From 1ac36e1b3420bb66cf13b8bf20c2d92efa84f33d Mon Sep 17 00:00:00 2001
From: Samuel Attard
Date: Mon, 30 Mar 2026 22:06:27 -0700
Subject: [PATCH] ci: use electron/semantic-trusted-release instead of npx
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Replaces unpinned npx semantic-release with the org-standard electron/semantic-trusted-release composite action. The previous invocation fetched semantic-release@latest from the registry on every release with publish credentials in scope. The .releaserc.json already matches what secret-service-action uses (commit-analyzer, release-notes-generator, github — all bundled with semantic-release core), so no config changes needed. Also: - drops the redundant setup-node step (the composite action has its own) - adds persist-credentials: false on checkout - adds pull-requests/issues write permissions for release comments
---
 .github/workflows/ci.yml | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a8615e9..17ba9c2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -41,14 +41,15 @@ jobs:
 needs: test-typescript
 if: github.ref == 'refs/heads/main'
 permissions:
- contents: write
+ contents: write # for making github release
+ pull-requests: write # for commenting release version
+ issues: write # for commenting release version
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- - name: Setup Node.js
- uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
 with:
- node-version: 20
- - run: npx semantic-release
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ persist-credentials: false
+ - name: Run semantic release
+ uses: electron/semantic-trusted-release@03517840010ba30fe5264f4875f4cff066b658d1 # v1.1.0
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
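Review bot: The release job's gate `if: github.ref == 'refs/heads/main'` checks only the ref, and with this change the job's token carries `contents`, `pull-requests` and `issues` write. The workflow's `on:` triggers and the job header are outside the hunk, so this is a hedge rather than a confirmed defect: if the workflow can also start from an event whose ref resolves to main without being a push (for example `workflow_dispatch`, `schedule` or `pull_request_target`), the release step would run there as well. Tightening the condition to `if: github.event_name == 'push' && github.ref == 'refs/heads/main'` keeps the write-scoped job tied to merges on main. A short comment on `persist-credentials: false`, such as `# keep the token out of .git/config; the release action receives it via github-token`, would match the comments added on the permission lines.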