From ff5559c3a45a1f177e60809415a127920b9128d5 Mon Sep 17 00:00:00 2001 From: sanand Date: Wed, 24 Jun 2026 11:11:34 +0530 Subject: [PATCH 1/6] oidc setup for publish --- .github/workflows/manual_public_release.yaml | 1 - .github/workflows/~reusable_public_publish.yaml | 7 ++++--- .github/workflows/~reusable_publish.yaml | 7 ++++--- .npmrc | 1 + 4 files changed, 9 insertions(+), 7 deletions(-) diff --git a/.github/workflows/manual_public_release.yaml b/.github/workflows/manual_public_release.yaml index 87f4adbca..6818c14ca 100644 --- a/.github/workflows/manual_public_release.yaml +++ b/.github/workflows/manual_public_release.yaml @@ -22,7 +22,6 @@ jobs: BRANCH: main ENVIRONMENT: public_release secrets: - NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }} SLACK_WEB_HOOK: ${{ secrets.SLACK_WEB_HOOK }} G_TOKEN: ${{ secrets.GITHUB_TOKEN }} APP_ID: ${{ secrets.APP_ID }} diff --git a/.github/workflows/~reusable_public_publish.yaml b/.github/workflows/~reusable_public_publish.yaml index 46d15aa30..8c19ca5e3 100644 --- a/.github/workflows/~reusable_public_publish.yaml +++ b/.github/workflows/~reusable_public_publish.yaml @@ -19,8 +19,6 @@ on: type: string default: alpha_release secrets: - NODE_AUTH_TOKEN: - required: true SLACK_WEB_HOOK: required: true G_TOKEN: @@ -34,6 +32,9 @@ jobs: publish: runs-on: ubuntu-22.04 environment: ${{ inputs.ENVIRONMENT }} + permissions: + id-token: write # Required for OIDC authentication to npm + contents: write # Required for git operations steps: - uses: actions/create-github-app-token@v3 id: get_app_token @@ -71,7 +72,7 @@ jobs: BRANCH: ${{ inputs.BRANCH }} NODE_OPTIONS: --no-experimental-fetch CI: '' - NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }} + # OIDC authentication - no NODE_AUTH_TOKEN needed for public npm registry - name: Retrieve Version id: publicVersion run: | diff --git a/.github/workflows/~reusable_publish.yaml b/.github/workflows/~reusable_publish.yaml index 8ce1f3736..a318a1adf 100644 --- a/.github/workflows/~reusable_publish.yaml +++ b/.github/workflows/~reusable_publish.yaml @@ -19,8 +19,6 @@ on: type: string default: alpha_release secrets: - NODE_AUTH_TOKEN: - required: true SLACK_WEB_HOOK: required: true @@ -28,6 +26,9 @@ jobs: publish: runs-on: ubuntu-22.04 environment: ${{ inputs.ENVIRONMENT }} + permissions: + id-token: write # Required for OIDC authentication to npm + contents: read # Required for checkout steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v3 @@ -47,7 +48,7 @@ jobs: BRANCH: ${{ inputs.BRANCH }} NODE_OPTIONS: --no-experimental-fetch CI: "" - NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }} + # OIDC authentication - no NODE_AUTH_TOKEN needed for public npm registry - name: Slack Notification uses: rtCamp/action-slack-notify@v2 env: diff --git a/.npmrc b/.npmrc index 55163311b..95d13ed81 100644 --- a/.npmrc +++ b/.npmrc @@ -1 +1,2 @@ message=":bookmark: Release v%s" +registry=https://npmjs.artifacts.twilio.com/artifactory/api/npm/virtual-npm-thirdparty/ \ No newline at end of file From 499b64a5ff14fdd2b8c89cf4822cd7a1769f6b2c Mon Sep 17 00:00:00 2001 From: sanand Date: Tue, 30 Jun 2026 15:07:04 +0530 Subject: [PATCH 2/6] update runner --- .github/workflows/~reusable_e2e_all_OS.