://www.jessesquires.com/blog/2021/10/17/github-actions-workflows-for-automatic-rebasing-and-merging/
+      # - name: Merge (rebase) back main into next
+      #   env:
+      #     GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+      #   run: |
+      #     git checkout next
+      #     git rebase main
+      #     git push
+
+      # MARK: [NEXT]
       - name: 'Lerna publish [next]'
         if: github.ref == 'refs/heads/next'
+        # if: github.ref == 'refs/heads/to-integrate-next'
         env:
           NPM_TOKEN: '${{ secrets.NPM_TOKEN }}' # Not really needed (already global)
-        run: |
-          pnpm lerna publish --conventional-commits --exact --conventional-prerelease --canary --dist-tag=next --preid=next --yes
 
-      # pnpm publish -r
-
-      # - name: "Publish"
-      #   run: "pnpm publish -r"
-
-#  --changelog-preset conventionalcommits
+        # --canary next
+        # https://github.com/lerna/lerna/issues/1433
+        # pnpm lerna publish --conventional-prerelease --dist-tag=next --preid=next --no-changelog --yes
+        # pnpm lerna publish --conventional-prerelease --pre-dist-tag=next --preid=next --yes
+        # pnpm lerna publish --force-publish='*' --canary --pre-dist-tag=next --preid=next --yes
+        run: |
+          pnpm lerna publish --message 'chore: publish [next] pre-release' --conventional-prerelease --pre-dist-tag=next --preid=next --yes

package.json

@@ -2,8 +2,8 @@
   "name": "@jsfe/root",
   "version": "0.0.0",
   "private": true,
-  "homepage": "https://jsfe.js.org",
   "description": "Effortless forms, with standards.",
+  "homepage": "https://jsfe.js.org",
   "repository": {
     "type": "git",
     "url": "https://github.com/json-schema-form-element/jsfe"
@@ -15,26 +15,24 @@
     "url": "https://www.juliancataldo.com"
   },
   "type": "module",
-  "engines": {
-    "node": ">=20.0.0"
-  },
   "scripts": {
-    "dev": "turbo run dev --filter=!@jsfe/example-app --filter=!@jsfe/e2e",
+    "// publish:dry": "pnpm lerna publish --dry-run",
+    "// test": "cd tests && pnpm test",
+    "audit": "pnpm audit signatures --prod",
     "build": "turbo run build --filter=!@jsfe/example-app --filter=!@jsfe/e2e",
-    "ts:build": "turbo run ts:build --filter=!@jsfe/example-app --filter=!@jsfe/e2e",
-    "lint": "turbo run lint",
-    "lint:fix": "turbo run lint:fix",
-    "format": "turbo run format",
-    "format:check": "turbo run format:check",
     "check": "pnpm run lint && pnpm run format:check",
+    "dev": "turbo run dev --filter=!@jsfe/example-app --filter=!@jsfe/e2e",
+    "format": "turbo run format",
+    "format:fix": "turbo run format:fix",
     "gen:manifests": "./scripts/manifests.sh",
+    "lint:es": "turbo run lint:es",
+    "lint:es:fix": "turbo run lint:es:fix",
     "test": "vitest",
-    "test:unit": "FORCE_COLOR=1 pnpm -r --parallel test:unit",
-    "test:unit:dev": "FORCE_COLOR=1 pnpm -r --parallel test:unit:dev",
     "test:e2e": "pnpm --filter=@jsfe/e2e test",
     "test:e2e:dev": "pnpm --filter=@jsfe/e2e test:ui",
-    "// test": "cd tests && pnpm test",
-    "// publish:dry": "pnpm lerna publish --dry-run",
+    "test:unit": "FORCE_COLOR=1 pnpm -r --parallel test:unit",
+    "test:unit:dev": "FORCE_COLOR=1 pnpm -r --parallel test:unit:dev",
+    "// ts:build": "turbo run ts:build --filter=!@jsfe/example-app --filter=!@jsfe/e2e",
     "util:scaffold": "plop --plopfile scripts/scaffold/plopfile.js",
     "util:sort": "keep-sorted packages/*/src/widgets/index.ts packages/*/src/styles.scss && sort-package-json packages/*/package.json"
   },
@@ -72,5 +70,28 @@
     "typedoc-plugin-markdown": "^4.6.2",
     "typescript": "^5.8.3"
   },
-  "packageManager": "[email protected]"
+  "packageManager": "[email protected]",
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "pnpm": {
+    "overrides": {
+      "array-includes": "npm:@nolyfill/array-includes@^1",
+      "array.prototype.findlastindex": "npm:@nolyfill/array.prototype.findlastindex@^1",
+      "array.prototype.flat": "npm:@nolyfill/array.prototype.flat@^1",
+      "array.prototype.flatmap": "npm:@nolyfill/array.prototype.flatmap@^1",
+      "es-set-tostringtag": "npm:@nolyfill/es-set-tostringtag@^1",
+      "hasown": "npm:@nolyfill/hasown@^1",
+      "is-core-module": "npm:@nolyfill/is-core-module@^1",
+      "isarray": "npm:@nolyfill/isarray@^1",
+      "object.assign": "npm:@nolyfill/object.assign@^1",
+      "object.fromentries": "npm:@nolyfill/object.fromentries@^1",
+      "object.groupby": "npm:@nolyfill/object.groupby@^1",
+      "object.values": "npm:@nolyfill/object.values@^1",
+      "safe-buffer": "npm:@nolyfill/safe-buffer@^1",
+      "safer-buffer": "npm:@nolyfill/safer-buffer@^1",
+      "string.prototype.trimend": "npm:@nolyfill/string.prototype.trimend@^1",
+      "typedarray": "npm:@nolyfill/typedarray@^1"
+    }
+  }
 }

