chore: modernize release pipeline with OIDC trusted publishing

.github/workflows/ci.yml

@@ -6,6 +6,9 @@ on:
       - main
   pull_request:
 
+permissions:
+  contents: read
+
 jobs:
   test:
     name: Test & Build
@@ -17,10 +20,10 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Setup Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'yarn'

.github/workflows/publish.yml

@@ -0,0 +1,92 @@
+# Publishes react-align to npm with provenance via npm Trusted Publishing
+# (OIDC).
+#
+# Prerequisites (one-time setup, do these BEFORE the first tag push):
+#   1. On npmjs.com: react-align package settings → Trusted publishers →
+#      add this repo (reearth/react-align) and this workflow filename
+#      (publish.yml). This tells npm to accept OIDC tokens minted by this
+#      exact workflow instead of an NPM_TOKEN secret.
+#   2. On GitHub: Settings → Environments → create `npm-publish` with
+#      required reviewers. The publish job pauses for manual approval, so
+#      a compromised tag push can't auto-publish.
+#
+# Release flow:
+#   1. Run the `Release` workflow (release.yml) to open a release PR.
+#   2. Merge the PR.
+#   3. Push the matching tag (e.g. `v2.4.0`). This workflow fires.
+#   4. Approve the `npm-publish` environment in the run page.
+#   5. npm receives the package with a provenance attestation; anyone can
+#      verify with `npm audit signatures`.
+#
+# Dist-tag selection:
+#   Stable tags like `v2.4.0` publish to the default `latest` dist-tag —
+#   `npm install react-align` picks them up automatically.
+#   Pre-release tags like `v2.4.0-rc.0` or `v3.0.0-beta.1` (anything with a
+#   hyphen) publish to the `next` dist-tag instead, so they don't replace
+#   `latest`. Users opt in via `npm install react-align@next`.
+
+name: Publish
+
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: read
+
+jobs:
+  npm:
+    name: npm publish
+    runs-on: ubuntu-latest
+    environment: npm-publish # gates publish on required reviewer approval
+    permissions:
+      contents: read
+      id-token: write # for npm provenance and trusted publishing
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          # npm Trusted Publishing requires Node >=22.14 and npm >=11.5.1.
+          # This repo uses yarn for development, so we activate a recent
+          # npm via corepack just for the publish step rather than
+          # declaring `packageManager: "npm@..."` in package.json (which
+          # would conflict with the yarn-based dev workflow).
+          node-version: "22"
+          registry-url: "https://registry.npmjs.org"
+          cache: "yarn"
+      - name: Activate npm via corepack
+        # Trusted Publishing needs npm >=11.5.1; Node 22 ships npm 10.x.
+        # corepack fetches a fresh npm binary directly, bypassing the
+        # buggy `npm install -g npm@latest` self-upgrade path.
+        run: |
+          corepack enable npm
+          corepack prepare npm@11.14.1 --activate
+          npm --version
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+      - name: Verify tag matches package.json version
+        # The release PR already bumped package.json. We just sanity-check
+        # that the pushed tag matches, then publish — no version mutation
+        # here, so the npm tarball is exactly what merged to main.
+        run: |
+          PKG_VERSION=$(node -p "require('./package.json').version")
+          TAG_VERSION="${GITHUB_REF_NAME#v}"
+          if [ "$PKG_VERSION" != "$TAG_VERSION" ]; then
+            echo "::error::Tag $GITHUB_REF_NAME (=> $TAG_VERSION) does not match package.json version $PKG_VERSION"
+            exit 1
+          fi
+          echo "Publishing version $PKG_VERSION"
+      - name: Build
+        run: yarn build
+      - name: Publish to npm with provenance
+        # Pre-release tags (vX.Y.Z-foo) go to the `next` dist-tag so they
+        # don't replace `latest`. Stable tags (vX.Y.Z) go to `latest`.
+        run: |
+          if [[ "$GITHUB_REF_NAME" == *-* ]]; then
+            echo "Pre-release detected; publishing to dist-tag 'next'"
+            npm publish --provenance --access public --tag next
+          else
+            echo "Stable release; publishing to dist-tag 'latest'"
+            npm publish --provenance --access public
+          fi

