From 8893a9e2c95d150ac4332ff42afe945d15b21af3 Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Fri, 15 May 2026 14:35:51 +0200
Subject: [PATCH 1/4] ci: Use GitHub environment for publishing workflow
---
.github/workflows/release-please.yml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index aac0b7b6244..1905db16ba4 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -8,7 +8,6 @@ on:
permissions:
contents: write
pull-requests: write
- id-token: write # Required for trusted publishing via OIDC (https://docs.npmjs.com/trusted-publishers)
jobs:
release-please:
@@ -60,6 +59,10 @@ jobs:
runs-on: ubuntu-24.04
needs: release-please
if: needs.release-please.outputs.releases_created == 'true'
+ permissions:
+ id-token: write # Required for trusted publishing via OIDC (https://docs.npmjs.com/trusted-publishers)
+ # The GitHub Actions Environment configured for the trusted publisher
+ environment: npmjs:ui5-cli-mono
strategy:
# Sequential publishing ensures dependencies exist on NPM before dependents are published
# Order: logger → fs → builder → server → project (CLI handled separately for shrinkwrap generation)
@@ -87,6 +90,10 @@ jobs:
runs-on: ubuntu-24.04
needs: [release-please, publish-packages]
if: needs.release-please.outputs.releases_created == 'true'
+ permissions:
+ id-token: write # Required for trusted publishing via OIDC (https://docs.npmjs.com/trusted-publishers)
+ # The GitHub Actions Environment configured for the trusted publisher
+ environment: npmjs:ui5-cli-mono
steps:
- uses: actions/checkout@v6
From 763b9aa57efc50d0dab9610ff777cf5b04040c39 Mon Sep 17 00:00:00 2001
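Review bot: Declaring a job-level `permissions:` block on the publish job replaces the workflow-level grant entirely, so with only `id-token: write` listed this job no longer holds the `contents: write` / `pull-requests: write` scopes declared at the top of the file (GitHub sets every unlisted scope to none once a job declares its own permissions). That is the right direction for least privilege, but the sibling publish job in the next hunk still runs `actions/checkout`, and the job comment mentions shrinkwrap generation, so confirm whether checkout or any git push needs repository access and list it explicitly, e.g. `permissions:` / `  id-token: write` / `  contents: read`. The `strategy:` matrix and the rest of the job body continue outside the hunk.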
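Review bot: `environment: npmjs:ui5-cli-mono` only tightens the trust boundary if the environment itself carries protection rules; without required reviewers or a deployment-branch restriction to the release branch, any job in this repository that names the environment can mint an OIDC token carrying the `environment:npmjs:ui5-cli-mono` subject that the npm trusted-publisher configuration presumably keys on. Record that expectation next to the key so it is not lost, e.g. `# Protected environment: deployment-branch rule limits this to the release branch; npm trusted publishers for every published package must reference this environment name`. Whether the npm side is bound to the environment name (as opposed to the workflow file alone) is not visible in this diff and should be verified for each package in the publish matrix.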
From: Merlin Beutlberger
Date: Fri, 15 May 2026 14:37:33 +0200
Subject: [PATCH 2/4] ci: Disallow npm dependencies from git
See: https://github.blog/changelog/2026-02-18-npm-bulk-trusted-publishing-config-and-script-security-now-generally-available/#:~:text=New%20%2D%2Dallow%2Dgit%20flag,explicit%20control%20over%20this%20behavior.
---
.npmrc | 1 +
1 file changed, 1 insertion(+)
diff --git a/.npmrc b/.npmrc
index 3eeeab4e326..f5bb40b0e47 100644
--- a/.npmrc
+++ b/.npmrc
@@ -2,3 +2,4 @@ registry=https://registry.npmjs.org/
lockfile-version=3
ignore-scripts=true
+allow-git=none
From aaa15301d6cfe5bc81e2f7f8bd53b198783f32df Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Fri, 15 May 2026 15:05:15 +0200
Subject: [PATCH 3/4] ci: Replace outdated commitlint action
Use the commitlint npm package directly instead as recommended at: https://commitlint.js.org/guides/ci-setup.html
---
.github/workflows/commitlint.yml | 21 ---------------------
.github/workflows/github-ci.yml | 10 ++++++++++
2 files changed, 10 insertions(+), 21 deletions(-)
delete mode 100644 .github/workflows/commitlint.yml
diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
deleted file mode 100644
index 07fb5f7b08f..00000000000
--- a/.github/workflows/commitlint.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-name: Commit Message Linting
-on:
- push:
- branches:
- - main
- pull_request:
- branches:
- - main
-permissions:
- contents: read
-jobs:
- commitlint:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v6
- with:
- fetch-depth: 0
- - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
diff --git a/.github/workflows/github-ci.yml b/.github/workflows/github-ci.yml
index c164066ca5e..aa9ade1ada1 100644
--- a/.github/workflows/github-ci.yml
+++ b/.github/workflows/github-ci.yml
@@ -19,6 +19,8 @@ jobs:
steps:
- uses: actions/checkout@v6
+ with:
+ fetch-depth: 0
- name: Setup Node.js
uses: actions/setup-node@v6
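Review bot: `allow-git=none` is only enforced by npm releases that know the flag; an npm that predates it treats the key as an unknown config entry, warns, and keeps resolving git dependencies, so the guard is exactly as strong as the npm version CI and contributors actually run. State that in the file so nobody assumes the protection is unconditional, e.g. `# Blocks git-hosted dependencies; ignored (with a warning) by npm versions that predate the flag`, and consider pinning the expected npm via `packageManager`/`engines` or an explicit version check in CI. Note also that a project `.npmrc` is read relative to the working directory, so installs run outside the repository root are presumably not covered by this setting.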
@@ -56,6 +58,14 @@ jobs:
- name: Perform ESLint check
run: npm run lint
+ - name: Validate current commit (last commit) with commitlint
+ if: github.event_name == 'push'
+ run: npm run lint:commit -- --last --verbose
+
+ - name: Validate PR commits with commitlint
+ if: github.event_name == 'pull_request'
+ run: npm run lint:commit -- --from ${{ github.event.pull_request.base.sha }} --to ${{ github.event.pull_request.head.sha }} --verbose
+
- name: Perform Licenses check
run: npm run check-licenses
From 009809bf80fe016cc5ec5803eeee3645414a8a28 Mon Sep 17 00:00:00 2001
From: Merlin Beutlberger
Date: Fri, 15 May 2026 15:28:58 +0200
Subject: [PATCH 4/4] ci: Pin more actions to commit hash
---
.github/workflows/coverage.yml | 2 +-
.github/workflows/release-please.yml | 2 +-
.github/workflows/reuse-compliance.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index a8b269729d8..142a3eaaeaf 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -55,6 +55,6 @@ jobs:
runs-on: ubuntu-24.04
steps:
- name: Close parallel build
- uses: coverallsapp/github-action@v2.3.7
+ uses: coverallsapp/github-action@648a8eb78e6d50909eff900e4ec85cab4524a45b # v2.3.6
with:
parallel-finished: true
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 1905db16ba4..3bfe68b6a8f 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -23,7 +23,7 @@ jobs:
node-version: 24.x
- name: Run Release Please to update PRs and create releases
- uses: googleapis/release-please-action@v5
+ uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
id: release
with:
token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/reuse-compliance.yml b/.github/workflows/reuse-compliance.yml
index a7f056c0ba8..d17397d1465 100644
--- a/.github/workflows/reuse-compliance.yml
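Review bot: Both new steps invoke `npm run lint:commit`, yet none of the four patches in this series touches package.json, so unless a `lint:commit` script and the `@commitlint/*` devDependencies already exist the steps fail with a missing-script error rather than a lint verdict; confirm they are present or add them in this change. On `push`, `--last` validates only the tip commit, so a multi-commit push to the branch is judged by its last message alone — fine if merges are squashed, but worth recording with `# --last checks only the tip commit; PR commits are validated as a full range below`. The `${{ github.event.pull_request.base.sha }}` / `head.sha` expansions are commit SHAs rather than attacker-controlled strings, so there is no expression-injection exposure in the `run:` line. The job's remaining steps continue outside the hunk.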
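Review bot: The new pin is annotated `# v2.3.6` while the tag it replaces is `v2.3.7`, so either the trailing comment mislabels the commit or the change silently downgrades the action by one patch release. Resolve the commit `648a8eb7…` against the coverallsapp tags and make the hash and the comment agree with the intended version, e.g. `uses: coverallsapp/github-action@<sha-of-intended-tag> # v2.3.7`. The trailing version comment is what Dependabot/Renovate use to track hash-pinned actions, so a wrong label also misleads future automated bumps.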
+++ b/.github/workflows/reuse-compliance.yml
@@ -46,4 +46,4 @@ jobs:
- uses: actions/checkout@v6
- name: REUSE check for full repository
- uses: fsfe/reuse-action@v6
+ uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0
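Review bot: `actions/checkout@v6` two lines above the change is still referenced through a mutable major tag, as are the `actions/checkout@v6` and `actions/setup-node@v6` references visible in the other workflows of this series, so the pinning this commit sets out to do remains partial. The same form used here, `uses: actions/checkout@<commit-sha> # v6.x.y`, would close the gap. Leaving first-party GitHub actions on tags is sometimes a deliberate policy; if so, a one-line comment stating that avoids the question being re-raised on every review.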