feat: adopt trusted publishers (#121)

adopting https://docs.npmjs.com/trusted-publishers for better
transparency and supply chain security.

Author: mnahkies

.github/workflows/ci.yml

@@ -15,11 +15,6 @@ permissions:
 jobs:
   build:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: [22.x]
-        # See supported Node.js release schedule at https://nodejs.org/en/about/releases/
-
     steps:
     - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
@@ -28,11 +23,11 @@ jobs:
     - name: Install pnpm
       uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
 
-    - name: Use Node.js ${{ matrix.node-version }}
+    - name: Use Node.js
       uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         registry-url: "https://registry.npmjs.org"
-        node-version: ${{ matrix.node-version }}
+        node-version-file: '.nvmrc'
         cache: "pnpm"
 
     - run: pnpm install --frozen-lockfile
@@ -42,11 +37,3 @@ jobs:
     - run: pnpm run ci-test
 
     - run: pnpm run ci-lint
-
-    - name: Publish documentation
-      if: github.ref == 'refs/heads/master'
-      run: |
-        git config user.name "github-actions[bot]"
-        git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
-        git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY
-        pnpm run publish:gh-pages

.github/workflows/publish.yml

@@ -0,0 +1,56 @@
+name: publish
+on:
+  push:
+    tags:
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          fetch-depth: 0
+
+      - name: Install pnpm
+        uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+
+      - name: Use Node.js
+        uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+        with:
+          registry-url: "https://registry.npmjs.org"
+          node-version-file: '.nvmrc'
+          cache: "pnpm"
+
+      - name: Validate tag matches package.json
+        run: |
+          TAG_VERSION="${{ github.ref_name }}"
+          PKG_VERSION=$(jq -r .version projects/ng-qrcode/package.json)
+
+          echo "Git tag version: $TAG_VERSION"
+          echo "package.json version: $PKG_VERSION"
+
+          if [ "$TAG_VERSION" != "$PKG_VERSION" ]; then
+            echo "ERROR: Git tag does not match package.json version"
+            exit 1
+          fi
+
+      - run: pnpm install --frozen-lockfile
+
+      - run: pnpm run build-for-publish
+
+      - name: Publish to npm
+        working-directory: ./dist/ng-qrcode
+        run: |
+          pnpm publish
+
+      - name: Publish documentation
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/$GITHUB_REPOSITORY
+          pnpm run publish:gh-pages

CHANGES.md

@@ -1,3 +1,7 @@
+# 20.0.1 - 2025-10-26
+- Adopt trusted publishers (#121)
+- Switch to `pnpm` and adopt a 1 week minimum release age for dependencies (#116)
+
 # 20.0.0 - 2025-05-31
 - Support Angular 20 (#115)
 

package.json

@@ -16,18 +16,18 @@
     "url": "https://github.com/mnahkies/ng-qrcode/issues"
   },
   "scripts": {
-    "postinstall": "husky",
+    "prepare": "husky",
     "clean": "rm -rf ./dist ./coverage",
     "docs:generate": "node ./scripts/generate-toc.mjs",
     "start": "ng serve",
     "build": "ng build --project ng-qrcode --configuration production",
-    "build-for-publish": "ng build --project ng-qrcode --configuration production && cp ./README.md ./CHANGES.md ./LICENSE ./dist/ng-qrcode/",
+    "build-for-publish": "ng build --project ng-qrcode --configuration production && pnpm run copy:docs",
     "build-demo-app": "ng build --project=ng-qrcode-demo --configuration production --base-href '/ng-qrcode/'",
     "publish:gh-pages": "pnpm run build-demo-app && pnpm exec gh-pages -d ./dist/ng-qrcode-demo/browser -b gh-pages --nojekyll",
     "test": "ng test",
     "lint": "ng lint",
-    "ci-pipeline": "pnpm run clean && pnpm run ci-build && pnpm run ci-test && pnpm run ci-lint",
-    "postci-pipeline": "cp ./README.md ./CHANGES.md ./LICENSE ./dist/ng-qrcode/",
+    "ci-pipeline": "pnpm run clean && pnpm run ci-build && pnpm run ci-test && pnpm run ci-lint && pnpm run copy:docs",
+    "copy:docs": "cp ./README.md ./CHANGES.md ./LICENSE ./dist/ng-qrcode/",
     "ci-build": "ng build --project ng-qrcode --configuration production && ng build --project=ng-qrcode-demo --configuration production",
     "ci-test": "ng test --code-coverage",
     "ci-lint": "ng lint"

pnpm-workspace.yaml

@@ -1,2 +1,4 @@
 minimumReleaseAge: 10080 # 7 days in minutes
 
+# GH actions doesn't checkout the branch
+gitChecks: false

projects/ng-qrcode/package.json

@@ -1,7 +1,7 @@
 {
   "name": "ng-qrcode",
   "description": "Simple AOT compatible QR code generator for your Angular project.",
-  "version": "20.0.0",
+  "version": "20.0.1",
   "license": "MIT",
   "author": {
     "name": "Michael Nahkies",