Set main as default (openwallet-foundation#171)

Signed-off-by: Lukas.J.Han <lukas.j.han@gmail.com>
Signed-off-by: Mirko Mollik <mirko.mollik@fit.fraunhofer.de>
Signed-off-by: Lukas <Lukas@hopae.io>
Co-authored-by: Lukas.J.Han <lukas.j.han@gmail.com>
Co-authored-by: github-actions <github-actions@github.com>

.github/settings.yml

@@ -14,7 +14,7 @@ repository:
   homepage: https://sdjwt.js.org/
   # A comma-separated list of topics to set on the repository
   topics: sd-jwt, jwt
-  default_branch: next
+  default_branch: main
 
 # Labels: define labels for Issues and Pull Requests
 labels:

.github/workflows/build-test-publish-on-push-cached.yaml

@@ -1,16 +1,11 @@
 name: build-test-publish-on-push-cached
-on:
-  workflow_dispatch:
+on:  
   pull_request:
-    branches:
-      - 'main'
-      - 'next'
-      - 'unstable'
+    branches:      
+      - 'main'      
   push:
-    branches:
-      - 'main'
-      - 'next'
-      - 'unstable'
+    branches:      
+      - 'main'      
 
 jobs:
   build:
@@ -109,12 +104,12 @@ jobs:
           node-version: 20
           cache: 'pnpm'
         # we are not using the github action for biome, but the package.json script. this makes sure we are using the same versions.
-      - name: Run Biome
+      - name: Run Biome      
         run: pnpm run biome:ci
 
   # Only run this job when the push is on main, next or unstable
-  publish:
-    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/next' || github.ref == 'refs/heads/unstable')
+  publish:    
+    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
     # needs permissions to write tags to the repository
     permissions:
       contents: write
@@ -166,14 +161,6 @@ jobs:
           echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> .npmrc
           npm whoami
 
-      - name: 'Publish @latest when on main'
-        if: github.ref == 'refs/heads/main'
-        run: pnpm publish:latest
-
-      - name: 'Publish @next when on next'
+      - name: 'Publish next version'
         if: github.ref == 'refs/heads/next'
         run: pnpm publish:next
-
-      - name: 'Publish @unstable when on unstable branch'
-        if: github.ref == 'refs/heads/unstable'
-        run: pnpm publish:unstable