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/~reusable_e2e_all_OS.yaml b/.github/workflows/~reusable_e2e_all_OS.yaml index 967cf01a5..5a2109fe3 100644 --- a/.github/workflows/~reusable_e2e_all_OS.yaml +++ b/.github/workflows/~reusable_e2e_all_OS.yaml @@ -90,7 +90,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ ubuntu-22.04, windows-latest, macos-latest ] + os: [ twilio-internal-ubuntu-latest-slim ] uses: ./.github/workflows/~reusable_e2e_by_OS.yaml with: OS: ${{ matrix.os }} From a7cf12c147e4280da84a29d783dd18392fbc13fa Mon Sep 17 00:00:00 2001 From: sanand Date: Tue, 30 Jun 2026 15:21:08 +0530 Subject: [PATCH 3/6] update runner --- .github/workflows/pr_e2e.yaml | 4 ++-- .github/workflows/pr_workflow.yaml | 2 +- .github/workflows/skip_pr_workflow.yaml | 2 +- .github/workflows/skip_publish.yaml | 2 +- .github/workflows/tag.yaml | 2 +- .github/workflows/~reusable_e2e_by_OS.yaml | 2 +- .github/workflows/~reusable_publish.yaml | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/pr_e2e.yaml b/.github/workflows/pr_e2e.yaml index e4ee21ae1..8305bd5f2 100644 --- a/.github/workflows/pr_e2e.yaml +++ b/.github/workflows/pr_e2e.yaml @@ -7,7 +7,7 @@ on: jobs: get-version: if: ${{ (github.event.label.name == vars.E2E_LABEL) || (github.event.label.name == vars.PUBLISH_AND_E2E_LABEL) }} - runs-on: ubuntu-22.04 + runs-on: twilio-internal-ubuntu-latest-slim outputs: branch: ${{ steps.extractBranch.outputs.branch }} version: ${{ steps.alphaVersion.outputs.version }} @@ -69,7 +69,7 @@ jobs: remove-label-on-failure: needs: e2e-test if: always() - runs-on: ubuntu-22.04 + runs-on: twilio-internal-ubuntu-latest-slim steps: - uses: actions-ecosystem/action-remove-labels@v1 if: needs.e2e-test.result != 'success' diff --git a/.github/workflows/pr_workflow.yaml b/.github/workflows/pr_workflow.yaml index 4ad6546d1..d6e210db5 100644 --- a/.github/workflows/pr_workflow.yaml +++ b/.github/workflows/pr_workflow.yaml @@ -18,7 +18,7 @@ on: jobs: build-and-test: - runs-on: ubuntu-22.04 + runs-on: twilio-internal-ubuntu-latest-slim steps: - uses: actions/checkout@v4 - uses: actions/setup-node@v3 diff --git a/.github/workflows/skip_pr_workflow.yaml b/.github/workflows/skip_pr_workflow.yaml index 154c96b69..3540a8f7f 100644 --- a/.github/workflows/skip_pr_workflow.yaml +++ b/.github/workflows/skip_pr_workflow.yaml @@ -14,7 +14,7 @@ on: jobs: build-and-test: - runs-on: ubuntu-22.04 + runs-on: twilio-internal-ubuntu-latest-slim steps: - run: echo "Test execution not required. Passing status check" release-alpha-version: diff --git a/.github/workflows/skip_publish.yaml b/.github/workflows/skip_publish.yaml index 7ba5ec764..a15dcc3a5 100644 --- a/.github/workflows/skip_publish.yaml +++ b/.github/workflows/skip_publish.yaml @@ -3,6 +3,6 @@ on: jobs: publish: - runs-on: ubuntu-22.04 + runs-on: twilio-internal-ubuntu-latest-slim steps: - run: echo "Skip Publish, Passing status check" \ No newline at end of file diff --git a/.github/workflows/tag.yaml b/.github/workflows/tag.yaml index 6ff2d002b..8c531f867 100644 --- a/.github/workflows/tag.yaml +++ b/.github/workflows/tag.yaml @@ -3,7 +3,7 @@ on: jobs: tag: - runs-on: ubuntu-22.04 + runs-on: twilio-internal-ubuntu-latest-slim steps: - name: wait-job run: sleep 10s diff --git a/.github/workflows/~reusable_e2e_by_OS.yaml b/.github/workflows/~reusable_e2e_by_OS.yaml index e60f7966e..033adece3 