autofixes from Etherpad checkPlugin.js

github-actions[bot] · github-actions[bot] · commit e8d158cf07e0 · 2026-04-07T17:26:46.000Z
diff --git a/.github/workflows/backend-tests.yml b/.github/workflows/backend-tests.yml
@@ -22,11 +22,11 @@ jobs:
           version: 1.0
       -
         name: Install etherpad core
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           repository: ether/etherpad-lite
           path: etherpad-lite
-      - uses: pnpm/action-setup@v5
+      - uses: pnpm/action-setup@v3
         name: Install pnpm
         with:
           version: 10
@@ -35,7 +35,7 @@ jobs:
         shell: bash
         run: |
           echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-      - uses: actions/cache@v5
+      - uses: actions/cache@v4
         name: Setup pnpm cache
         with:
           path: ${{ env.STORE_PATH }}
@@ -44,7 +44,7 @@ jobs:
             ${{ runner.os }}-pnpm-store-
       -
         name: Checkout plugin repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           path: plugin
       - name: Remove tests
@@ -62,6 +62,7 @@ jobs:
         name: Run the backend tests
         working-directory: ./etherpad-lite/src
         run: |
+          shopt -s globstar
           res=$(find ./plugin_packages -path "*/static/tests/backend/specs/*" 2>/dev/null | wc -l)
           if [ $res -eq 0 ]; then
           echo "No backend tests found"
diff --git a/.github/workflows/frontend-tests.yml b/.github/workflows/frontend-tests.yml
@@ -12,10 +12,10 @@ jobs:
     steps:
       -
         name: Check out Etherpad core
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           repository: ether/etherpad-lite
-      - uses: pnpm/action-setup@v5
+      - uses: pnpm/action-setup@v3
         name: Install pnpm
         with:
           version: 10
@@ -24,7 +24,7 @@ jobs:
         shell: bash
         run: |
           echo "STORE_PATH=$(pnpm store path --silent)" >> $GITHUB_ENV
-      - uses: actions/cache@v5
+      - uses: actions/cache@v4
         name: Setup pnpm cache
         with:
           path: ${{ env.STORE_PATH }}
@@ -33,7 +33,7 @@ jobs:
             ${{ runner.os }}-pnpm-store-
       -
         name: Check out the plugin
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4
         with:
           path: ./node_modules/__tmp
       -
diff --git a/.github/workflows/npmpublish.yml b/.github/workflows/npmpublish.yml
@@ -1,5 +1,10 @@
 # This workflow will run tests using node and then publish a package to the npm registry when a release is created
 # For more information see: https://help.github.com/actions/language-and-framework-guides/publishing-nodejs-packages
+#
+# Publishing uses npm Trusted Publishing (OIDC) — no NPM_TOKEN secret is
+# required. Each package must have a trusted publisher configured on npmjs.com
+# pointing at this workflow file. See:
+# https://docs.npmjs.com/trusted-publishers
 
 name: Node.js Package
 
@@ -9,11 +14,19 @@ on:
 jobs:
   publish-npm:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write   # for `git push --follow-tags` of the version bump
+      id-token: write   # for npm OIDC trusted publishing
     steps:
       - uses: actions/setup-node@v6
         with:
+          # OIDC trusted publishing needs npm >= 11.5.1, which requires
+          # Node >= 20.17.0. setup-node's `20` resolves to the latest
+          # 20.x, which satisfies that.
           node-version: 20
           registry-url: https://registry.npmjs.org/
+      - name: Upgrade npm to >=11.5.1 (required for trusted publishing)
+        run: npm install -g npm@latest
       - name: Check out Etherpad core
         uses: actions/checkout@v6
         with:
@@ -63,12 +76,10 @@ jobs:
       # already-used version number. By running `npm publish` after `git push`,
       # back-to-back merges will cause the first merge's workflow to fail but
       # the second's will succeed.
-      -
-        run: pnpm publish
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
-      #-
-      #  name: Add package to etherpad organization
-      #  run: pnpm access grant read-write etherpad:developers
-      #  env:
-      #    NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+      #
+      # Use `npm publish` directly (not `pnpm publish`) because OIDC trusted
+      # publishing requires npm CLI >= 11.5.1 and `pnpm publish` shells out to
+      # whichever `npm` is on PATH; calling `npm` directly avoids any shim
+      # ambiguity.
+      - name: Publish to npm via OIDC
+        run: npm publish --provenance --access public
diff --git a/.github/workflows/test-and-release.yml b/.github/workflows/test-and-release.yml
@@ -1,6 +1,11 @@
 name: Node.js Package
 on: [push]
 
+# id-token: write must be granted here so the reusable npmpublish workflow
+# can request an OIDC token for npm trusted publishing.
+permissions:
+  contents: write
+  id-token: write
 
 jobs:
   backend:
@@ -14,5 +19,8 @@ jobs:
     needs:
       - backend
       - frontend
+    permissions:
+      contents: write   # for the version bump push
+      id-token: write   # for npm OIDC trusted publishing
     uses: ./.github/workflows/npmpublish.yml
     secrets: inherit
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "ep_print",
   "description": "Support for printing, works cross browser, supports page breaks",
-  "version": "0.1.19",
+  "version": "0.1.20",
   "author": {
     "name": "johnyma22",
     "email": "john@mclear.co.uk",
@@ -22,7 +22,7 @@
   "devDependencies": {
     "eslint": "^8.57.1",
     "eslint-config-etherpad": "^4.0.4",
-    "typescript": "^6.0.2"
+    "typescript": "^5.9.3"
   },
   "scripts": {
     "lint": "eslint .",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