.github/workflows/release.yml

@@ -0,0 +1,185 @@
+name: release
+on:
+  workflow_dispatch:
+
+jobs:
+  check-author:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Check if user is in CODEOWNERS
+        id: check_user
+        run: |
+            CODEOWNERS_PATH="CODEOWNERS"
+            if [ ! -f "$CODEOWNERS_PATH" ]; then
+                echo "CODEOWNERS file not found."
+                exit 1            
+            fi
+            
+            # Extract GitHub usernames from CODEOWNERS file (assumes usernames, not emails or teams)
+            USERS=$(grep '@' $CODEOWNERS_PATH | sed -E 's/.*@([^ ]+).*/\1/' | tr '\n' ' ')
+            
+            # Check if the actor is in the list of users
+            if [[ ! " $USERS " =~ " ${{ github.actor }} " ]]; then
+                echo "Error: Actor ${{ github.actor }} is not listed in CODEOWNERS."
+                exit 1
+            else
+                echo "Actor ${{ github.actor }} is listed in CODEOWNERS."
+            fi
+  # we can add an approval stage with the environment so it can only be run when accepted by two authorized users.
+  build:
+    needs: check-author
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: pnpm/action-setup@v3
+        with:
+          version: 8
+      - run: pnpm add -g pnpm
+      - name: 'Setup Node.js with pnpm cache'
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'pnpm'
+
+      - run: pnpm install
+      - run: pnpm build
+      - name: 'Save build output'
+        uses: actions/cache/save@v4
+        with:
+          path: ${{ github.workspace }}
+          key: ${{ runner.os }}-build-${{ github.sha }}-${{ github.run_id }}
+
+  test:
+    needs: build
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: ['16.x', '18.x', '20.x']
+    steps:
+      - uses: pnpm/action-setup@v3
+        with:
+          version: 8
+      - run: pnpm add -g pnpm
+      - name: 'Restore build output'
+        uses: actions/cache/restore@v4
+        with:
+          path: ${{ github.workspace }}
+          key: ${{ runner.os }}-build-${{ github.sha }}-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-build-${{ github.sha }}
+          fail-on-cache-miss: true
+      - name: 'Setup Node.js with pnpm cache'
+        uses: actions/setup-node@v4
+        with:
+          node-version: ${{ matrix.node-version }}
+          cache: 'pnpm'
+      - name: 'Run node'
+        run: pnpm test
+      - uses: actions/upload-artifact@v4
+        # we are only uploading the 20 coverage report so we do not have to merge them in the next step.
+        if: matrix.node-version == '20.x'
+        with:
+          name: coverage-artifacts
+          path: coverage/
+
+  report-coverage:
+    runs-on: ubuntu-latest
+    needs: [test]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - uses: actions/download-artifact@v4
+        with:
+          name: coverage-artifacts
+          path: coverage
+      - uses: codecov/codecov-action@v4
+        with:
+          fail_ci_if_error: true
+        env:
+          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+
+  lint:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - uses: pnpm/action-setup@v3
+        with:
+          version: 8
+      - run: pnpm add -g pnpm
+      - name: 'Restore build output'
+        uses: actions/cache/restore@v4
+        with:
+          path: ${{ github.workspace }}
+          key: ${{ runner.os }}-build-${{ github.sha }}-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-build-${{ github.sha }}
+          fail-on-cache-miss: true
+      - name: 'Setup Node.js with pnpm cache'
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'pnpm'
+        # we are not using the github action for biome, but the package.json script. this makes sure we are using the same versions.
+      - name: Run Biome      
+        run: pnpm run biome:ci
+
+  publish:    
+    # needs permissions to write tags to the repository
+    permissions:
+      contents: write
+    needs:
+      - build
+      - test
+      - lint
+    env:
+      NPM_TOKEN: ${{secrets.NPM_TOKEN }}
+      NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN }}
+      GH_TOKEN: ${{secrets.GITHUB_TOKEN }}
+      GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN }}
+      GH_USER: github-actions
+      GH_EMAIL: github-actions@github.com
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{secrets.GITHUB_TOKEN }}
+      - uses: pnpm/action-setup@v3
+        with:
+          version: 8
+      - run: pnpm add -g pnpm
+      - name: 'Setup Node.js with pnpm cache'
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: 'pnpm'
+
+      - name: 'Restore build output'
+        uses: actions/cache/restore@v4
+        with:
+          path: ${{ github.workspace }}
+          key: ${{ runner.os }}-build-${{ github.sha }}-${{ github.run_id }}
+          restore-keys: ${{ runner.os }}-build-${{ github.sha }}
+          fail-on-cache-miss: true
+
+      - name: 'Setup git coordinates'
+        run: |
+          git remote set-url origin https://${{github.actor}}:${{secrets.GITHUB_TOKEN}}@github.com/${{ github.repository }}.git
+          git config user.name $GH_USER
+          git config user.email $GH_EMAIL
+
+      - name: 'Setup npm registry'
+        run: |
+          echo "@sd-jwt:registry=https://registry.npmjs.org/" > .npmrc
+          echo "registry=https://registry.npmjs.org/" >> .npmrc
+          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> .npmrc
+          npm whoami
+
+      - name: 'Publish latest version'        
+        run: pnpm publish:latest

CONTRIBUTING.md

@@ -42,3 +42,12 @@ We use GitHub issues to track public bugs. Report a bug by opening a new issue i
 - What you expected would happen
 - What actually happens
 - Notes (possibly including why you think this might be happening, or stuff you tried that didn't work)
+
+## Release procedure
+
+Each PR to the `main` branch has to pass the `build`, `test`, `lint` and `code coverage` steps from the CI. The PR also needs a review from one authorized person.
+All commits needs to be signed to pass the DCO check.
+
+After the PR is merged, a new `next` version is build and deployed to `npmjs` for all packages with the `next` tag.
+
+The release of a new version is done by running the `release` workflow manually. This workflow can only be triggered successfully by an authorized person that is listed inside the `CODEOWNERS` file. The test and coverage steps are executed again and the new version is published to `npmjs` for all packages with the `latest` tag. The version number is calculated based on the commits since the last release and the `semver` rules.

README.md

@@ -1,6 +1,7 @@
 ![Coverage](https://img.shields.io/codecov/c/github/openwallet-foundation-labs/sd-jwt-js)
 ![License](https://img.shields.io/github/license/openwallet-foundation-labs/sd-jwt-js.svg)
 ![NPM](https://img.shields.io/npm/v/%40sd-jwt%2Fcore)
+![NPM-Downloads](https://img.shields.io/endpoint?&url=https://runkit.io/thetarnav/combined-weekly-npm-downloads/1.0.3/@sd-jwt/core,@sd-jwt/types,@sd-jwt/decode,@sd-jwt/utils,@sd-jwt/sd-jwt-vc,@sd-jwt/crypto-nodejs,@sd-jwt/crypto-browser,@sd-jwt/hash&label=npm%20downloads&color=ff7724)
 ![Release](https://img.shields.io/github/v/release/openwallet-foundation-labs/sd-jwt-js)
 ![Stars](https://img.shields.io/github/stars/openwallet-foundation-labs/sd-jwt-js)