100644 --- a/.github/workflows/~reusable_e2e_by_OS.yaml +++ b/.github/workflows/~reusable_e2e_by_OS.yaml @@ -184,7 +184,7 @@ jobs: path: packages/flex-plugin-e2e-tests/screenshots notify-failure: - runs-on: ubuntu-22.04 + runs-on: twilio-internal-ubuntu-latest-slim needs: node if: ${{ always() && inputs.SEND_NOTIFICATION }} steps: diff --git a/.github/workflows/~reusable_publish.yaml b/.github/workflows/~reusable_publish.yaml index a318a1adf..ff1c67c75 100644 --- a/.github/workflows/~reusable_publish.yaml +++ b/.github/workflows/~reusable_publish.yaml @@ -24,7 +24,7 @@ on: jobs: publish: - runs-on: ubuntu-22.04 + runs-on: twilio-internal-ubuntu-latest-slim environment: ${{ inputs.ENVIRONMENT }} permissions: id-token: write # Required for OIDC authentication to npm From b0466f7f16fb2d52fc64576507af73686c57ca3a Mon Sep 17 00:00:00 2001 From: sanand Date: Tue, 30 Jun 2026 16:43:34 +0530 Subject: [PATCH 4/6] update runner --- .github/workflows/pr_e2e.yaml | 6 +++--- .github/workflows/pr_workflow.yaml | 6 +++--- .github/workflows/tag.yaml | 2 +- .github/workflows/~reusable_e2e_by_OS.yaml | 8 ++++---- .github/workflows/~reusable_public_publish.yaml | 10 +++++----- .github/workflows/~reusable_publish.yaml | 6 +++--- 6 files changed, 19 insertions(+), 19 deletions(-) diff --git a/.github/workflows/pr_e2e.yaml b/.github/workflows/pr_e2e.yaml index 8305bd5f2..42c665fe9 100644 --- a/.github/workflows/pr_e2e.yaml +++ b/.github/workflows/pr_e2e.yaml @@ -12,8 +12,8 @@ jobs: branch: ${{ steps.extractBranch.outputs.branch }} version: ${{ steps.alphaVersion.outputs.version }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: '22' - name: Extract branch name @@ -71,7 +71,7 @@ jobs: if: always() runs-on: twilio-internal-ubuntu-latest-slim steps: - - uses: actions-ecosystem/action-remove-labels@v1 + - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1 if: needs.e2e-test.result != 'success' with: labels: ${{ github.event.label.name }} \ No newline at end of file diff --git a/.github/workflows/pr_workflow.yaml b/.github/workflows/pr_workflow.yaml index d6e210db5..6542c8bc1 100644 --- a/.github/workflows/pr_workflow.yaml +++ b/.github/workflows/pr_workflow.yaml @@ -20,8 +20,8 @@ jobs: build-and-test: runs-on: twilio-internal-ubuntu-latest-slim steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: '22' - name: Install project dependencies @@ -42,7 +42,7 @@ jobs: - name: Build packages run: npm run build - name: Codecov report - uses: codecov/codecov-action@v3 + uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3 with: token: ${{ secrets.CODECOV_TOKEN }} diff --git a/.github/workflows/tag.yaml b/.github/workflows/tag.yaml index 8c531f867..2cbe5ba89 100644 --- a/.github/workflows/tag.yaml +++ b/.github/workflows/tag.yaml @@ -8,7 +8,7 @@ jobs: - name: wait-job run: sleep 10s shell: bash - - uses: actions/checkout@v4 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 with: ref: main - name: Retrieve Version diff --git a/.github/workflows/~reusable_e2e_by_OS.yaml b/.github/workflows/~reusable_e2e_by_OS.yaml index 033adece3..aca4707e7 100644 --- a/.github/workflows/~reusable_e2e_by_OS.yaml +++ b/.github/workflows/~reusable_e2e_by_OS.yaml @@ -98,8 +98,8 @@ jobs: node: runs-on: ${{ inputs.OS }} steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: ${{ inputs.NODE_VERSION }} - name: Override localhost to IPv4 in Linux for Node 18 @@ -177,7 +177,7 @@ jobs: cd packages/flex-plugin-e2e-tests npm run start - name: Upload Screenshots - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 if: always() with: name: ${{ inputs.OS }}-screenshots @@ -189,7 +189,7 @@ jobs: if: ${{ always() && inputs.SEND_NOTIFICATION }} steps: - name: Slack Notification - uses: rtCamp/action-slack-notify@v2 + uses: rtCamp/action-slack-notify@33fa0808da52e41c8dcec3cc101c0027442ed173 # v2 env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} SLACK_COLOR: ${{ needs.node.result }} diff --git a/.github/workflows/~reusable_public_publish.yaml b/.github/workflows/~reusable_public_publish.yaml index 8c19ca5e3..3c2fc89ad 100644 --- a/.github/workflows/~reusable_public_publish.yaml +++ b/.github/workflows/~reusable_public_publish.yaml @@ -36,13 +36,13 @@ jobs: id-token: write # Required for OIDC authentication to npm contents: write # Required for git operations steps: - - uses: actions/create-github-app-token@v3 + - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3 id: get_app_token with: client-id: ${{ secrets.APP_ID }} private_key: ${{ secrets.APP_KEY }} - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: '22' registry-url: 'https://registry.npmjs.org' @@ -53,7 +53,7 @@ jobs: timeout 10m npm ci --verbose && break || echo "npm ci failed, retrying ($i/3)..." done - name: Slack Started Notification - uses: rtCamp/action-slack-notify@v2 + uses: rtCamp/action-slack-notify@33fa0808da52e41c8dcec3cc101c0027442ed173 # v2 env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} SLACK_COLOR: ${{ job.status }} @@ -79,7 +79,7 @@ jobs: echo "version=$(awk '/version/{gsub(/("|",)/,"",$2);print $2}' lerna.json)" echo "version=$(awk '/version/{gsub(/("|",)/,"",$2);print $2}' lerna.json)" >> "$GITHUB_OUTPUT" - name: Slack Completed Notification - uses: rtCamp/action-slack-notify@v2 + uses: rtCamp/action-slack-notify@33fa0808da52e41c8dcec3cc101c0027442ed173 # v2 env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} SLACK_COLOR: ${{ job.status }} diff --git a/.github/workflows/~reusable_publish.yaml b/.github/workflows/~reusable_publish.yaml index ff1c67c75..65b0a4467 100644 --- a/.github/workflows/~reusable_publish.yaml +++ b/.github/workflows/~reusable_publish.yaml @@ -30,8 +30,8 @@ jobs: id-token: write # Required for OIDC authentication to npm contents: read # Required for checkout steps: - - uses: actions/checkout@v4 - - uses: actions/setup-node@v3 + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 + - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 with: node-version: "22" registry-url: "https://registry.npmjs.org" @@ -50,7 +50,7 @@ jobs: CI: "" # OIDC authentication - no NODE_AUTH_TOKEN needed for public npm registry - name: Slack Notification - uses: rtCamp/action-slack-notify@v2 + uses: rtCamp/action-slack-notify@33fa0808da52e41c8dcec3cc101c0027442ed173 # v2 env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEB_HOOK }} SLACK_COLOR: ${{ job.status }} From 49ef63fb0fabff432feaf7503b52508e1bb4cb92 Mon Sep 17 00:00:00 2001 From: sanand Date: Tue, 30 Jun 2026 16:45:47 +0530 Subject: [PATCH 5/6] update runner --- .github/workflows/pr_workflow.