ci: Enable trusted publishing and npm provenance (#975)

Author: rfgamaral

.github/workflows/chromatic.yml

@@ -7,23 +7,32 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v4
+              uses: actions/checkout@v5
               with:
                   fetch-depth: 0
 
             - name: Prepare Node.js environment
-              uses: actions/setup-node@v3
+              uses: actions/setup-node@v6
               with:
-                  node-version-file: '.nvmrc'
+                  node-version-file: '.node-version'
                   registry-url: https://npm.pkg.github.com
                   scope: '@doist'
 
-            - name: Install dependencies
-              run: npm install
+            - name: Cache project 'node_modules' directory
+              id: node-modules-cache
+              uses: actions/cache@v4
+              with:
+                  key: node-modules-cache-${{ hashFiles('**/package-lock.json', '**/.node-version') }}
+                  path: node_modules/
+
+            - name: Install project npm dependencies
+              if: ${{ steps.node-modules-cache.outputs.cache-hit != 'true' }}
+              run: npm ci
 
             - name: Publish to Chromatic
               uses: chromaui/action@d7afd50124cf4f337bcd943e7f45cfa85a5e4476
               with:
                   projectToken: ${{ secrets.CHROMATIC_PROJECT_TOKEN }}
                   skip: dependabot/**
                   onlyChanged: true
+                  buildScriptName: build:storybook

.github/workflows/deploy-storybook.yml

@@ -28,19 +28,23 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Checkout
-              uses: actions/checkout@v4
+              uses: actions/checkout@v5
 
-            - name: Read Node.js version from '.nvmrc'
-              id: nvmrc
-              run: |
-                  echo "NODE_VERSION=$(cat .nvmrc)" >> $GITHUB_OUTPUT
+            - name: Prepare Node.js environment
+              uses: actions/setup-node@v6
+              with:
+                  cache: npm
+                  node-version-file: .node-version
 
-            - name: Setup Node.js
-              uses: actions/setup-node@v1
+            - name: Cache project 'node_modules' directory
+              id: node-modules-cache
+              uses: actions/cache@v4
               with:
-                  node-version: ${{ steps.nvmrc.outputs.NODE_VERSION }}
+                  key: node-modules-cache-${{ hashFiles('**/package-lock.json', '**/.node-version') }}
+                  path: node_modules/
 
-            - name: Install dependencies
+            - name: Install project npm dependencies
+              if: ${{ steps.node-modules-cache.outputs.cache-hit != 'true' }}
               run: npm ci
 
             - name: Build storybook

.github/workflows/publish.yml

@@ -23,51 +23,56 @@ jobs:
         # Based on historical data
         timeout-minutes: 60
         steps:
-            - uses: actions/checkout@v4
+            - name: Checkout repository
+              uses: actions/checkout@v5
 
             - name: Prepare Node.js environment
-              uses: actions/setup-node@v3
+              uses: actions/setup-node@v6
               with:
-                  node-version-file: '.nvmrc'
+                  cache: npm
+                  node-version-file: .node-version
 
-            # Temporarily disabled until we can upgrade to Node.js 20+
-            # ref: https://github.com/Doist/reactist/actions/runs/18786284512/job/53605250671
-            # - name: Ensure npm 11.5.1 or later is installed
-            #   run: npm install -g npm@latest
+            - name: Cache project 'node_modules' directory
+              id: node-modules-cache
+              uses: actions/cache@v4
+              with:
+                  key: node-modules-cache-${{ hashFiles('**/package-lock.json', '**/.node-version') }}
+                  path: node_modules/
+
+            - name: Ensure npm 11.5.1 or later is installed
+              run: npm install -g npm@latest
 
-            # Remove any registry configurations from .npmrc
-            - run: sed -i "/@doist/d" ./.npmrc
+            - name: Install project npm dependencies
+              if: ${{ steps.node-modules-cache.outputs.cache-hit != 'true' }}
+              run: |
+                  npm ci
 
-            - run: npm ci
             - run: npm run lint
             - run: npm run type-check
             - run: npm test
-
-            # Build artifacts for publishing
             - run: npm run build
 
-            # Publish to GitHub package registry
-            - name: Publish to GitHub Package Registry
-              uses: actions/setup-node@v3
-              with:
-                  node-version-file: '.nvmrc'
-                  registry-url: https://npm.pkg.github.com/
-                  scope: '@doist'
-            - run: npm publish
-              env:
-                  NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            # The Node.js environment is prepared based on the `.npmrc` file in the repo, which
+            # configures Doist scoped packages to use the public npm registry with OIDC
+            # authentication for the initial `semantic-release` publish, after which we remove the
+            # Doist registry configuration, and prepare the Node.js environment for the GitHub
+            # Packages registry, providing a predictable release workflow for both registries.
+
+            - name: Publish package to public npm registry
+              run: npm publish
 