packages/engine/package.json

@@ -55,18 +55,18 @@
     "// css:to-js": "node ../../scripts/css-to-js.js dist/esm/styles.css",
     "// css:to-js:dev": "nodemon dist/esm/styles.css -x 'pnpm css:to-js'",
     "// dev": "pnpm ts:dev & pnpm css:dev & (sleep 3 && pnpm css:to-js:dev)",
-    "build": "pnpm clean ; pnpm ts:build || exit 0",
+    "// build 2": "pnpm clean ; pnpm ts:build || exit 0",
+    "// dev 2": "pnpm ts:dev",
     "clean": "rm -rf ./dist",
-    "dev": "pnpm ts:dev",
-    "ts:build": "pnpm tsc",
-    "ts:dev": "pnpm tsc --watch",
+    "build": "pnpm tsc",
+    "dev": "pnpm tsc --watch",
     "test": "pnpm tsc",
     "test:unit": "node --test --test-reporter=spec --experimental-test-coverage --enable-source-maps 'dist/**/*.test.js'",
     "test:unit:dev": "node --test --enable-source-maps --watch 'dist/**/*.test.js'",
-    "lint": "eslint --cache \"src/**/*.{ts,tsx,js}\"",
-    "lint:fix": "eslint --fix --cache \"src/**/*.{ts,tsx,js}\"",
-    "format": "prettier --cache --write \"src/**/*.{ts,tsx,js,json,md,yml}\"",
-    "format:check": "prettier --cache --check \"src/**/*.{ts,tsx,js,json,md,yml}\""
+    "lint:es": "eslint --cache \"src/**/*.{ts,tsx,js}\"",
+    "lint:es:fix": "eslint --fix --cache \"src/**/*.{ts,tsx,js}\"",
+    "format": "prettier --cache --check \"src/**/*.{ts,tsx,js,json,md,yml}\"",
+    "format:fix": "prettier --cache --write \"src/**/*.{ts,tsx,js,json,md,yml}\""
   },
   "dependencies": {
     "@standard-schema/spec": "^1.0.0",