#68: proper ci cd for npm package publishing

.github/dependabot.yml

@@ -0,0 +1,119 @@
+
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    schedule:
+      interval: "daily"
+      time: "02:00"
+    commit-message:
+      prefix: ":arrow_up: maint"
+      include: scope
+    directory: "/"
+
+  - package-ecosystem: "npm"
+    schedule:
+      interval: "daily"
+      time: "02:00"
+    commit-message:
+      prefix: ":arrow_up: maint"
+      include: scope
+    directory: "/packages/ide/jetbrains"
+
+  - package-ecosystem: "npm"
+    schedule:
+      interval: "daily"
+      time: "02:00"
+    commit-message:
+      prefix: ":arrow_up: maint"
+      include: scope
+    directory: "/packages/language"
+
+  - package-ecosystem: "npm"
+    schedule:
+      interval: "daily"
+      time: "02:00"
+    commit-message:
+      prefix: ":arrow_up: maint"
+      include: scope
+    directory: "/packages/misc/redwood"
+
+  - package-ecosystem: "npm"
+    schedule:
+      interval: "daily"
+      time: "02:00"
+    commit-message:
+      prefix: ":arrow_up: maint"
+      include: scope
+    directory: "/packages/plugins/openapi"
+
+  - package-ecosystem: "npm"
+    schedule:
+      interval: "daily"
+      time: "02:00"
+    commit-message:
+      prefix: ":arrow_up: maint"
+      include: scope
+    directory: "/packages/plugins/swr"
+
+  - package-ecosystem: "npm"
+    schedule:
+      interval: "daily"
+      time: "02:00"
+    commit-message:
+      prefix: ":arrow_up: maint"
+      include: scope
+    directory: "/packages/plugins/tanstack-query"
+
+  - package-ecosystem: "npm"
+    schedule:
+      interval: "daily"
+      time: "02:00"
+    commit-message:
+      prefix: ":arrow_up: maint"
+      include: scope
+    directory: "/packages/plugins/trpc"
+
+  - package-ecosystem: "npm"
+    schedule:
+      interval: "daily"
+      time: "02:00"
+    commit-message:
+      prefix: ":arrow_up: maint"
+      include: scope
+    directory: "/packages/runtime"
+
+  - package-ecosystem: "npm"
+    schedule:
+      interval: "daily"
+      time: "02:00"
+    commit-message:
+      prefix: ":arrow_up: maint"
+      include: scope
+    directory: "/packages/sdk"
+
+  - package-ecosystem: "npm"
+    schedule:
+      interval: "daily"
+      time: "02:00"
+    commit-message:
+      prefix: ":arrow_up: maint"
+      include: scope
+    directory: "/packages/server"
+
+  - package-ecosystem: "npm"
+    schedule:
+      interval: "daily"
+      time: "02:00"
+    commit-message:
+      prefix: ":arrow_up: maint"
+      include: scope
+    directory: "/packages/testtools"
+
+  - package-ecosystem: "github-actions"
+    schedule:
+      interval: "daily"
+      time: "02:00"
+    commit-message:
+      prefix: ":arrow_up: maint"
+      include: scope
+    directory: "/"

.github/release/.release-manifest.json

@@ -0,0 +1,14 @@
+{
+    ".": "2.0.0-alpha.1",
+    "packages/ide/jetbrains": "2.0.0-alpha.1",
+    "packages/language": "2.0.0-alpha.1",
+    "packages/misc/redwood": "2.0.0-alpha.1",
+    "packages/plugins/openapi": "2.0.0-alpha.1",
+    "packages/plugins/swr": "2.0.0-alpha.1",
+    "packages/plugins/tanstack-query": "2.0.0-alpha.1",
+    "packages/plugins/trpc": "2.0.0-alpha.1",
+    "packages/runtime": "2.0.0-alpha.1",
+    "packages/sdk": "2.0.0-alpha.1",
+    "packages/server": "2.0.0-alpha.1",
+    "packages/testtools": "2.0.0-alpha.1"
+}

.github/release/release-main-config.json

@@ -0,0 +1,60 @@
+{
+  "packages": {
+    ".": {
+      "package-name": "zenstack-monorepo",
+      "component": "Monorepo"
+    },
+    "packages/ide/jetbrains": {
+      "package-name": "jetbrains",
+      "component": "JetBrains_IDE"
+    },
+    "packages/language": {
+      "package-name": "@zenstackhq/language",
+      "component": "Language"
+    },
+    "packages/misc/redwood": {
+      "package-name": "@zenstackhq/redwood",
+      "component": "Redwood"
+    },
+    "packages/plugins/openapi": {
+      "package-name": "@zenstackhq/openapi",
+      "component": "OpenAPI_Plugin"
+    },
+    "packages/plugins/swr": {
+      "package-name": "@zenstackhq/swr",
+      "component": "SWR_Plugin"
+    },
+    "packages/plugins/tanstack-query": {
+      "package-name": "@zenstackhq/tanstack-query",
+      "component": "Tanstack_Query_Plugin"
+    },
+    "packages/plugins/trpc": {
+      "package-name": "@zenstackhq/trpc",
+      "component": "tRPC_Plugin"
+    },
+    "packages/runtime": {
+      "package-name": "@zenstackhq/runtime",
+      "component": "Runtime"
+    },
+    "packages/sdk": {
+      "package-name": "@zenstackhq/sdk",
+      "component": "SDK"
+    },
+    "packages/server": {
+      "package-name": "@zenstackhq/server",
+      "component": "Server"
+    },
+    "packages/testtools": {
+      "package-name": "@zenstackhq/testtools",
+      "component": "Test_Tools"
+    }
+  },
+  "pull-request-footer": "This PR was generated by [Release-Please](https://github.com/googleapis/release-please), and approved by the ZenStack Team.",
+  "bump-minor-pre-major": true,
+  "bump-patch-for-minor-pre-major": true,
+  "sequential-calls": true,
+  "separate-pull-requests": true,
+  "versioning": "default",
+  "release-type": "node",
+  "$schema": "https://raw.githubusercontent.com/googleapis/release-please/main/schemas/config.json"
+}

