
chore: Use node 24 and npm trusted publishing, and update cspell#3411

Merged
sachindshinde merged 9 commits into main from sachin/use-trusted-publishing-and-fix-cspell
Mar 17, 2026

Conversation


@sachindshinde sachindshinde commented Mar 14, 2026

This PR:

  • Adds an ignore rule to cspell for GHSA IDs.
  • Bumps node to v24 for the repo (which is bundled with npm v11), updating the lint CircleCI jobs and release GitHub action as well.
    • This is because npm trusted publishing requires at least npm v11.5.1.
  • Stops passing NPM_TOKEN to changesets/action in the release GitHub action.
    • Note that npm versions that support trusted publishing will ignore locally configured tokens when OIDC environment variables are present (which they are for GH actions, since we've set that up), so NPM_TOKEN would be ignored anyway. But the main reason for this change is to stop changesets/action from printing a misleading log message saying NPM_TOKEN has been placed into .npmrc (which, while true, will be ignored by npm publish).
    • Note that we still need to keep the NPM_TOKEN GitHub secret around to run any tag-changing scripts, as npm dist-tag sadly doesn't support OIDC yet (see npm/cli#8547, "Allow Trusted Publishers to run `npm dist-tag add`", for discussion). This means we'll need to manually rotate the token every 90 days.
  • Pins the transitive dev dependency @inquirer/external-editor to 1.0.0.
    • The gist is that npm v11.5.0 introduced a breaking change in how unused optional peer dependencies are handled with npm/cli#8431 ("fix: prune optional peer dependencies that are no longer explicitly depended on"; see the discussion there for details). Specifically, the change causes those dependencies to be removed from package-lock.json, and this will cause npm ci in earlier versions of npm to error, complaining about package-lock.json being out of sync with package.json. @inquirer/external-editor introduced such an optional peer dependency in 1.0.1, and the simplest fix here is to just fall back to 1.0.0.
  • Uses npm ci instead of npm i in the release GitHub action.
    • As a requirement for releasing (or filing a release PR), the package-lock.json should be aligned with the package.json.
  • Stops setting FEDERATION_VERSION in the release GitHub action since it's no longer used.
  • Sets the tag for npm publishes to the branch name for version-* branches.
    • Previously, it was the default of latest, which was causing backport releases to mistakenly change the latest tag (used when someone `npm i`s without a version number).
    • We also tightened the version-* branch pattern down to version-[0-9]+.[0-9]+ (since it's getting passed around in bash now).
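
Two checks a release job would run for the branch-to-tag and npm-version rules described in this PR, written here as an added example in POSIX sh; it is not code from the federation repository, and the function names, the `main` to `latest` mapping, and the anchored, dot-escaped form of the branch pattern are my assumptions.

```shell
#!/bin/sh
# Added example, not code from the federation repo. Two checks the PR
# description implies for a release job (names are my own):
# 1) Map the git branch to an npm dist-tag so a backport from a version-*
#    branch never lands on `latest`. The pattern follows the PR's
#    version-[0-9]+.[0-9]+, anchored and with the dot escaped (my tightening),
#    so a branch name that merely starts with version-2.12 is rejected.
# 2) Confirm the npm in use is at least 11.5.1, the minimum the PR cites for
#    trusted publishing, before relying on OIDC instead of NPM_TOKEN.

# Prints the dist-tag for BRANCH; returns 1 for any branch that must not publish.
npm_tag_for_branch() {
  branch=$1
  if [ "$branch" = main ]; then
    printf '%s\n' latest
  elif printf '%s\n' "$branch" | grep -Eq '^version-[0-9]+\.[0-9]+$'; then
    printf '%s\n' "$branch"
  else
    printf 'refusing to publish from branch %s\n' "$branch" >&2
    return 1
  fi
}

# Returns 0 if VERSION (e.g. the output of `npm --version`) is >= 11.5.1.
# A pre-release suffix such as 11.5.1-pre.0 is stripped before comparing.
npm_supports_trusted_publishing() {
  version=${1%%-*}
  IFS=. read -r maj min pat <<EOF
$version
EOF
  maj=${maj:-0}; min=${min:-0}; pat=${pat:-0}
  if [ "$maj" -gt 11 ]; then return 0; fi
  if [ "$maj" -eq 11 ] && [ "$min" -gt 5 ]; then return 0; fi
  if [ "$maj" -eq 11 ] && [ "$min" -eq 5 ] && [ "$pat" -ge 1 ]; then return 0; fi
  return 1
}

# Preflight for a release job: BRANCH and NPM_VERSION come from the CI
# environment. Prints the dist-tag to publish under, or fails closed.
release_preflight() {
  tag=$(npm_tag_for_branch "$1") || return 1
  npm_supports_trusted_publishing "$2" || {
    printf 'npm %s is too old for trusted publishing (need >= 11.5.1)\n' "$2" >&2
    return 1
  }
  printf '%s\n' "$tag"
}
```

In a workflow the tag would be passed on to the publish step, for example as the value of `npm publish --tag`, while the pre-flight failure stops the job before anything reaches the registry.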

@sachindshinde sachindshinde requested a review from a team as a code owner March 14, 2026 06:07

changeset-bot Bot commented Mar 14, 2026

⚠️ No Changeset found

Latest commit: 03de4ca

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



apollo-librarian Bot commented Mar 14, 2026

✅ Docs preview has no changes

The preview was not built because there were no changes.

Build ID: 733ab6543764c99b096dc87d

✅ AI Style Review — No Changes Detected

No MDX files were changed in this pull request.

This review is AI-generated. Please use common sense when accepting these suggestions, as they may not always be accurate or appropriate for your specific context.

@sachindshinde sachindshinde changed the title from "chore: Use node 24 and npm trusted publishing, and fix cspell" to "chore: Use node 24 and npm trusted publishing, and update cspell" Mar 14, 2026
@sachindshinde sachindshinde merged commit ba3175e into main Mar 17, 2026
15 checks passed
@sachindshinde sachindshinde deleted the sachin/use-trusted-publishing-and-fix-cspell branch March 17, 2026 20:13
sachindshinde added a commit that referenced this pull request Mar 19, 2026
…kport of #3411 for 2.12) (#3414)

This PR is a backport of #3411 for the `version-2.12` branch. Specifically, this PR:
- Adds an ignore rule to cspell for GHSA IDs.
- Bumps `actions/checkout` to v4 and adds OIDC/changesets permissions in the release GitHub action.
- Bumps node to v24 for the repo (which is bundled with npm v11), updating the lint CircleCI jobs and release GitHub action as well.
  - This is because npm trusted publishing requires at least npm v11.5.1.
- Bumps the npm constraint in `engines` in `package.json` to `<12` (to allow running npm v11).
- Runs the test CircleCI jobs for node v24 and latest.
  - The job was previously installing npm v9 because node v14's bundled npm version was too low to support the `package-lock.json`, but it was doing this for all node versions. We've now changed this to only happen for node v14.
- Stops passing `NPM_TOKEN` to `changesets/action` in the release GitHub action.
  - Note that npm versions that support trusted publishing will [ignore locally configured tokens when OIDC environment variables are present](https://github.com/npm/cli/blob/8afa3bd21461c0984caf1bcc2e486c4881bda516/lib/utils/oidc.js#L141) (which they are for GH actions, since we've set that up), so `NPM_TOKEN` would be ignored anyway. But the main reason for this change is to stop `changesets/action` from printing a misleading log message saying `NPM_TOKEN` has been placed into `.npmrc` (which, while true, will be ignored by `npm publish`).
  - Note that we still need to keep the `NPM_TOKEN` GitHub secret around to run any tag-changing scripts, as `npm dist-tag` sadly doesn't support OIDC yet (see npm/cli#8547 for discussion). This means we'll need to manually rotate the token every 90 days.
- Uses `npm ci` instead of `npm i` in the release GitHub action.
  - As a requirement for releasing (or filing a release PR), the `package-lock.json` should be aligned with the `package.json`.
- Stops setting `FEDERATION_VERSION` in the release GitHub action since it's no longer used.
- Sets the tag for npm publishes to the branch name for `version-*` branches.
  - Previously, it was the default of `latest`, which was causing backport releases to mistakenly change the `latest` tag (used when someone `npm i`s without a version number).
  - We also tightened the `version-*` branch pattern down to `version-[0-9]+.[0-9]+` (since it's getting passed around in bash now).
sachindshinde added a commit that referenced this pull request Mar 19, 2026
…kport of #3411 for 2.11) (#3415)

This PR is a backport of #3411 for the `version-2.11` branch. Specifically, this PR:
- Adds an ignore rule to cspell for GHSA IDs.
- Backports the node orb version bump and lint CircleCI jobs from `main` (previously using `node/run`).
- Bumps `actions/checkout` to v4 and adds OIDC/changesets permissions in the release GitHub action.
- Bumps node to v24 for the repo (which is bundled with npm v11), updating the lint CircleCI jobs and release GitHub action as well.
  - This is because npm trusted publishing requires at least npm v11.5.1.
- Bumps the npm constraint in `engines` in `package.json` to `<12` (to allow running npm v11).
- Runs the test CircleCI jobs for node v22, v24, and latest.
  - The job was previously installing npm v9 because node v14's bundled npm version was too low to support the `package-lock.json`, but it was doing this for all node versions. We've now changed this to only happen for node v14.
- Stops passing `NPM_TOKEN` to `changesets/action` in the release GitHub action.
  - Note that npm versions that support trusted publishing will [ignore locally configured tokens when OIDC environment variables are present](https://github.com/npm/cli/blob/8afa3bd21461c0984caf1bcc2e486c4881bda516/lib/utils/oidc.js#L141) (which they are for GH actions, since we've set that up), so `NPM_TOKEN` would be ignored anyway. But the main reason for this change is to stop `changesets/action` from printing a misleading log message saying `NPM_TOKEN` has been placed into `.npmrc` (which, while true, will be ignored by `npm publish`).
  - Note that we still need to keep the `NPM_TOKEN` GitHub secret around to run any tag-changing scripts, as `npm dist-tag` sadly doesn't support OIDC yet (see npm/cli#8547 for discussion). This means we'll need to manually rotate the token every 90 days.
- Uses `npm ci` instead of `npm i` in the release GitHub action.
  - As a requirement for releasing (or filing a release PR), the `package-lock.json` should be aligned with the `package.json`.
- Stops setting `FEDERATION_VERSION` in the release GitHub action since it's no longer used.
- Sets the tag for npm publishes to the branch name for `version-*` branches.
  - Previously, it was the default of `latest`, which was causing backport releases to mistakenly change the `latest` tag (used when someone `npm i`s without a version number).
  - We also tightened the `version-*` branch pattern down to `version-[0-9]+.[0-9]+` (since it's getting passed around in bash now).
sachindshinde added a commit that referenced this pull request Mar 19, 2026
…kport of #3411 for 2.10) (#3416)

This PR is a backport of #3411 for the `version-2.10` branch. Specifically, this PR:
- Adds an ignore rule to cspell for GHSA IDs.
- Backports the node orb version bump and lint CircleCI jobs from `main` (previously using `node/run`).
- Bumps `actions/checkout` to v4 and adds OIDC/changesets permissions in the release GitHub action.
- Bumps node to v24 for the repo (which is bundled with npm v11), updating the lint CircleCI jobs and release GitHub action as well.
  - This is because npm trusted publishing requires at least npm v11.5.1.
- Bumps the npm constraint in `engines` in `package.json` to `<12` (to allow running npm v11).
- Runs the test CircleCI jobs for node v22, v24, and latest.
  - The job was previously installing npm v9 because node v14's bundled npm version was too low to support the `package-lock.json`, but it was doing this for all node versions. We've now changed this to only happen for node v14.
- Stops passing `NPM_TOKEN` to `changesets/action` in the release GitHub action.
  - Note that npm versions that support trusted publishing will [ignore locally configured tokens when OIDC environment variables are present](https://github.com/npm/cli/blob/8afa3bd21461c0984caf1bcc2e486c4881bda516/lib/utils/oidc.js#L141) (which they are for GH actions, since we've set that up), so `NPM_TOKEN` would be ignored anyway. But the main reason for this change is to stop `changesets/action` from printing a misleading log message saying `NPM_TOKEN` has been placed into `.npmrc` (which, while true, will be ignored by `npm publish`).
  - Note that we still need to keep the `NPM_TOKEN` GitHub secret around to run any tag-changing scripts, as `npm dist-tag` sadly doesn't support OIDC yet (see npm/cli#8547 for discussion). This means we'll need to manually rotate the token every 90 days.
- Uses `npm ci` instead of `npm i` in the release GitHub action.
  - As a requirement for releasing (or filing a release PR), the `package-lock.json` should be aligned with the `package.json`.
- Removes the `federation-rs` step in the release GitHub action, as this is no longer necessary in the release process.
  - We also stop setting `FEDERATION_VERSION`, since it's no longer used.
- Sets the tag for npm publishes to the branch name for `version-*` branches.
  - Previously, it was the default of `latest`, which was causing backport releases to mistakenly change the `latest` tag (used when someone `npm i`s without a version number).
  - We also tightened the `version-*` branch pattern down to `version-[0-9]+.[0-9]+` (since it's getting passed around in bash now).
sachindshinde added a commit that referenced this pull request Mar 19, 2026
…kport of #3411 for 2.9) (#3417)

This PR is a backport of #3411 for the `version-2.10` branch. Specifically, this PR:
- Adds an ignore rule to cspell for GHSA IDs.
- Backports the node orb version bump and lint CircleCI jobs from `main` (previously using `node/run`).
- Bumps `actions/checkout` to v4 and adds OIDC/changesets permissions in the release GitHub action.
- Bumps node to v24 for the repo (which is bundled with npm v11), updating the lint CircleCI jobs and release GitHub action as well.
  - This is because npm trusted publishing requires at least npm v11.5.1.
- Bumps the npm constraint in `engines` in `package.json` to `<12` (to allow running npm v11).
- Runs the test CircleCI jobs for node v22, v24, and latest.
  - The job was previously installing npm v9 because node v14's bundled npm version was too low to support the `package-lock.json`, but it was doing this for all node versions. We've now changed this to only happen for node v14.
- Stops passing `NPM_TOKEN` to `changesets/action` in the release GitHub action.
  - Note that npm versions that support trusted publishing will [ignore locally configured tokens when OIDC environment variables are present](https://github.com/npm/cli/blob/8afa3bd21461c0984caf1bcc2e486c4881bda516/lib/utils/oidc.js#L141) (which they are for GH actions, since we've set that up), so `NPM_TOKEN` would be ignored anyway. But the main reason for this change is to stop `changesets/action` from printing a misleading log message saying `NPM_TOKEN` has been placed into `.npmrc` (which, while true, will be ignored by `npm publish`).
  - Note that we still need to keep the `NPM_TOKEN` GitHub secret around to run any tag-changing scripts, as `npm dist-tag` sadly doesn't support OIDC yet (see npm/cli#8547 for discussion). This means we'll need to manually rotate the token every 90 days.
- Uses `npm ci` instead of `npm i` in the release GitHub action.
  - As a requirement for releasing (or filing a release PR), the `package-lock.json` should be aligned with the `package.json`.
- Removes the `federation-rs` step in the release GitHub action, as this is no longer necessary in the release process.
  - We also stop setting `FEDERATION_VERSION`, since it's no longer used.
- Sets the tag for npm publishes to the branch name for `version-*` branches.
  - Previously, it was the default of `latest`, which was causing backport releases to mistakenly change the `latest` tag (used when someone `npm i`s without a version number).
  - We also tightened the `version-*` branch pattern down to `version-[0-9]+.[0-9]+` (since it's getting passed around in bash now).
- Backports #3195, which removes security CircleCI jobs (they've been replaced with a GitHub app).