.commitlintrc

@@ -1,5 +1,5 @@
 {
 	"extends": [
-		"@insurgentlab/commitlint-config"
+		"@insurgent/commitlint-config"
 	]
 }

.github/renovate.json

@@ -16,7 +16,11 @@
 		"group:commitlintMonorepo"
 	],
 	"schedule": ["before 5am every weekday", "every weekend"],
-	"lockFileMaintenance": { "enabled": true, "automerge": true },
+	"lockFileMaintenance": {
+		"enabled": true,
+		"automerge": true,
+		"automergeType": "branch"
+	},
 	"labels": ["dependencies"],
 	"osvVulnerabilityAlerts": true,
 	"packageRules": [
@@ -46,8 +50,8 @@
 		},
 		{
 			"matchPackagePatterns": [
-				"@insurgentlab/conventional-changelog-preset",
-				"@insurgentlab/commitlint-config"
+				"@insurgent/conventional-changelog-preset",
+				"@insurgent/commitlint-config"
 			],
 			"groupName": "semantic-release related packages",
 			"matchUpdateTypes": ["digest", "patch", "minor", "major"]
@@ -67,7 +71,8 @@
 		{
 			"matchDepTypes": ["devDependencies"],
 			"matchUpdateTypes": ["minor", "patch"],
-			"automerge": true
+			"automerge": true,
+			"automergeType": "branch"
 		}
 	]
 }

.github/workflows/codeql.yml

@@ -30,7 +30,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -39,7 +39,7 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+        uses: github/codeql-action/init@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
         with:
           languages: ${{ matrix.language }}
           # If you wish to specify custom queries, you can do so here or in a config file.
@@ -49,7 +49,7 @@ jobs:
       # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
       # If this step fails, then you should remove it and run the build manually (see below)
       - name: Autobuild
-        uses: github/codeql-action/autobuild@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+        uses: github/codeql-action/autobuild@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
 
       # ℹ️ Command-line programs to run using the OS shell.
       # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -62,6 +62,6 @@ jobs:
       #   ./location_of_script_within_repo/buildscript.sh
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+        uses: github/codeql-action/analyze@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
         with:
           category: '/language:${{matrix.language}}'

.github/workflows/lint_pr_title.yml

@@ -16,16 +16,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
-      - uses: amannn/action-semantic-pull-request@c3cd5d1ea3580753008872425915e343e351ab54 # v5
+      - uses: amannn/action-semantic-pull-request@e9fabac35e210fea40ca5b14c0da95a099eff26f # v5
         id: lint_pr_title
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2
+      - uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2
         # When the previous steps fails, the workflow would stop. By adding this
         # condition you can continue the execution with the populated error message.
         if: always() && (steps.lint_pr_title.outputs.error_message != null)
@@ -44,7 +44,7 @@ jobs:
 
       # Delete a previous comment when the issue has been resolved
       - if: ${{ steps.lint_pr_title.outputs.error_message == null }}
-        uses: marocchino/sticky-pull-request-comment@efaaab3fd41a9c3de579aba759d2552635e590fd # v2
+        uses: marocchino/sticky-pull-request-comment@331f8f5b4215f0445d3c07b4967662a32a2d3e31 # v2
         with:
           header: pr-title-lint-error
           delete: true

.github/workflows/release.yml

@@ -1,4 +1,4 @@
-name: Test & Release
+name: Release
 
 on:
   push:
@@ -8,37 +8,42 @@ on:
       - '+([0-9])?(.{+([0-9]),x}).x'
 
 jobs:
-  lint-and-test:
+  test:
     uses: ./.github/workflows/test.yml
-    secrets: inherit
 
   release:
-    needs: lint-and-test
+    needs: test
 
     runs-on: ubuntu-latest
-    env:
-      node-version: 20.x
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - name: Checkout project
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           persist-credentials: false
-      - name: Use Node.js ${{ env.node-version }}
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
+
+      - name: Use Node.js LTS
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
         with:
-          node-version: ${{ env.node-version }}
+          node-version: 'lts/*'
+          cache: npm
+
       - name: Install packages
         run: npm ci
+
+      - name: Audit npm signatures
+        run: npm audit signatures
+
       - name: Build project
         run: npm run build
+
       - name: Run Semantic Release
-        run: npm run release
+        run: npx semantic-release
         env:
           GITHUB_TOKEN: ${{ secrets.CI_GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/scorecards.yml

@@ -31,7 +31,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -63,14 +63,14 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: 'Upload artifact'
-        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: SARIF file
           path: results.sarif
           retention-days: 5
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: 'Upload to code-scanning'
-        uses: github/codeql-action/upload-sarif@74483a38d39275f33fcff5f35b679b5ca4a26a99 # v2.22.5
+        uses: github/codeql-action/upload-sarif@8a470fddafa5cbb6266ee11b37ef4d8aae19c571 # v3.24.6
         with:
           sarif_file: results.sarif

.github/workflows/test.yml

@@ -1,44 +1,86 @@
-name: Lint & Test
+name: Test
 
 on:
-  workflow_call:
+  push:
+    branches:
+      - renovate/** # branches generated by https://github.com/apps/renovate
   pull_request:
     branches:
       - main
       - beta
       - '+([0-9])?(.{+([0-9]),x}).x'
+  workflow_call:
 
 permissions:
   contents: read
 
 jobs:
-  lint-and-test:
-    runs-on: ${{ matrix.os }}
+  # prevent duplicate checks on Renovate PRs
+  prevent-duplicate-checks:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: insurgent-lab/is-in-pr-action@129df59687402c4a9c81a9a9e88d7448cdbba541 # v0.2.0
+        id: isInPR
+    outputs:
+      should-run: ${{ !(steps.isInPR.outputs.result == 'true' && startsWith(github.ref, 'refs/heads/renovate/')) }}
+
+  test_matrix:
     strategy:
       matrix:
-        node: [16.x, 18.x, 20.x]
         os: [ubuntu-latest, windows-latest, macos-latest]
+        node: [16, 18, 20]
+
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 5
+
+    needs: prevent-duplicate-checks
+    if: ${{ needs.prevent-duplicate-checks.outputs.should-run == 'true' }}
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
         with:
           egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
 
       - name: Checkout project
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+
       - name: Use Node.js ${{ matrix.node }}
-        uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4
         with:
           node-version: ${{ matrix.node }}
           cache: 'npm'
+
       - name: Install packages
         run: npm ci
-      - name: Build project
-        run: npm run build
+
+      - name: Audit npm signatures
+        run: npm audit signatures
+
       - name: Check codestyle compliance
         run: npm run lint
+
+      - name: Build project
+        run: npm run build
+
       - name: Run tests
         run: npm run test
+
       - name: Run fuzz tests
         run: npm run test:fuzz
+
+  # separate job to set as required status check in branch protection
+  required_check:
+    runs-on: ubuntu-latest
+    needs:
+      - prevent-duplicate-checks
+      - test_matrix
+
+    if: ${{ !cancelled() && needs.prevent-duplicate-checks.outputs.should-run == 'true' }}
+    steps:
+      - name: All required jobs and matrix versions passed
+        if: ${{ !(contains(needs.*.result, 'failure')) }}
+        run: exit 0
+      - name: Some required jobs or matrix versions failed
+        if: ${{ contains(needs.*.result, 'failure') }}
+        run: exit 1

.releaserc

@@ -13,14 +13,14 @@
 		[
 			"@semantic-release/commit-analyzer",
 			{
-				"config": "@insurgentlab/conventional-changelog-preset",
-				"releaseRules": "@insurgentlab/conventional-changelog-preset/release-rules"
+				"config": "@insurgent/conventional-changelog-preset",
+				"releaseRules": "@insurgent/conventional-changelog-preset/release-rules"
 			}
 		],
 		[
 			"@semantic-release/release-notes-generator",
 			{
-				"config": "@insurgentlab/conventional-changelog-preset"
+				"config": "@insurgent/conventional-changelog-preset"
 			}
 		],
 		"@semantic-release/npm",