ci(gha): install pnpm before use; align release to appsyncjs (Node 22/24, NPM_TOKEN) (#7)

charliecreates[bot] · CharlieHelps · mikecbrant · web-flow · commit f785d22d40f4 · 2025-09-04T19:53:07.000-05:00
* ci(gha): install pnpm before use; align release flow to appsyncjs (Node 22/24, registry auth, caching)

* ci(gha): use pnpm/action-setup with package_json_file to honor pinned pnpm version

* ci(gha): push-only release gating, npm auth hardening, strict tag push; pin pnpm via packageManager and fix Prettier config resolution

* ci(gha): make determine_release tolerant of PR merge refs (fallback when changeset status cannot diff from main)

* Update .github/workflows/release.yml

---------

Co-authored-by: CharlieCreates &lt;198680274+charliecreates[bot]@users.noreply.github.com&gt;
Co-authored-by: CharlieHelps &lt;charlie@charlielabs.ai&gt;
Co-authored-by: Mike Brant &lt;mikebranttx@gmail.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,89 +1,131 @@
-name: Test and Release
+name: CI — test → gate → release
 
 on:
   push:
     branches:
-      - main
-      - "release/**"
-      - "prerelease/**"
+      - "**"
+    tags:
+      - "**"
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
 
-concurrency: ${{ github.workflow }}-${{ github.ref }}
+# Ensure only one workflow per ref is active at a time
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# Default, least-privilege token permissions; jobs elevate as needed
+permissions:
+  contents: read
 
 jobs:
   test:
-    name: Test (Node ${{ matrix.node }})
+    name: Test (Node ${{ matrix.node-version }})
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
-        node: [22.x, 24.x]
+        node-version: [22.x, 24.x]
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout Repo
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node }}
-          cache: pnpm
-      - uses: pnpm/action-setup@v4
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
         with:
-          # Use the pnpm version pinned in package.json `packageManager` to avoid conflicts
+          package_json_file: package.json
           run_install: false
-      - run: pnpm install --frozen-lockfile
-      - run: pnpm -w run fmt:check
-      - run: pnpm -w run typecheck:tsgo
+      - name: Setup Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+      - name: Format check
+        run: pnpm -w run fmt:check
+      - name: Typecheck (tsgo)
+        run: pnpm -w run typecheck:tsgo
 
   determine_release:
+    name: Determine release
+    needs: [test]
     runs-on: ubuntu-latest
     outputs:
       is_prerelease: ${{ steps.determine.outputs.is_prerelease }}
       is_release: ${{ steps.determine.outputs.is_release }}
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout Repo
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v4
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          package_json_file: package.json
+          run_install: false
+      - name: Setup Node.js 24
+        uses: actions/setup-node@v4
         with:
           node-version: 24.x
           cache: pnpm
-      - uses: pnpm/action-setup@v4
-        with:
-          run_install: false
-      - run: pnpm install --frozen-lockfile
-      - id: determine
+          cache-dependency-path: pnpm-lock.yaml
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+      - name: Compute release flags
+        id: determine
         run: |
-          pnpm changeset status --output=changeset-status.json
+          # Changesets can error on PR merge refs; tolerate and default to no pre mode
+          pnpm changeset status --output=changeset-status.json || echo '{}' > changeset-status.json
           PRE=$(jq -r '.preState.mode // ""' changeset-status.json)
           rm -f changeset-status.json
           echo "is_prerelease=$([[ $PRE = 'pre' ]] && echo true || echo false)" >> $GITHUB_OUTPUT
           echo "is_release=$([[ $GITHUB_REF_NAME = 'main' ]] && echo true || echo false)" >> $GITHUB_OUTPUT
 
   release:
+    name: Release
     needs: [test, determine_release]
-    if: needs.determine_release.outputs.is_release == 'true' || needs.determine_release.outputs.is_prerelease == 'true'
+    if: ${{ github.event_name == 'push' && (needs.determine_release.outputs.is_release == 'true' || needs.determine_release.outputs.is_prerelease == 'true') }}
     permissions:
       contents: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout Repo
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - run: git config user.name "GitHubActions" && git config user.email "actions@github.com"
-      - uses: actions/setup-node@v4
+      - name: Configure Git author (for tag/commit)
+        run: |
+          git config user.name "GitHubActions"
+          git config user.email "actions@github.com"
+      - name: Install pnpm
+        uses: pnpm/action-setup@v4
+        with:
+          package_json_file: package.json
+          run_install: false
+      - name: Setup Node.js 24 (with npm registry)
+        uses: actions/setup-node@v4
         with:
           node-version: 24.x
           cache: pnpm
+          cache-dependency-path: pnpm-lock.yaml
           registry-url: https://registry.npmjs.org
-      - uses: pnpm/action-setup@v4
-        with:
-          run_install: false
-      - run: pnpm install --frozen-lockfile
-      - run: pnpm build
+          always-auth: true
+        env:
+          # Ensure the registry is authenticated for publish
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+      - name: Build
+        run: pnpm build
       - name: Publish with Changesets
         env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
           pnpm changeset status
           pnpm changeset version
           pnpm changeset publish
-          git push --follow-tags --no-verify || true
+          git push --follow-tags --no-verify
diff --git a/packages/eslint-config/package.json b/packages/eslint-config/package.json
@@ -19,6 +19,9 @@
 		"eslint-plugin-sonarjs": "^3.0.2",
 		"eslint-plugin-unused-imports": "^4.0.0"
 	},
+	"devDependencies": {
+		"@mikecbrant/prettier-config": "workspace:*"
+	},
 	"publishConfig": {
 		"access": "public"
 	},
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
