Sync ci and publish workflows

.github/workflows/ci.yml

@@ -7,6 +7,9 @@ on:
   merge_group:
     branches:
       - main
+      - next
+      # merge group rulesets don't allow wildcards so in settings each maintenance branch needs to be added separately
+      - "maintenance/v*" # branch rulesets don't support v[0-9]+
 
 permissions:
   contents: read
@@ -16,39 +19,24 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  build:
-    name: Build
+  lint-workflows:
+    name: Lint workflows
     runs-on: ubuntu-latest
+    permissions:
+      actions: read # only required in private repos
+      security-events: write # allow writing security events
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
 
-      - uses: ./.github/actions/ci-setup
-
-      - name: Build
-        run: pnpm build
-
-  lint:
-    name: Lint
-    runs-on: ubuntu-latest
-    steps:
-      - name: Check out repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
         with:
-          persist-credentials: false
-
-      - uses: ./.github/actions/ci-setup
-
-      - name: Codegen
-        run: pnpm codegen:github
-
-      - name: Lint
-        run: pnpm lint
-
-      - name: Format
-        run: pnpm format
+          persona: pedantic
+          annotations: true
+          advanced-security: false
 
   test:
     name: Test
@@ -81,12 +69,49 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+  typecheck:
+    name: Typecheck
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: ./.github/actions/ci-setup
+
+      - name: Codegen
+        run: pnpm codegen:github
+
+      - name: Typecheck
+        run: pnpm typecheck
+
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: ./.github/actions/ci-setup
+
+      - name: Codegen
+        run: pnpm codegen:github
+
+      - name: Lint
+        run: pnpm lint
+
+      - name: Format
+        run: pnpm format
+
   ci-ok:
     name: CI OK
     runs-on: ubuntu-latest
     if: always()
-    needs: [build, lint, test]
+    needs: [lint-workflows, test, typecheck, lint]
     steps:
       - name: Exit with error if some jobs are not successful
-        if: ${{ always() && (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) }}
         run: exit 1
+        if: ${{ always() && (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) }}

.github/workflows/publish.yml

@@ -4,13 +4,15 @@ on:
   push:
     branches:
       - main
+      - next
+      - "maintenance/v*" # branch rulesets don't support v[0-9]+
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: false
   queue: max
 
-permissions: {}
+permissions: {} # each job should define its own permission explicitly
 
 jobs:
   version:
@@ -21,8 +23,7 @@ jobs:
     outputs:
       hasChangesets: ${{ steps.changesets.outputs.hasChangesets }}
     permissions:
-      contents: write # to create version commits (changesets/action)
-      pull-requests: write # to create pull request (changesets/action)
+      contents: read # to check out repo (actions/checkout)
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -33,11 +34,13 @@ jobs:
         with:
           skip-cache: true # avoid cache poisoning attacks
 
-      - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+      - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
         id: app-token
         with:
           client-id: ${{ vars.APP_CLIENT_ID }}
           private-key: ${{ secrets.APP_PRIVATE_KEY }}
+          permission-contents: write # to create version commits (changesets/action)
+          permission-pull-requests: write # to create pull request (changesets/action)
 
       - name: Create or update release pull request
         id: changesets
@@ -66,11 +69,8 @@ jobs:
         with:
           skip-cache: true # avoid cache poisoning attacks
 
-      - name: Build
-        run: pnpm build
-
       - name: Publish to npm
         uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0
         with:
-          publish: pnpm changeset publish
+          publish: pnpm release
           commitMode: github-api

.vscode/settings.json

@@ -0,0 +1,4 @@
+{
+  "js/ts.tsdk.path": "node_modules/typescript/lib",
+  "editor.defaultFormatter": "oxc.oxc-vscode"
+}

package.json

@@ -48,13 +48,15 @@
     "access": "public"
   },
   "scripts": {
-    "build": "pnpm codegen:github && tsc && tsdown",
+    "build": "pnpm codegen:github && tsdown",
     "codegen:github": "graphql-codegen --config src/github/codegen.ts",
+    "typecheck": "tsc",
     "format": "oxfmt --check",
     "format:fix": "oxfmt",
     "lint": "oxlint",
     "test:integration": "vitest -c vitest.integration.config.ts",
-    "version-packages": "pnpm changeset version && pnpm format:fix"
+    "version-packages": "changeset version && pnpm format:fix",
+    "release": "pnpm build && changeset publish"
   },
   "dependencies": {
     "isomorphic-git": "^1.36.3"