.github/workflows/build-test.yml

@@ -8,8 +8,22 @@ env:
     DO_NOT_TRACK: '1'
 
 on:
-    pull_request:
-        branches: ['dev', 'main', 'v2']
+  merge_group:
+  push:
+    branches: 
+      - main
+      - dev
+      - release/*
+      - v2
+  pull_request:
+    branches: 
+      - main
+      - dev
+      - release/*
+      - v2
+
+permissions:
+  contents: read
 
 jobs:
     build-test:

.github/workflows/codeql.yml

@@ -0,0 +1,77 @@
+
+name: Security - CodeQL
+
+on:
+  merge_group:
+  push:
+    branches: 
+      - main
+      - dev
+      - release/*
+      - v2
+  pull_request:
+    branches: 
+      - main
+      - dev
+      - release/*
+      - v2
+  schedule:
+    - cron: "0 0 * * 1"
+
+permissions:
+  contents: read
+
+
+jobs:
+  analyze:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["javascript", "typescript"]
+        # CodeQL supports [ $supported-codeql-languages ]
+        # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0
+
+      # Initializes the CodeQL tools for scanning.
+      - name: Initialize CodeQL
+        uses: github/codeql-action/[email protected]
+        with:
+          languages: ${{ matrix.language }}
+          # If you wish to specify custom queries, you can do so here or in a config file.
+          # By default, queries listed here will override any specified in a config file.
+          # Prefix the list here with "+" to use these queries and those in the config file.
+
+      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+      # If this step fails, then you should remove it and run the build manually (see below)
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12
+
+      # ℹ️ Command-line programs to run using the OS shell.
+      # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+
+      #   If the Autobuild fails above, remove it and uncomment the following three lines.
+      #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
+
+      # - run: |
+      #   echo "Run, Build Application using script"
+      #   ./location_of_script_within_repo/buildscript.sh
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@1500a131381b66de0c52ac28abb13cd79f4b7ecc # v2.22.12
+        with:
+          category: "/language:${{matrix.language}}"

.github/workflows/management-changelog.yml

@@ -0,0 +1,66 @@
+
+
+
+on:
+  push:
+    branches:
+    - main # Your main branch
+    - dev # Your development branch
+    - release/* # Your releases branch
+    # - v2 # Your current v2 branch - disabled for now because I don't know if you want to have this tag on this branch or not -_- 
+    # TODO: Rename your V2 brach to release/v2 for proper versioning if you intend to use a Release branch method
+
+permissions:
+  contents: read
+
+name: Management - Release Workflow
+
+jobs:
+  release:
+    permissions:
+      contents: write
+      pull-requests: write
+    env:
+      GITHUB_TOKEN: ${{ secrets.BOT_TOKEN || github.token }} # Bot Token is a PAT for a automation account.
+    runs-on: ubuntu-latest
+    steps:
+      # Harden-Runner provides runtime security for GitHub-hosted and self-hosted environments.
+      - name: Harden Runner
+        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
+        with:
+          egress-policy: audit
+
+      # This tells you useful infomation about the workflow, but it's not required (hence commented out) - it's just nice to have
+      # - name: Workflow Telemetry
+      #   uses: catchpoint/workflow-telemetry-action@6705383eabd01833acfe8412ec697384830e1455 # v1.8.7
+      #   with: 
+      #     comment_on_pr: false
+      #     theme: dark
+      #     proc_trace_sys_enable: true
+
+      - uses: google-github-actions/release-please-action@v4
+        id: release
+        with:
+          config-file: '.github/release/release-main-config.json'
+          manifest-file: '.github/release/.release-manifest.json'
+          target-branch: ${{ github.ref_name == 'dev' && 'main' || github.ref_name }}
+          include-component-in-tag: true
+
+      - uses: actions/checkout@v4
+        if: ${{ steps.release.outputs.release_created }}
+
+      - uses: actions/setup-node@v4
+        if: ${{ steps.release.outputs.release_created }}
+        with:
+          node-version: 12
+          registry-url: 'https://registry.npmjs.org'
+
+      - run: pnpm i # Install using pnpm
+        if: ${{ steps.release.outputs.release_created }}
+
+      - run: pnpm publish-all # Publish using pre-defined pnpm script
+        if: ${{ steps.release.outputs.release_created }}
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+
+