
Commit e161571

csandman and claude authored
chore: Port the v5 publish workflow to main (#413)
* docs: fill out SECURITY.md with a real policy

  Replace the GitHub-templated stub with a project-specific policy: support matrix tied to the @chakra-ui/react major peer (v5/v6 supported, v4 and earlier not), private reporting via GitHub Security Advisories, and pointers to react-select / Chakra UI for upstream issues.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Downgrade the codemod types/node package to match the installed version of node

* chore: Port the v5 publish workflow to main

  Adopts the e18e publishing recommendations on main, mirroring the v5 setup from #405:

  - Add .github/workflows/publish.yml with the three-job test → build → publish flow. OIDC trusted publishing with provenance attestations; no npm tokens. Top-level permissions: {}, persist-credentials: false, pinned action SHAs, --ignore-scripts on install, Node 24 throughout.
  - Replace v5's hardcoded --tag chakra2 with a conditional: stable releases publish to `latest`, GitHub-flagged prereleases publish to `next`.
  - Add `pnpm test` to the test job (v5 omitted it because the test suite didn't exist there yet; on main it does).
  - Drop `prepublishOnly` and `postpublish` from package.json — CI publishes from a pre-built tarball, and the equivalent gating now lives in the publish workflow's test job.
  - Drop `.npmrc ignore-scripts=true`. pnpm's `allowBuilds` whitelist (pnpm-workspace.yaml) already gates dependency install scripts with finer granularity, and the publish workflow passes --ignore-scripts to `pnpm install` explicitly. Removing the blanket flag lets husky's `prepare` script run automatically on fresh installs.
  - Update CONTRIBUTING.md to reflect the install-scripts model change, and remove the now-obsolete .npmrc → ini files.associations entry from .vscode/settings.json.

  Before the first publish from main, the GitHub `publish` environment will need `main` added to its allowed-branches list alongside `v5`.

  Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
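The hardening choices the commit message lists (pinned action SHAs, `persist-credentials: false`, a top-level `permissions: {}`, and `github.ref_name` passed through `env:` rather than interpolated into a `run:` script) are easy to regress in a later edit of the workflow. The script below is an added example, not code from the chakra-react-select repository or from the e18e recommendations: a small regex-based audit that flags each of those regressions in a workflow file. The two sample workflows embedded in it are constructed for the demo; the commit SHAs inside them are copied from the diff above and are only treated as strings.

```python
"""Audit a GitHub Actions workflow for the hardening the commit message lists.

Added example for this page; it is not code from the chakra-react-select
repository. Four checks, all regex-based so the script needs no PyYAML:
  1. every `uses:` reference is pinned to a 40-hex commit SHA, not a tag;
  2. every actions/checkout step sets `persist-credentials: false`;
  3. the top-level `permissions:` is `{}` so each job must request scopes;
  4. no `${{ ... }}` expression is interpolated straight into a `run:` script
     (the workflow in the commit passes github.ref_name through `env:`).
"""
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
RUN_RE = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{")
PERSIST_RE = re.compile(r"persist-credentials:\s*false\b")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def pinned_to_sha(ref: str) -> bool:
    """True when `owner/repo@ref` points at a full commit SHA; a tag such as
    @v6 is mutable and can be repointed by whoever controls the action repo."""
    _, sep, version = ref.rpartition("@")
    return bool(sep) and SHA_RE.match(version) is not None


def _step_block(lines: list[str], i: int) -> list[str]:
    """Lines of the step containing lines[i] (which holds the `uses:` key)."""
    key_indent = lines[i].index("uses:")
    start = i
    while start > 0 and not lines[start].lstrip().startswith("- "):
        start -= 1                       # back up to the `- ` that opens the step
    end = i + 1
    while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) >= key_indent):
        end += 1                         # sibling keys (with:, env:) and their children
    return lines[start:end]


def audit_workflow(text: str) -> list[str]:
    """Return one finding string per problem; an empty list means clean."""
    findings: list[str] = []
    lines = text.splitlines()

    top = re.search(r"^permissions:[ \t]*(.*)$", text, re.M)
    if top is None:
        findings.append("no top-level permissions:; default GITHUB_TOKEN scopes apply to every job")
    elif top.group(1).strip() != "{}":
        findings.append("top-level permissions: grants scopes to every job; expected {} with per-job grants")

    run_indent = None                    # column of an open `run: |` key, if any
    for n, line in enumerate(lines, start=1):
        if run_indent is not None and (not line.strip() or _indent(line) > run_indent):
            if EXPR_RE.search(line):     # still inside the multi-line script
                findings.append(f"line {n}: ${{{{ }}}} expression inside run:; pass it through env: instead")
            continue
        run_indent = None
        m = RUN_RE.match(line)
        if m:
            body = m.group(1)
            if body.startswith(("|", ">")):
                run_indent = line.index("run:")
            elif EXPR_RE.search(body):
                findings.append(f"line {n}: ${{{{ }}}} expression inside run:; pass it through env: instead")
            continue
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue                     # local composite actions and images: out of scope here
        if not pinned_to_sha(ref):
            findings.append(f"line {n}: {ref} is not pinned to a commit SHA")
        if ref.startswith("actions/checkout@") and not PERSIST_RE.search("\n".join(_step_block(lines, n - 1))):
            findings.append(f"line {n}: actions/checkout without persist-credentials: false; the token stays in .git/config")
    return findings


# Constructed samples: WEAK collects the usual mistakes, HARDENED mirrors the
# shape of the workflow in the commit (SHAs copied from the diff, used as text).
WEAK = """\
name: Publish to npm
permissions:
  contents: write
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Use Node.js
        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
      - name: Version and publish
        run: |
          npm version "${{ github.ref_name }}" --git-tag-version=false
          npm publish --provenance --access public
"""

HARDENED = """\
name: Publish to npm
permissions: {}
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Version and publish
        env:
          TAG_NAME: ${{ github.ref_name }}
        run: |
          npm version "$TAG_NAME" --git-tag-version=false
          npm publish --provenance --access public
"""

if __name__ == "__main__":
    for label, wf in (("weak", WEAK), ("hardened", HARDENED)):
        found = audit_workflow(wf)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Run it on a real file with `audit_workflow(open(".github/workflows/publish.yml").read())`; the WEAK sample yields four findings (the broad top-level grant, the unpinned `@v4` checkout, the missing `persist-credentials: false`, and the `${{ github.ref_name }}` interpolated into the script), and the HARDENED sample yields none. The parser is deliberately line-oriented: it understands only the `steps:` layout that GitHub workflows actually use, which keeps it dependency-free at the cost of not handling exotic YAML.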
1 parent cf64198 commit e161571

8 files changed

Lines changed: 275 additions & 110 deletions


.github/workflows/publish.yml

Lines changed: 124 additions & 0 deletions
@@ -0,0 +1,124 @@
1+
name: Publish to npm
2+
3+
permissions: {}
4+
5+
on:
6+
release:
7+
types: [published]
8+
9+
jobs:
10+
test:
11+
runs-on: ubuntu-latest
12+
permissions:
13+
contents: read
14+
steps:
15+
- name: Checkout
16+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
17+
with:
18+
persist-credentials: false
19+
20+
- name: Install pnpm
21+
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
22+
23+
- name: Use Node.js 24
24+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
25+
with:
26+
node-version: 24
27+
cache: pnpm
28+
29+
- name: Install dependencies
30+
run: pnpm install --frozen-lockfile --ignore-scripts
31+
32+
- name: Lint code
33+
run: pnpm lint:src
34+
35+
- name: Lint types
36+
run: pnpm lint:types
37+
38+
- name: Run tests
39+
run: pnpm test
40+
41+
- name: Build
42+
run: pnpm build
43+
44+
- name: Lint exports (attw)
45+
run: pnpm lint:exports
46+
47+
- name: Lint publish (publint)
48+
run: pnpm lint:publish
49+
50+
build:
51+
runs-on: ubuntu-latest
52+
permissions:
53+
contents: read
54+
outputs:
55+
tarball: ${{ steps.pack.outputs.tarball }}
56+
steps:
57+
- name: Checkout
58+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
59+
with:
60+
persist-credentials: false
61+
62+
- name: Install pnpm
63+
uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
64+
65+
- name: Use Node.js 24
66+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
67+
with:
68+
node-version: 24
69+
cache: pnpm
70+
71+
- name: Install dependencies
72+
run: pnpm install --frozen-lockfile --ignore-scripts
73+
74+
- name: Build
75+
run: pnpm build
76+
77+
- name: Align package.json version with release tag
78+
env:
79+
TAG_NAME: ${{ github.ref_name }}
80+
run: npm version "$TAG_NAME" --git-tag-version=false --allow-same-version
81+
82+
- name: Pack tarball
83+
id: pack
84+
run: |
85+
TARBALL=$(npm pack)
86+
echo "tarball=$TARBALL" >> "$GITHUB_OUTPUT"
87+
88+
- name: Upload tarball artifact
89+
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
90+
with:
91+
name: tarball
92+
path: ${{ steps.pack.outputs.tarball }}
93+
94+
publish:
95+
needs:
96+
- test
97+
- build
98+
runs-on: ubuntu-latest
99+
permissions:
100+
id-token: write
101+
environment: publish
102+
env:
103+
TARBALL: ${{ needs.build.outputs.tarball }}
104+
steps:
105+
- name: Download tarball artifact
106+
uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
107+
with:
108+
name: tarball
109+
110+
- name: Use Node.js 24
111+
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
112+
with:
113+
node-version: 24
114+
registry-url: "https://registry.npmjs.org"
115+
116+
- name: Publish to npm
117+
env:
118+
PRERELEASE: ${{ github.event.release.prerelease }}
119+
run: |
120+
if [ "$PRERELEASE" = "true" ]; then
121+
npm publish --provenance --access public --tag next "$TARBALL"
122+
else
123+
npm publish --provenance --access public "$TARBALL"
124+
fi
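Review bot: the tarball handed to `npm publish` is never the artifact that `lint:exports` and `lint:publish` checked. Those two steps run in the `test` job against its own `pnpm build` output, while the `build` job does a separate install and build, rewrites the version with `npm version "$TAG_NAME"`, and packs; `publish` then ships whatever `build` produced. Move the attw/publint steps into `build` after `Pack tarball` (or run them in `publish` on the downloaded artifact before the publish step) so the gate covers the exact bytes being released. Worth a comment in the file as well: the only thing stopping a mis-named release tag from publishing is that `npm version` rejects a value that is not valid semver.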

.npmrc

Lines changed: 0 additions & 1 deletion
This file was deleted.

.vscode/settings.json

Lines changed: 0 additions & 3 deletions
@@ -2,9 +2,6 @@
22
"typescript.tsdk": "node_modules/typescript/lib",
33
"editor.defaultFormatter": "oxc.oxc-vscode",
44
"editor.formatOnSave": true,
5-
"files.associations": {
6-
".npmrc": "ini"
7-
},
85
"[json]": {
96
"editor.defaultFormatter": "oxc.oxc-vscode"
107
},

CONTRIBUTING.md

Lines changed: 3 additions & 4 deletions
@@ -6,10 +6,9 @@ welcome, from issue reports to PRs and documentation / write-ups.
66
Before you open a PR:
77

88
- In development, run `pnpm install` to setup the dependencies for the core
9-
package and the demo. Dependency lifecycle scripts (`postinstall`, etc.)
10-
are disabled via `.npmrc` for supply-chain safety — pnpm still runs the
11-
workspace's own `prepare` script, so husky installs the git hooks
12-
automatically.
9+
package and the demo. Dependency install scripts are gated by pnpm's
10+
[`allowBuilds`](./pnpm-workspace.yaml) whitelist for supply-chain safety;
11+
husky's `prepare` script runs automatically on install.
1312
- Run `pnpm dev` to build (and watch) the package source, as well as run the
1413
demo project which can be viewed at http://localhost:5152.
1514
- Please ensure all the examples work correctly after your change.
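Review bot: the new wording tells contributors that install scripts are gated by `allowBuilds` but not what to do when a dependency they add needs one; pnpm will skip that package's build and the contributor will hit a confusing failure later. Add a sentence such as "If a new dependency needs a build script, add it to `allowBuilds` in pnpm-workspace.yaml in the same PR and explain why", so each new whitelist entry shows up in review as a deliberate supply-chain decision rather than a drive-by fix.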

SECURITY.md

Lines changed: 48 additions & 0 deletions
@@ -0,0 +1,48 @@
1+
# Security Policy
2+
3+
## Supported Versions
4+
5+
`chakra-react-select` major versions track the major version of its peer
6+
dependency, [`@chakra-ui/react`](https://github.com/chakra-ui/chakra-ui). The
7+
two most recent majors receive security fixes; earlier majors are no longer
8+
maintained.
9+
10+
| Version | Chakra UI peer | Supported |
11+
| ------- | -------------- | ------------------ |
12+
| 6.x | 3.x | :white_check_mark: |
13+
| 5.x | 2.x | :white_check_mark: |
14+
| 4.x | 2.x | :x: |
15+
| < 4 | 1.x | :x: |
16+
17+
If you need a fix on an older line, please open a discussion describing the
18+
constraint that prevents upgrading.
19+
20+
## Reporting a Vulnerability
21+
22+
**Please do not report security vulnerabilities through public GitHub issues,
23+
discussions, or pull requests.**
24+
25+
Report privately via
26+
[GitHub Security Advisories](https://github.com/csandman/chakra-react-select/security/advisories/new).
27+
28+
Include as much of the following as you can:
29+
30+
- Affected version(s) of `chakra-react-select`
31+
- A description of the issue and its impact
32+
- Steps to reproduce, ideally with a minimal repro
33+
- Any known mitigations or workarounds
34+
35+
You can expect an initial acknowledgement within a few days. Once the report
36+
is triaged, we'll keep you updated as a fix is developed and coordinate a
37+
disclosure timeline with you before publishing the advisory and patched
38+
release.
39+
40+
### Out of scope
41+
42+
This package is a thin wrapper around
43+
[`react-select`](https://github.com/JedWatson/react-select) styled with
44+
[`@chakra-ui/react`](https://github.com/chakra-ui/chakra-ui). Issues that
45+
originate in those upstream projects should be reported to them directly:
46+
47+
- react-select — https://github.com/JedWatson/react-select/security
48+
- Chakra UI — https://github.com/chakra-ui/chakra-ui/security
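Review bot: the "Out of scope" section redirects reporters upstream but gives no fallback for the common case where they cannot tell whether the bug is in this wrapper or in react-select / Chakra UI, so a real issue in this package's styling or prop handling may get bounced and lost. Add a line such as "If unsure, report it here and we will forward it". The acknowledgement window "within a few days" is also vague for a reporter deciding when to escalate; name a number (for example five business days) if the maintainers can commit to one.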

codemod/package.json

Lines changed: 1 addition & 1 deletion
@@ -36,7 +36,7 @@
3636
"devDependencies": {
3737
"@types/is-git-clean": "^1.1.2",
3838
"@types/jscodeshift": "^17.3.0",
39-
"@types/node": "^25.7.0",
39+
"@types/node": "^24.12.4",
4040
"rimraf": "^6.1.3",
4141
"typescript": "^6.0.3",
4242
"vitest": "^4.1.6"

package.json

Lines changed: 0 additions & 2 deletions
@@ -62,8 +62,6 @@
6262
"lint:types": "tsc",
6363
"lint-fix": "oxlint -c .oxlintrc.json --fix",
6464
"prepare": "husky",
65-
"prepublishOnly": "pnpm build && pnpm lint && pnpm test",
66-
"postpublish": "git push --follow-tags",
6765
"lint:publish": "publint",
6866
"test": "vitest run",
6967
"test:watch": "vitest"
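Review bot: removing `prepublishOnly` also removes the only guard against a maintainer running `npm publish` from a laptop with a personal npm token, where nothing would build, lint or test first and no provenance attestation would be attached. If CI is meant to be the sole publish path, make that explicit: keep a `prepublishOnly` that refuses outside CI (for example `"prepublishOnly": "[ -n \"$CI\" ] || (echo 'publish via the release workflow' && exit 1)"`), and switch the package's npm publishing-access setting to disallow token publishing once trusted publishing is confirmed working. Dropping `postpublish` (`git push --follow-tags`) is fine, since releases now start from a tag that is already pushed.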
