Merge branch 'main' into css/v7-values/early

Author: caugner

.github/CODEOWNERS

@@ -6,5 +6,18 @@
 # https://docs.github.com/en/free-pro-team@latest/github/creating-cloning-and-archiving-repositories/about-code-owners
 
 /schemas/ @mdn/bcd-owners
-/.github/workflows/ @mdn/engineering
-/.github/CODEOWNERS @mdn/engineering
+
+/.github/ @mdn/engineering
+/.vscode/ @mdn/engineering
+/lint/    @mdn/engineering
+/scripts/ @mdn/engineering
+/types/   @mdn/engineering
+/utils/   @mdn/engineering
+/*        @mdn/engineering
+/package.json      @mdn/engineering @mdn-bot
+/package-lock.json @mdn/engineering @mdn-bot
+
+# Exclude some paths
+/.github/ISSUE_TEMPLATE/
+/.github/PULL_REQUESET_TEMPLATE.md
+/*.md

.github/workflows/add-push-artifacts.yml

@@ -11,23 +11,23 @@ jobs:
     name: Enumerate and diff features
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0 # get the full repository checkout, not just the inciting commit
           persist-credentials: false
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version-file: ".nvmrc"
           cache: npm
           package-manager-cache: true
       - run: npm ci
       - run: npx tsx ./scripts/enumerate-features.ts features.json
       - run: npx tsx ./scripts/diff-features.ts --no-github --format=json > features.diff.json
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: enumerate-features
           path: features.json
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: diff-features
           path: features.diff.json

.github/workflows/issue-regex-labeler.yml

@@ -12,7 +12,7 @@ jobs:
   issue-labeler:
     runs-on: ubuntu-latest
     steps:
-      - uses: github/[email protected]
+      - uses: github/issue-labeler@c1b0f9f52a63158c4adc09425e858e87b32e9685 # v3.4
         with:
           configuration-path: .github/issue-regex-labeler.yml
           enable-versioned-regex: 0

.github/workflows/labeler.yml

@@ -11,13 +11,13 @@ jobs:
   label-py-path:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v6
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           sync-labels: true
 
   label-by-size:
-    if: github.actor != 'dependabot[bot]' && !startsWith(github.event.pull_request.title, 'Release v')
+    if: github.secret_source == 'Actions' && !startsWith(github.event.pull_request.title, 'Release v')
     needs: label-py-path
     runs-on: ubuntu-latest
     steps:

.github/workflows/node.js.yml

@@ -13,10 +13,10 @@ jobs:
     name: Active LTS
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version-file: ".nvmrc"
           cache: npm

.github/workflows/ping-other-repos.yml

@@ -2,6 +2,8 @@ name: PR Needs Rebase
 on:
   push:
   pull_request_target:
+    branches:
+      - main
     types: [synchronize]
 
 permissions:

.github/workflows/pr-rebase-needed.yml

@@ -20,12 +20,12 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version-file: ".nvmrc"
           package-manager-cache: false

.github/workflows/pr-review-companion.yml

@@ -19,13 +19,13 @@ concurrency:
 
 jobs:
   manage-release-pr:
-    if: github.repository == 'mdn/browser-compat-data' && github.actor != 'dependabot[bot]' && !startsWith(github.event.head_commit.message, 'Release v')
+    if: github.repository == 'mdn/browser-compat-data' && github.secret_source == 'Actions' && !startsWith(github.event.head_commit.message, 'Release v')
     name: Manage release PR
     runs-on: ubuntu-latest
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
           fetch-tags: true
@@ -34,7 +34,7 @@ jobs:
           persist-credentials: true
 
       - name: Setup Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version-file: ".nvmrc"
           package-manager-cache: false

.github/workflows/release-pr.yml

@@ -15,6 +15,7 @@ env:
 
 permissions:
   contents: write
+  id-token: write # OIDC for npm Trusted Publishing
   issues: write
 
 jobs:
@@ -25,7 +26,7 @@ jobs:
 
     steps:
       - name: Checkout (BCD)
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
@@ -41,16 +42,19 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
         with:
           node-version-file: ".nvmrc"
           package-manager-cache: false
           registry-url: "https://registry.npmjs.org/"
 
+      # Ensure npm 11.5.1 or later for trusted publishing
+      - run: npm install -g npm@latest
+
       - run: npm ci
 
       - run: npm test
@@ -59,9 +63,7 @@ jobs:
 
       - run: npm run build
 
-      - run: npm publish build/ --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - run: npm publish build/ --access public --provenance
 
       - name: Add JSON as a release asset
         run: gh release upload ${GITHUB_REF#refs/*/} build/data.json
@@ -70,7 +72,7 @@ jobs:
       #   run: npm run --silent stats | gh issue comment https://github.com/mdn/browser-compat-data/issues/3555 --body-file -
 
       - name: Trigger BCD deployment
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.DISPATCH_PAT }}
           script: |