ci: fix delivery pipeline

Author: adbayb

.changeset/deep-hairs-sniff.md

@@ -0,0 +1,5 @@
+---
+"@adbayb/stack": minor
+---
+
+Update template to allow trusted publishing for npm packages following the long-lived tokens npm deprecation.

.github/workflows/continuous_delivery.yml

@@ -16,28 +16,22 @@ jobs:
         runs-on: ubuntu-latest
         permissions:
             contents: write
+            id-token: write
             pull-requests: write
         steps:
-            - uses: actions/checkout@v5
-            - uses: pnpm/action-setup@v4
+            - uses: actions/checkout@v6
+            - uses: pnpm/action-setup@v5
             - uses: actions/setup-node@v6
               with:
-                  node-version-file: ".nvmrc"
                   cache: pnpm
-            - name: Setup .npmrc
-              run: |
-                  cat << EOF > "$HOME/.npmrc"
-                    //registry.npmjs.org/:_authToken=$NPM_TOKEN
-                  EOF
-              env:
-                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+                  node-version-file: ".nvmrc"
             - name: Install dependencies
               run: pnpm install --frozen-lockfile
             - name: Publish pre-release version(s)
               if: "!contains(github.event.head_commit.message, 'chore: release package(s)')"
               run: |
-                  pnpm --filter="!./(applications|examples|tools)/*" --recursive exec pnpm version "$(pnpm show ./ version)-next-${GITHUB_SHA::7}"
-                  pnpm --filter="!./(applications|examples|tools)/*" --recursive exec pnpm publish --tag next --no-git-checks
+                  pnpm --filter="!." --filter="!./(applications|examples|tools)/*" --recursive exec pnpm version "$(pnpm show ./ version)-next-${GITHUB_SHA::7}" --no-git-tag-version
+                  pnpm --filter="!." --filter="!./(applications|examples|tools)/*" --recursive exec pnpm publish --tag next --no-git-checks
             - name: Create release pull request
               if: "!contains(github.event.head_commit.message, 'chore: release package(s)')"
               uses: changesets/action@v1

.github/workflows/conventional_commit.yml

@@ -29,8 +29,7 @@ jobs:
                   requireScope: false
                   subjectPattern: ^(?![A-Z]).+$
                   subjectPatternError: The subject must start with a lowercase character
-            # Create a sticky comment to display the detailed error
-            - uses: marocchino/sticky-pull-request-comment@v2
+            - uses: marocchino/sticky-pull-request-comment@v3
               if: always() && (steps.check_pr_rule.outputs.error_message != null)
               with:
                   header: check_pr_comment

.github/workflows/dependency_changelog.yml

@@ -12,7 +12,7 @@ jobs:
         if: github.actor == 'renovate[bot]'
         steps:
             - name: Checkout
-              uses: actions/checkout@v5
+              uses: actions/checkout@v6
               with:
                   fetch-depth: 2
                   ref: ${{ github.head_ref }}

.github/workflows/workflow.yml

@@ -9,22 +9,12 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Checkout the code
-              uses: actions/checkout@v5
-            - uses: pnpm/action-setup@v4
+              uses: actions/checkout@v6
+            - uses: pnpm/action-setup@v5
             - uses: actions/setup-node@v6
               with:
-                  node-version-file: ".nvmrc"
                   cache: pnpm
-            - name: Setup cache
-              id: cache
-              uses: actions/cache@v4
-              with:
-                  path: |
-                      ./node_modules
-                      ./turbo
-                  key: ${{ runner.os }}-cache-${{ github.sha }}
-                  restore-keys: |
-                      ${{ runner.os }}-cache-
+                  node-version-file: ".nvmrc"
             - name: Install dependencies
               run: pnpm install --frozen-lockfile
             - name: Build

.npmrc

@@ -1,8 +1 @@
 save-exact=true
-public-hoist-pattern[]=*changesets*
-public-hoist-pattern[]=*commitlint*
-public-hoist-pattern[]=*eslint*
-public-hoist-pattern[]=*prettier*
-public-hoist-pattern[]=*turbo*
-public-hoist-pattern[]=*typescript*
-public-hoist-pattern[]=*types*

pnpm-workspace.yaml

@@ -1,3 +1,11 @@
 packages:
     - "stack"
     - "stack/create"
+publicHoistPattern:
+    - "*changesets*"
+    - "*commitlint*"
+    - "*eslint*"
+    - "*prettier*"
+    - "*turbo*"
+    - "*typescript*"
+    - "*types*"

stack/templates/multi-projects/.github/workflows/continuous_delivery.yml

@@ -16,28 +16,22 @@ jobs:
         runs-on: ubuntu-latest
         permissions:
             contents: write
+            id-token: write
             pull-requests: write
         steps:
-            - uses: actions/checkout@v5
-            - uses: pnpm/action-setup@v4
+            - uses: actions/checkout@v6
+            - uses: pnpm/action-setup@v5
             - uses: actions/setup-node@v6
               with:
-                  node-version-file: ".nvmrc"
                   cache: pnpm
-            - name: Setup .npmrc
-              run: |
-                  cat << EOF > "$HOME/.npmrc"
-                    //registry.npmjs.org/:_authToken=$NPM_TOKEN
-                  EOF
-              env:
-                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+                  node-version-file: ".nvmrc"
             - name: Install dependencies
               run: pnpm install --frozen-lockfile
             - name: Publish pre-release version(s)
               if: "!contains(github.event.head_commit.message, 'chore: release package(s)')"
               run: |
-                  pnpm --filter="!./(applications|examples|tools)/*" --recursive exec pnpm version "$(pnpm show ./ version)-next-${GITHUB_SHA::7}"
-                  pnpm --filter="!./(applications|examples|tools)/*" --recursive exec pnpm publish --tag next --no-git-checks
+                  pnpm --filter="!." --filter="!./(applications|examples|tools)/*" --recursive exec pnpm version "$(pnpm show ./ version)-next-${GITHUB_SHA::7}" --no-git-tag-version
+                  pnpm --filter="!." --filter="!./(applications|examples|tools)/*" --recursive exec pnpm publish --tag next --no-git-checks
             - name: Create release pull request
               if: "!contains(github.event.head_commit.message, 'chore: release package(s)')"
               uses: changesets/action@v1

stack/templates/multi-projects/.github/workflows/conventional_commit.yml

@@ -29,8 +29,7 @@ jobs:
                   requireScope: false
                   subjectPattern: ^(?![A-Z]).+$
                   subjectPatternError: The subject must start with a lowercase character
-            # Create a sticky comment to display the detailed error
-            - uses: marocchino/sticky-pull-request-comment@v2
+            - uses: marocchino/sticky-pull-request-comment@v3
               if: always() && (steps.check_pr_rule.outputs.error_message != null)
               with:
                   header: check_pr_comment

stack/templates/multi-projects/.github/workflows/dependency_changelog.yml

@@ -12,7 +12,7 @@ jobs:
         if: github.actor == 'renovate[bot]'
         steps:
             - name: Checkout
-              uses: actions/checkout@v5
+              uses: actions/checkout@v6
               with:
                   fetch-depth: 2
                   ref: ${{ github.head_ref }}