ci.yml with OIDC trusted

.github/dependabot.yml

@@ -0,0 +1,16 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
+
+version: 2
+updates:
+  - package-ecosystem: "npm" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      # Check for updates to GitHub Actions every week
+      interval: "weekly"

.github/workflows/ci.yml

@@ -0,0 +1,103 @@
+# This workflow will do a clean install of node dependencies, build the source code and run tests across different versions of node
+# For more information see: https://help.github.com/actions/language-and-framework-guides/using-nodejs-with-github-actions
+
+name: CI
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [20, 22]
+
+    steps:
+      - uses: actions/checkout@v6
+      - name: Use Node.js ${{ matrix.node-version }}
+        uses: actions/setup-node@v6
+        with:
+          node-version: ${{ matrix.node-version }}
+      - run: npm ci
+      - run: npm run lint --if-present
+      - run: npm test
+      - run: npm run build --if-present
+      - name: Save build
+        if: matrix.node-version == 20
+        uses: actions/upload-artifact@v6
+        with:
+          name: build
+          path: |
+            .
+            !node_modules
+          retention-days: 1
+
+  dependabot:
+    name: 'Dependabot'
+    needs: build # After the E2E and build jobs, if one of them fails, it won't merge the PR.
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'}} # Detect that the PR author is dependabot
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --merge "$PR_URL" # Use Github CLI to merge automatically the PR
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+
+  npm-publish-build:
+      needs: build
+      runs-on: ubuntu-latest
+      permissions:
+        id-token: write
+        contents: read
+      steps:
+        - uses: actions/download-artifact@v7
+          with:
+            name: build
+        - uses: actions/setup-node@v6
+          with:
+            node-version: 20
+            registry-url: 'https://registry.npmjs.org'
+        - name: Update npm to latest (required for OIDC)
+          run: npm install -g npm@latest
+        - uses: rlespinasse/github-slug-action@v3.x
+        - name: Append commit hash to package version
+          run: 'sed -i -E "s/(\"version\": *\"[^\"]+)/\1-${GITHUB_SHA_SHORT}/" package.json'
+        - name: Disable pre- and post-publish actions
+          run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json'
+        - name: Publish to npm
+          if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
+          run: npm publish --tag ${{ env.GITHUB_REF_SLUG }}
+
+  npm-publish-latest:
+    needs: [build, npm-publish-build]
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    permissions:
+      id-token: write  # Required for OIDC
+      contents: read
+    steps:
+      - uses: actions/download-artifact@v7
+        with:
+          name: build
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 20
+          registry-url: 'https://registry.npmjs.org'
+      - name: Update npm to latest (required for OIDC)
+        run: npm install -g npm@latest
+      - name: Disable pre- and post-publish actions
+        run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json'
+      - name: Publish to npm
+        if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
+        run: npm publish --tag latest