-            - name: Clear npm config between GitHub/npm registries
-              run: rm -f $NPM_CONFIG_USERCONFIG
+            - name: Remove Doist registry configuration from `.npmrc`
+              run: npm config delete @doist:registry --location=project
 
-            # Publish to npm registry
-            - name: Publish to npm registry
-              uses: actions/setup-node@v3
+            - name: Prepare Node.js environment for GitHub Packages registry
+              uses: actions/setup-node@v6
               with:
-                  node-version-file: '.nvmrc'
-                  registry-url: https://registry.npmjs.org/
+                  cache: npm
+                  node-version-file: .node-version
+                  registry-url: https://npm.pkg.github.com/
                   scope: '@doist'
-            - run: npm publish --provenance --access public
-              # Token-based authentication until we can use OIDC
+
+            - name: Publish package to private GitHub Packages registry
+              run: npm publish
               env:
-                  NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+                  NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pull_request.yml

@@ -8,14 +8,26 @@ jobs:
         # Based on historical data
         timeout-minutes: 15
         steps:
-            - uses: actions/checkout@v4
+            - name: Checkout repository
+              uses: actions/checkout@v5
 
             - name: Prepare Node.js environment
-              uses: actions/setup-node@v3
+              uses: actions/setup-node@v6
               with:
-                  node-version-file: '.nvmrc'
+                  cache: npm
+                  node-version-file: .node-version
+
+            - name: Cache project 'node_modules' directory
+              id: node-modules-cache
+              uses: actions/cache@v4
+              with:
+                  key: node-modules-cache-${{ hashFiles('**/package-lock.json', '**/.node-version') }}
+                  path: node_modules/
+
+            - name: Install project npm dependencies
+              if: ${{ steps.node-modules-cache.outputs.cache-hit != 'true' }}
+              run: npm ci
 
-            - run: npm ci
             - run: npm run lint
             - run: npm run type-check
             - run: npm test

.node-version

@@ -0,0 +1 @@
+22.14

.npmrc

@@ -1,6 +1,9 @@
-# Ensure dependencies are installed from the npm registry instead of GitHub
-# if you've defined the default registry for @doist in another .npmrc
+# Ensure dependencies are installed from the npm Registry instead of GitHub Packages in case you
+# have changed the default registry for the `@doist` scope in a parent `.npmrc` file
 @doist:registry=https://registry.npmjs.org/
 
 # Refuse to install any package incompatible with the current Node.js version
-engine-strict=true
+engine-strict=true
+
+# Save dependencies with an exact version rather than the semver range
+save-exact=true

.nvmrc

@@ -21,16 +21,24 @@
     "sideEffects": [
         "**/*.css"
     ],
-    "files": [
-        "dist",
-        "es",
-        "lib",
-        "styles"
-    ],
     "engines": {
-        "node": "^16.0.0 || ^18.0.0 || ^20.0.0 || ^21.0.0 || ^22.0.0",
-        "npm": "^8.3.0 || ^9.0.0 || ^10.0.0 || ^11.0.0"
+        "node": "^22.14.0 || >= 24.10.0",
+        "npm": "^10.9.2 || >= 11.5.1"
+    },
+    "publishConfig": {
+        "access": "public"
     },
+    "files": [
+        "CHANGELOG.md",
+        "CODE_OF_CONDUCT.md",
+        "CONTRIBUTING.md",
+        "LICENSE",
+        "README.md",
+        "dist/**",
+        "es/**",
+        "lib/**",
+        "styles/**"
+    ],
     "scripts": {
         "postinstall": "patch-package",
         "setup": "npm install && npm run validate",
@@ -41,7 +49,7 @@
         "poststart:yalc": "yalc installations clean",
         "start:yalc:success": "./scripts/organize-styles.sh && yalc push --sig",
         "build": "scripts/build.sh",
-        "build:storybook": "build-storybook -o docs",
+        "build:storybook": "NODE_OPTIONS=--openssl-legacy-provider build-storybook -o docs",
         "clean": "rimraf es lib styles dist",
         "test": "jest --passWithNoTests",
         "test:watch": "npm run test -- --watch",