Feature/pnpm trusted publisher #100
* Changed to pnpm as the package manager
* altered npm to use "Trusted Publisher"
* updated node-version

* Changed to pnpm as the package manager
* Altered npm to use "Trusted Publisher"
* Updated node-version
* Fixed Fossa workflow
* Bumped workflow versions
Feature/pnpm trusted publisher
use standard runners for Trusted Publishing
…stEdge-sdk-js into feature/pnpm-trusted-publisher
Fossa workflow now passing and set as a requirement
…stEdge-sdk-js into feature/pnpm-trusted-publisher
Pull request overview
This PR migrates the project from npm to pnpm as the package manager and implements npm's Trusted Publishing for secure package releases without requiring manual NPM_TOKEN management. The changes include:
- Migration from npm to pnpm package manager with version 10+
- Node.js minimum version increased from 18 to 20
- Major version bump from 1.3.0 to 2.1.0
- Implementation of npm provenance for supply chain security
Key Changes:
- Package manager migration with new lockfiles and configuration
- GitHub Actions workflows updated to use OIDC-based npm publishing
- New composite action for standardized Node.js environment setup
- TypeScript type correction for better compatibility
Reviewed changes
Copilot reviewed 15 out of 20 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| package.json | Major version bump to 2.1.0, engine requirements updated to Node >=20 and pnpm >=10, added pnpm config and provenance setting |
| src/server/static-assets/asset-loader/embedded-store-entry/embedded-store-entry.ts | Changed import from UnderlyingSource to UnderlyingDefaultSource for better type compatibility |
| docs/pnpm-lock.yaml | New pnpm lockfile for documentation dependencies |
| docs/package.json | Added pnpm configuration and updated sharp dependency |
| docs/.node-version | Pinned Node version to 24.12.0 |
| .node-version | Pinned Node version to 24.12.0 for root project |
| .gitignore | Added package-lock.json to ignore npm lockfiles |
| docs/.gitignore | Added package-lock.json to ignore npm lockfiles |
| README.md | Updated Node version requirement from v18 to v20 |
| .github/workflows/release.yaml | Removed NPM_TOKEN, added id-token permission for trusted publishing, updated to ubuntu-latest runner |
| .github/workflows/unit-tests.yaml | Updated Node versions tested to 20.x, 22.x, 24.x and refactored to use composite action |
| .github/workflows/fossa.yaml | Added permissions, updated checkout action, improved secret handling |
| .github/workflows/docs.yaml | Refactored to use composite setup-node action |
| .github/workflows/deploy.yaml | Removed NPM_TOKEN secret, added FOSSA_PUB_API_KEY secret passing |
| .github/workflows/code-validation.yaml | Refactored to use composite setup-node action |
| .github/workflows/build-libs.yaml | Refactored to use composite setup-node action |
| .github/setup-node/action.yaml | New composite action for standardized Node and pnpm setup across workflows |
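An added example, not code from this pull request or the project: a text-level check that a release workflow matches the changes listed for `.github/workflows/release.yaml` in the review summary (no `NPM_TOKEN`, `id-token: write` granted, no self-hosted runner). Both workflow snippets, the function name `audit_release_workflow` and the finding labels are constructed for illustration, and reading "standard runners" as "not self-hosted" is an assumption.

```python
import re

# Constructed workflow snippets (not the repository's release.yaml).
TOKEN_BASED = """\
jobs:
  release:
    runs-on: [self-hosted, linux]
    steps:
      - run: npx semantic-release
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

TRUSTED = """\
permissions:
  contents: write
  id-token: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - run: npx semantic-release
"""

def _strip_comments(text):
    # Drop full-line and trailing YAML comments so commented-out keys don't count.
    return "\n".join(re.sub(r"(^|\s)#.*$", "", line) for line in text.splitlines())

def audit_release_workflow(text):
    """Return a sorted list of findings; an empty list means the checks pass."""
    body = _strip_comments(text)
    findings = set()
    # OIDC-based publishing needs the job to be allowed to request an ID token.
    if not re.search(r"^\s*id-token:\s*write\s*$", body, re.M):
        findings.add("missing-id-token-write")
    # A leftover NPM_TOKEN means a long-lived secret is still wired into the job.
    if re.search(r"\bNPM_TOKEN\b", body):
        findings.add("long-lived-npm-token")
    # Assumption: "standard runners" means the job must not target self-hosted ones.
    for match in re.finditer(r"^\s*runs-on:\s*(.+)$", body, re.M):
        if "self-hosted" in match.group(1):
            findings.add("self-hosted-runner")
    return sorted(findings)

if __name__ == "__main__":
    print("token-based:", audit_release_workflow(TOKEN_BASED))
    print("trusted:", audit_release_workflow(TRUSTED))
```

The check works on raw text rather than parsed YAML, so it suits a quick pre-merge gate; it does not confirm that the package has a trusted publisher configured on the registry side.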
ensure semantic release @25 is downloaded for releases
speed up dry-run vs deploy runs
🎉 This PR is included in version 2.2.0-alpha.3 🎉 The release is available on: Your semantic-release bot 📦🚀
🎉 This PR is included in version 2.2.0 🎉 The release is available on: Your semantic-release bot 📦🚀
No description provided.