
Conversation

@TobiTenno
Member

@TobiTenno TobiTenno commented Oct 14, 2025

What did you fix?

Add permissions for ID token, contents, pull requests, and issues.


Reproduction steps

release


Evidence/screenshot/link to line

Considerations

  • Does this contain a new dependency? [No]
  • Does this introduce opinionated data formatting or manual data entry? [No]
  • Does this pr include updated data files in a separate commit that can be reverted for a clean code-only pr? [No]
  • Have I run the linter? [Yes]
  • Is it a bug fix, feature request, or enhancement? [Security]

Summary by CodeRabbit

  • Chores
    • Updated release workflow permissions to grant required write access during verification.
    • Simplified package metadata by normalizing the repository URL and enabling provenance for published packages.
    • Adjusted dependency update automation commit prefixes and scope handling for clearer commit messages.
  • CI
    • Simplified lint job to a single Node setup flow and updated the Node LTS target to the newer release.

Add permissions for ID token, contents, pull requests, and issues.
@coderabbitai

coderabbitai bot commented Oct 14, 2025

Walkthrough

Added workflow permissions to the Release verify job, simplified CI lint flow by removing matrix, updated package metadata (repository string and provenance), adjusted Dependabot commit-message prefixes and scopes, and bumped Node LTS in .nvmrc from lts/hydrogen to lts/jod.

Changes

Cohort / File(s): Summary
  • Release workflow permissions (.github/workflows/release.yaml): Added permissions to the verify job: id-token: write, contents: write, pull-requests: write, issues: write. No other changes.
  • CI workflow simplification (.github/workflows/ci.yaml): Removed matrix strategy under lint job and per-version setup; replaced with single-run flow using actions/checkout@v4, actions/setup-node@v4 with node-version-file: .nvmrc, then install and lint steps.
  • Package metadata (package.json): Replaced repository object with a string URL "https://github.com/WFCD/eslint-config". Added top-level publishConfig: { "provenance": true }.
  • Dependabot commit-message changes (.github/dependabot.yml): Adjusted npm and GitHub Actions update commit-message prefixes: e.g., npm prefixes changed (chore → fix, dev → ci) and removed include: scope entries.
  • Node LTS update (.nvmrc): Replaced lts/hydrogen with lts/jod.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant Verify as Release:verify job
  participant GHAPI as GitHub API / OIDC

  Dev->>GH: Push tag / trigger release workflow
  GH->>Verify: Start verify job (with permissions)
  Note over Verify: permissions:\n- id-token: write\n- contents: write\n- pull-requests: write\n- issues: write
  Verify->>GHAPI: Request OIDC token (id-token)
  GHAPI-->>Verify: OIDC token
  Verify->>GHAPI: Perform writes (contents / PRs / issues) as needed
  GH-->>Dev: Workflow completes

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I nibble bytes and hop on keys,
Permissions set with gentle ease.
Repo trimmed, provenance true,
Dependabot sings a different cue.
New node LTS—my whiskers twitch,
This rabbit ships the tiny fix. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name: Status. Explanation
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title Check: ✅ Passed. The title succinctly highlights the addition of provenance support and OIDC id-token permissions, reflecting the key changes in publishConfig and the release workflow. It is concise and uses clear technical terms relevant to the changeset. This level of specificity ensures teammates can quickly grasp the primary updates.
  • Docstring Coverage: ✅ Passed. No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ca39213 and 79548c4.

📒 Files selected for processing (3)
  • .github/dependabot.yml (1 hunks)
  • .github/workflows/ci.yaml (1 hunks)
  • .nvmrc (1 hunks)
🔇 Additional comments (1)
.github/dependabot.yml (1)

9-10: Conventional commit tweak looks good.

Using fix/ci here should keep Dependabot PRs aligned with your release automation triggers.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.


Comment @coderabbitai help to get the list of available commands and usage tips.
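For readers who want to see what the permissions described in the walkthrough look like in a workflow file, here is an added example. It is not the project's own .github/workflows/release.yaml (whose full contents are not on this page): only the job name verify and the four permission values come from the walkthrough above, while the trigger, the top-level permissions default, the checkout/setup-node steps, the publish command and the secret name are assumptions.

```yaml
# Added example: a release workflow with job-scoped permissions for npm provenance.
# Not the project's own release.yaml; only the job name "verify" and the four
# permission values are taken from the PR walkthrough. Everything else is assumed.
name: Release

on:
  push:
    tags:
      - "v*"

# Assumed hardening: no default permissions at the workflow level, so any job that
# does not declare its own permissions block gets no token scopes at all.
permissions: {}

jobs:
  verify:
    runs-on: ubuntu-latest
    permissions:
      id-token: write       # lets this job request an OIDC token; required for npm provenance
      contents: write       # typical semantic-release need: push tags / create releases (assumed)
      pull-requests: write  # typical semantic-release need: comment on released PRs (assumed)
      issues: write         # typical semantic-release need: comment on closed issues (assumed)
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc
          registry-url: https://registry.npmjs.org
      - run: npm ci
      # With "publishConfig": { "provenance": true } in package.json (as this PR adds),
      # npm publish exchanges the OIDC token for a signed provenance attestation that
      # ties the published tarball to this workflow run.
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # assumed secret name
```

Two points worth checking in a review of a change like this one: the four write scopes sit on the verify job rather than at the workflow level, so lint or test jobs in the same file do not inherit write access to contents, pull requests or issues; and id-token: write grants nothing on the repository itself, it only allows the job to mint an OIDC token that identifies this workflow run to the registry, which is exactly what provenance relies on.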

@TobiTenno TobiTenno enabled auto-merge (squash) October 14, 2025 18:16
@TobiTenno TobiTenno disabled auto-merge October 15, 2025 01:28
@TobiTenno TobiTenno merged commit 1cd20c7 into main Oct 15, 2025
3 checks passed
@TobiTenno TobiTenno deleted the TobiTenno-patch-1 branch October 15, 2025 01:28
wfcd-bot-boi pushed a commit that referenced this pull request Oct 15, 2025
## [1.6.4](v1.6.3...v1.6.4) (2025-10-15)

### Bug Fixes

* footer length ([86745fb](86745fb))
* provenance & oidc ([#28](#28)) ([1cd20c7](1cd20c7))
@wfcd-bot-boi

🎉 This PR is included in version 1.6.4 🎉

The release is available on:

Your semantic-release bot 📦🚀
