ci: add auto-publish workflow with npm provenance

DavertMik · claude · DavertMik · commit 6182460309e8 · 2026-04-13T21:49:56.000+03:00
Two workflows:

- test.yml: runs typecheck + full test suite on push/PR against Node 18, 20, 22
- publish.yml: auto-publishes on GitHub release using npm trusted publishing
  (OIDC via id-token: write — no NPM_TOKEN secret needed), upgrades to latest
  npm for best provenance support, auto-selects latest/beta dist-tag based on
  release tag, and publishes with --provenance --access public so each
  version is cryptographically linked to codeceptjs/reflection.

package.json now declares repository, homepage, bugs, and
publishConfig.{ access: public, provenance: true } — required for npm
provenance to link published tarballs back to this repo.

Release flow: git push --follow-tags → GitHub release → auto-publish.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,77 @@
+name: Publish to npm
+
+# Auto-publishes @codeceptjs/reflection to npm on every GitHub release.
+# Uses npm provenance (sigstore transparency log) so the published package
+# is cryptographically linked to this repo (codeceptjs/reflection) and the
+# exact workflow run that built it.
+#
+# Tag the release with a SemVer tag like `v0.4.0` or `v0.5.0-beta.1`.
+# - Stable tags (no prerelease suffix) publish under the default `latest` dist-tag.
+# - Prereleases (alpha/beta/rc) publish under the `beta` dist-tag.
+
+on:
+  release:
+    types: [published]
+
+# Required for npm provenance: id-token grants OIDC to the workflow so npm
+# can verify the build came from this repository's Actions runner.
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    name: Publish @codeceptjs/reflection (provenance)
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout codeceptjs/reflection at release ref
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.release.target_commitish }}
+
+      - name: Setup Node 22 with npm registry
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install dependencies
+        run: npm install
+
+      # Upgrade npm to the latest version — provenance support improves with
+      # every release and we want the most up-to-date signer on every publish.
+      - name: Install latest npm
+        run: npm install -g npm@latest
+
+      - name: Typecheck
+        run: npm run typecheck
+
+      - name: Run tests before publishing
+        run: npm test
+
+      - name: Set package version from release tag
+        run: |
+          TAG="${{ github.event.release.tag_name }}"
+          VERSION="${TAG#v}"
+          echo "Publishing @codeceptjs/reflection version $VERSION"
+          npm version "$VERSION" --no-git-tag-version
+
+      - name: Determine dist-tag
+        id: disttag
+        run: |
+          if [[ "${{ github.event.release.prerelease }}" == "true" ]] \
+             || [[ "${{ github.event.release.tag_name }}" == *alpha* ]] \
+             || [[ "${{ github.event.release.tag_name }}" == *beta* ]] \
+             || [[ "${{ github.event.release.tag_name }}" == *rc* ]]; then
+            echo "tag=beta" >> "$GITHUB_OUTPUT"
+          else
+            echo "tag=latest" >> "$GITHUB_OUTPUT"
+          fi
+
+      # `--provenance` requires npm >= 9.5.0 (we installed latest above).
+      # Auth uses npm trusted publishing via OIDC (id-token: write above) —
+      # no NPM_TOKEN secret needed. The published package gets a provenance
+      # statement linking it to this workflow run at github.com/codeceptjs/reflection.
+      - name: Publish to npm with provenance
+        run: npm publish --provenance --access public --tag ${{ steps.disttag.outputs.tag }}
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -0,0 +1,32 @@
+name: Test
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    name: Test (Node ${{ matrix.node }})
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        node: [18, 20, 22]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node }}
+          registry-url: 'https://registry.npmjs.org'
+
+      - run: npm install
+
+      - name: Typecheck
+        run: npm run typecheck
+
+      - name: Unit + integration tests
+        run: npm test
