fix(ci): use Node 22/24 matrix and relax perf threshold for CI #5
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish to npm | |
| on: | |
| push: | |
| tags: ["v*"] | |
| # Deny all permissions by default — grant per-job | |
| permissions: {} | |
| jobs: | |
| publish: | |
| name: Publish | |
| runs-on: ubuntu-latest | |
| environment: npm-publish | |
| permissions: | |
| contents: read | |
| id-token: write # Required for OIDC Trusted Publishing + Sigstore provenance | |
| steps: | |
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 | |
| - run: corepack enable | |
| # Node 24.x required for npm >= 11.5.1 (OIDC Trusted Publishing) | |
| - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4 | |
| with: | |
| node-version: "24.x" | |
| registry-url: "https://registry.npmjs.org" | |
| cache: pnpm | |
| - run: pnpm install --frozen-lockfile | |
| - name: Validate | |
| run: pnpm run validate | |
| - name: Test | |
| run: pnpm test | |
| - name: Build | |
| run: pnpm run build | |
| - name: Verify tag matches package.json version | |
| run: | | |
| PKG_VERSION="v$(node -p 'require("./package.json").version')" | |
| GIT_TAG="${GITHUB_REF#refs/tags/}" | |
| if [ "$PKG_VERSION" != "$GIT_TAG" ]; then | |
| echo "::error::Tag $GIT_TAG does not match package.json version $PKG_VERSION" | |
| exit 1 | |
| fi | |
| - name: Publish with provenance | |
| run: npm publish --provenance --access public | |
| env: | |
| # NODE_AUTH_TOKEN must be unset (not empty) for OIDC to activate. | |
| # setup-node writes .npmrc with ${NODE_AUTH_TOKEN} placeholder; | |
| # when unset, npm falls through to OIDC. | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |