From 9161814e667debf74bd4f7aa099fabbb5ab37035 Mon Sep 17 00:00:00 2001
From: Daniel Brooks <bass_rock@me.com>
Date: Thu, 30 Nov 2023 06:41:18 -0800
Subject: [PATCH] fix(ci): cleaning up github ci

---
 .github/workflows/build.yml   | 51 +++++++++++++++++++++++++++++
 .github/workflows/publish.yml | 61 ++++++++++++++++++++---------------
 package.json                  |  4 ++-
 3 files changed, 89 insertions(+), 27 deletions(-)
 create mode 100644 .github/workflows/build.yml

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
new file mode 100644
index 0000000..e7536ff
--- /dev/null
+++ b/.github/workflows/build.yml
@@ -0,0 +1,51 @@
+name: Build
+ 
+on:
+    pull_request:
+      branches: ["main"]  
+ 
+jobs:
+  validator:
+      runs-on: ubuntu-latest
+      steps:
+       - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
+       - uses: RoadieHQ/backstage-entity-validator@70da3dfb77cb4d0e150b9f6de953b806837d16df # tag=v0.3.2
+         with:
+           path: 'catalog-info.yaml'
+  ##
+  # Runs semantic release in a dryRun configuration
+  ##
+  check-semver:
+    name: Check Semantic Release Type
+    timeout-minutes: 15
+    runs-on: ubuntu-latest
+
+    # https://github.com/semantic-release/npm
+    permissions:
+        contents: write # to be able to publish a GitHub release
+        issues: write # to be able to comment on released issues
+        pull-requests: write # to be able to comment on released pull requests
+        id-token: write # to enable use of OIDC for npm provenance
+
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 2
+
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v3
+        with:
+          node-version: 20
+          registry-url: 'https://registry.npmjs.org'
+      - run: npm install -g npm
+      - name: Install dependencies
+        run: npm ci
+      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+        run: npm audit signatures
+      - name: Check SemVer
+        run: npm release:check 
+        env:
+            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+            NPM_CONFIG_PROVENANCE: true
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d97e323..aa6fd79 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,35 +1,44 @@
-name: Node.js Package
-
+name: Build
+ 
 on:
-  pull_request:
-    branches:
-      - main
-  push:
-    branches:
-      - main
-
+    push:
+      branches: ["main"]  
+ 
 jobs:
-  validator:
+  ##
+  # Runs semantic release in a regular
+  ##
+  check-semver:
+    name: Check Semantic Release Type
+    timeout-minutes: 15
     runs-on: ubuntu-latest
+
+    # https://github.com/semantic-release/npm
+    permissions:
+        contents: write # to be able to publish a GitHub release
+        issues: write # to be able to comment on released issues
+        pull-requests: write # to be able to comment on released pull requests
+        id-token: write # to enable use of OIDC for npm provenance
+
     steps:
-      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
-      - uses: RoadieHQ/backstage-entity-validator@70da3dfb77cb4d0e150b9f6de953b806837d16df # tag=v0.3.2
+      - name: Check out code
+        uses: actions/checkout@v4
         with:
-          path: 'catalog-info.yaml'
+          fetch-depth: 2
 
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
-      - uses: actions/setup-node@17f8bd926464a1afa4c6a11669539e9c1ba77048 # tag=v3.2.0
+      - name: Setup Node.js environment
+        uses: actions/setup-node@v3
         with:
-          node-version: '16.x'
+          node-version: 20
           registry-url: 'https://registry.npmjs.org'
-          scope: '@pocket-tools'
-      - run: npm ci
-      - name: Semantic Release
-        uses: cycjimmy/semantic-release-action@v2
+      - run: npm install -g npm
+      - name: Install dependencies
+        run: npm ci
+      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+        run: npm audit signatures
+      - name: Check SemVer
+        run: npm release 
         env:
-          GITHUB_TOKEN: ${{ secrets.CI_GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
\ No newline at end of file
+            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+            NPM_CONFIG_PROVENANCE: true
diff --git a/package.json b/package.json
index 92fdbee..371b83c 100644
--- a/package.json
+++ b/package.json
@@ -15,7 +15,9 @@
     "bin/install.js"
   ],
   "scripts": {
-    "postinstall": "node bin/install.js"
+    "postinstall": "node bin/install.js",
+    "release": "semantic-release",
+    "release:check": "semantic-release --dryRun"
   },
   "keywords": [
     "tsconfig"