fix: add provenance

.github/renovate.json

@@ -0,0 +1,14 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["github>sanity-io/renovate-config"],
+  "packageRules": [
+    {
+      "matchDepTypes": ["dependencies"],
+      "matchPackageNames": ["@portabletext/types", "@portabletext/react"],
+      "rangeStrategy": "bump",
+      "groupName": null,
+      "groupSlug": null,
+      "semanticCommitType": "fix"
+    }
+  ]
+}

.github/workflows/ci.yml

@@ -1,89 +1,81 @@
----
-  name: CI
+name: CI
 
-  # Workflow name based on selected inputs. Fallback to default Github naming when expression evaluates to empty string
-  run-name: >-
-    ${{
-      inputs.release && 'CI ➤ Publish to NPM' ||
-      ''
-    }}
+on:
+  push:
+    branches:
+      - alpha
+      - beta
+      - main
+  pull_request:
+    branches:
+      - alpha
+      - beta
+      - main
 
-  on:
-    pull_request:
-    push:
-      branches: [main]
-    workflow_dispatch:
-      inputs:
-        release:
-          description: 'Publish new release'
-          required: true
-          default: false
-          type: boolean
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
 
-  concurrency:
-    group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
-    cancel-in-progress: true
+permissions:
+  contents: read # for checkout
 
-  jobs:
-    build:
-      runs-on: ubuntu-latest
-      steps:
-        - uses: actions/checkout@v3
-        - uses: actions/setup-node@v3
-          with:
-            node-version: lts/*
-            cache: npm
-        - run: npm ci
-        - run: npm run prepublishOnly
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    name: Lint & Build
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: lts/*
+      - run: corepack enable && pnpm --version
+      - run: pnpm install
+      - run: pnpm type-check
+      - run: pnpm lint
+      - run: pnpm build
 
-    test:
-      needs: build
-      runs-on: ${{ matrix.os }}
-      strategy:
-        fail-fast: false
-        matrix:
-          os: [macos-latest, ubuntu-latest, windows-latest]
-          node: [lts/*]
-          include:
-            - os: ubuntu-latest
-              node: lts/-1
-            - os: ubuntu-latest
-              node: current
-      steps:
-        - name: Set git to use LF
-          if: matrix.os == 'windows-latest'
-          run: |
-            git config --global core.autocrlf false
-            git config --global core.eol lf
-        - uses: actions/checkout@v3
-        - uses: actions/setup-node@v3
-          with:
-            node-version: ${{ matrix.node }}
-            cache: npm
-        - run: npm i
-        - run: npm test
+  test:
+    runs-on: ${{ matrix.platform }}
+    name: Node.js ${{ matrix.node-version }} / ${{ matrix.platform }}
+    strategy:
+      fail-fast: false
+      matrix:
+        platform: [macos-latest, ubuntu-latest, windows-latest]
+        node-version: [lts/*]
+        include:
+          - platform: ubuntu-latest
+            node-version: current
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: corepack enable && pnpm --version
+      - run: pnpm install
+      - run: pnpm test
 
-    release:
-      needs: [build, test]
-      # only run if opt-in during workflow_dispatch
-      if: github.event.inputs.release == 'true'
-      runs-on: ubuntu-latest
-      steps:
-        - uses: actions/checkout@v3
-          with:
-            # Need to fetch entire commit history to
-            # analyze every commit since last release
-            fetch-depth: 0
-        - uses: actions/setup-node@v3
-          with:
-            node-version: lts/*
-            cache: npm
-        - run: npm ci
-          # Branches that will release new versions are defined in .releaserc.json
-        - run: npx semantic-release
-          # Don't allow interrupting the release step if the job is cancelled, as it can lead to an inconsistent state
-          # e.g. git tags were pushed but it exited before `npm publish`
-          if: always()
-          env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-            NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+  release:
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
+    name: 'Semantic release'
+    needs: [build, test]
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # Need to fetch entire commit history to
+          # analyze every commit since last release
+          fetch-depth: 0
+      - uses: actions/setup-node@v3
+        with:
+          node-version: lts/*
+      - run: corepack enable && pnpm --version
+      - run: pnpm install
+      # Branches that will release new versions are defined in "release" in "package.json"
+      - run: pnpm exec semantic-release
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}

.github/workflows/format-if-needed.yml

@@ -0,0 +1,41 @@
+---
+name: Auto format
+
+on:
+  push:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read # for checkout
+
+jobs:
+  run:
+    name: Can the code be formatted? 🤔
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-node@v3
+        with:
+          node-version: lts/*
+      - run: corepack enable && pnpm --version
+      - run: pnpm install --ignore-scripts
+      - run: pnpm format
+      - run: git restore .github/workflows
+      - uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1
+        id: generate-token
+        with:
+          app_id: ${{ secrets.ECOSCRIPT_APP_ID }}
+          private_key: ${{ secrets.ECOSCRIPT_APP_PRIVATE_KEY }}
+      - uses: peter-evans/create-pull-request@153407881ec5c347639a548ade7d8ad1d6740e38 # v5
+        with:
+          author: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
+          body: I ran `pnpm format` 🧑‍💻
+          branch: actions/format
+          commit-message: 'chore(format): 🤖 ✨'
+          labels: 🤖 bot
+          title: 'chore(format): 🤖 ✨'
+          token: ${{ steps.generate-token.outputs.token }}

.gitignore

@@ -50,3 +50,5 @@ yarn.lock
 
 # Compiled portable text
 /dist
+
+package-lock.json

.prettierignore

@@ -0,0 +1 @@
+pnpm-lock.yaml