.github/workflows/release.yml

@@ -12,6 +12,9 @@ on:
           - minor
           - major
 
+permissions:
+  contents: read
+
 jobs:
   create-release-pr:
     runs-on: ubuntu-latest
@@ -23,12 +26,12 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: '20'
           cache: 'yarn'
@@ -151,7 +154,7 @@ jobs:
           fi
 
       - name: Create Pull Request
-        uses: peter-evans/create-pull-request@v8
+        uses: peter-evans/create-pull-request@5f6978faf089d4d20b00c7766989d076bb2fc7f1 # v8.1.1
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           branch: release/v${{ steps.bump_version.outputs.new_version }}
@@ -169,9 +172,8 @@ jobs:
             ### Release Checklist
             - [ ] Review changelog and version bump
             - [ ] Merge this PR to main
-            - [ ] Create a GitHub release from main with tag `v${{ steps.bump_version.outputs.new_version }}`
-            - [ ] Run `yarn build` locally
-            - [ ] Run `npm publish` to publish to npm registry
+            - [ ] Push the tag `v${{ steps.bump_version.outputs.new_version }}` (`git tag v${{ steps.bump_version.outputs.new_version }} && git push origin v${{ steps.bump_version.outputs.new_version }}`)
+            - [ ] Approve the `npm-publish` environment on the resulting Publish workflow run to publish to npm with provenance
 
             ---
             *This PR was automatically generated by the release workflow*

package.json

@@ -3,6 +3,12 @@
   "version": "2.3.1",
   "author": "KaWaite",
   "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/reearth/react-align.git"
+  },
+  "homepage": "https://github.com/reearth/react-align#readme",
+  "bugs": "https://github.com/reearth/react-align/issues",
   "main": "./dist/react-align.umd.js",
   "module": "./dist/react-align.mjs",
   "types": "./dist/index.d.ts",
@@ -23,7 +29,7 @@
     "src"
   ],
   "engines": {
-    "node": ">=10"
+    "node": ">=20"
   },
   "peerDependencies": {
     "@hello-pangea/dnd": "*",
@@ -35,12 +41,12 @@
     "trailingComma": "es5"
   },
   "resolutions": {
-    "@types/react": "19.2.10",
+    "@types/react": "19.2.14",
     "@types/react-dom": "19.2.3",
-    "**/@types/react": "19.2.10",
+    "**/@types/react": "19.2.14",
     "**/@types/react-dom": "19.2.3",
     "minimist": "^1.2.8",
-    "@babel/runtime": "^7.26.10",
+    "@babel/runtime": "^7.29.2",
     "js-yaml": "^4.1.1"
   },
   "devDependencies": {
@@ -49,17 +55,17 @@
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.2",
     "@testing-library/user-event": "^14.6.1",
-    "@types/react": "^19.2.10",
+    "@types/react": "^19.2.14",
     "@types/react-dom": "^19.2.3",
     "@vitejs/plugin-react": "^5.1.2",
-    "eslint": "^9.39.2",
+    "eslint": "^9.39.4",
     "eslint-config-reearth": "^0.3.8",
     "husky": "^9.1.7",
     "jsdom": "^27.4.0",
-    "postcss": "^8.5.6",
-    "prettier": "^3.8.1",
-    "react": "^19.2.4",
-    "react-dom": "^19.2.4",
+    "postcss": "^8.5.14",
+    "prettier": "^3.8.3",
+    "react": "^19.2.6",
+    "react-dom": "^19.2.6",
     "tslib": "^2.8.1",
     "typescript": "^5.9.3",
     "vite": "^7.3.1",