Push to protected branches fix (#113)

* chore: add cross-env to enable Windows support * chore: semantic-release pushing to protected branches with fine-grained token --------- Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
vorotech · Mar 10, 2024 · 485844e · 485844e
1 parent 67be4e2
commit 485844e
Showing 1 changed file with 23 additions and 8 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,22 +1,37 @@
 name: Release
-
 on:
   push:
     branches: [ "main" ]
 
+permissions:
+  contents: read # for checkout
+
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - name: Checkout
+        uses: actions/checkout@v4
         with:
-          node-version: 18
-      - run: npm ci
-      - run: npm test
-
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: "lts/*"
+      - name: Run CI scripts
+        run: npm ci
+      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+        run: npm audit signatures
+      - name: Run tests
+        run: npm test
       - name: Release
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.CI_GITHUB_TOKEN }}
         run: npm run semantic-release