build: pin actions and switch npm publish to oidc

dgreif · Copilot · dgreif · commit 591276ab7153 · 2026-06-02T19:28:16.000-04:00
Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,9 +4,11 @@ updates:
     directory: /
     schedule:
       interval: weekly
+    groups:
+      npm:
+        patterns:
+          - "*"
   - package-ecosystem: github-actions
     directory: /
     schedule:
       interval: weekly
-    cooldown:
-      default-days: 3
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -6,10 +6,9 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      # TODO: Pin third-party actions to full commit SHAs after validating the current tags.
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
       - name: Use Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 26
           cache: npm
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -12,9 +12,8 @@ jobs:
   publish-npm:
     runs-on: ubuntu-latest
     steps:
-      # TODO: Pin third-party actions to full commit SHAs after validating the current tags.
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 26
           registry-url: https://registry.npmjs.org/
@@ -25,7 +24,4 @@ jobs:
       - run: npm version ${TAG_NAME} --git-tag-version=false
         env:
           TAG_NAME: ${{ github.event.release.tag_name }}
-      # TODO: This job publishes with an npm token; review secret scope before widening triggers or permissions.
-      - run: npm whoami; npm --ignore-scripts publish --provenance
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.npm_token}}
+      - run: npm publish --ignore-scripts --provenance
diff --git a/.nvmrc b/.nvmrc
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -30,7 +30,7 @@
     "eslint": "^8.0.1",
     "eslint-plugin-github": "^5.0.2",
     "nodejs-websocket": "^1.7.2",
-    "playwright": "1.55.1",
+    "playwright": "^1.60.0",
     "rollup": "^4.24.0",
     "typescript": "^5.6.3",
     "vitest": "^4.1.7"
@@ -41,8 +41,5 @@
       "plugin:github/recommended",
       "plugin:github/typescript"
     ]
-  },
-  "engines": {
-    "node": ">=26"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@`
`30`	`30`	`"eslint": "^8.0.1",`
`31`	`31`	`"eslint-plugin-github": "^5.0.2",`
`32`	`32`	`"nodejs-websocket": "^1.7.2",`
`33`		`- "playwright": "1.55.1",`
	`33`	`+ "playwright": "^1.60.0",`
`34`	`34`	`"rollup": "^4.24.0",`
`35`	`35`	`"typescript": "^5.6.3",`
`36`	`36`	`"vitest": "^4.1.7"`
`@@ -41,8 +41,5 @@`
`41`	`41`	`"plugin:github/recommended",`
`42`	`42`	`"plugin:github/typescript"`
`43`	`43`	`]`
`44`		`- },`
`45`		`- "engines": {`
`46`		`- "node": ">=26"`
`47`	`44`	`}`
`48`	`45`	`}`