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/pr_workflow.yaml b/.github/workflows/pr_workflow.yaml index 6542c8bc1..3bec6fb04 100644 --- a/.github/workflows/pr_workflow.yaml +++ b/.github/workflows/pr_workflow.yaml @@ -41,9 +41,9 @@ jobs: CI: "" - name: Build packages run: npm run build - - name: Codecov report - uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3 - with: - token: ${{ secrets.CODECOV_TOKEN }} + # - name: Codecov report + # uses: codecov/codecov-action@ab904c41d6ece82784817410c45d8b8c02684457 # v3 + # with: + # token: ${{ secrets.CODECOV_TOKEN }} \ No newline at end of file From 7babc25e86336ce9662e683b30e8ec08ccee9f5b Mon Sep 17 00:00:00 2001 From: sanand Date: Tue, 30 Jun 2026 17:08:38 +0530 Subject: [PATCH 6/6] update runner --- .github/workflows/pr_e2e.yaml | 4 ++-- .github/workflows/pr_workflow.yaml | 2 +- .github/workflows/skip_pr_workflow.yaml | 2 +- .github/workflows/skip_publish.yaml | 2 +- .github/workflows/tag.yaml | 2 +- .github/workflows/~reusable_e2e_all_OS.yaml | 2 +- .github/workflows/~reusable_e2e_by_OS.yaml | 2 +- .github/workflows/~reusable_publish.yaml | 2 +- 8 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/pr_e2e.yaml b/.github/workflows/pr_e2e.yaml index 42c665fe9..d5c048480 100644 --- a/.github/workflows/pr_e2e.yaml +++ b/.github/workflows/pr_e2e.yaml @@ -7,7 +7,7 @@ on: jobs: get-version: if: ${{ (github.event.label.name == vars.E2E_LABEL) || (github.event.label.name == vars.PUBLISH_AND_E2E_LABEL) }} - runs-on: twilio-internal-ubuntu-latest-slim + runs-on: ubuntu-latest-large outputs: branch: ${{ steps.extractBranch.outputs.branch }} version: ${{ steps.alphaVersion.outputs.version }} @@ -69,7 +69,7 @@ jobs: remove-label-on-failure: needs: e2e-test if: always() - runs-on: twilio-internal-ubuntu-latest-slim + runs-on: ubuntu-latest-large steps: - uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1 if: needs.e2e-test.result != 'success' diff --git a/.github/workflows/pr_workflow.yaml b/.github/workflows/pr_workflow.yaml index 3bec6fb04..12430c840 100644 --- a/.github/workflows/pr_workflow.yaml +++ b/.github/workflows/pr_workflow.yaml @@ -18,7 +18,7 @@ on: jobs: build-and-test: - runs-on: twilio-internal-ubuntu-latest-slim + runs-on: ubuntu-latest-large steps: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4 - uses: actions/setup-node@3235b876344d2a9aa001b8d1453c930bba69e610 # v3 diff --git a/.github/workflows/skip_pr_workflow.yaml b/.github/workflows/skip_pr_workflow.yaml index 3540a8f7f..a9efb9a4c 100644 --- a/.github/workflows/skip_pr_workflow.yaml +++ b/.github/workflows/skip_pr_workflow.yaml @@ -14,7 +14,7 @@ on: jobs: build-and-test: - runs-on: twilio-internal-ubuntu-latest-slim + runs-on: ubuntu-latest-large steps: - run: echo "Test execution not required. Passing status check" release-alpha-version: diff --git a/.github/workflows/skip_publish.yaml b/.github/workflows/skip_publish.yaml index a15dcc3a5..1b3a9dba9 100644 --- a/.github/workflows/skip_publish.yaml +++ b/.github/workflows/skip_publish.yaml @@ -3,6 +3,6 @@ on: jobs: publish: - runs-on: twilio-internal-ubuntu-latest-slim + runs-on: ubuntu-latest-large steps: - run: echo "Skip Publish, Passing status check" \ No newline at end of file diff --git a/.github/workflows/tag.yaml b/.github/workflows/tag.yaml index 2cbe5ba89..9ae02e7cf 100644 --- a/.github/workflows/tag.yaml +++ b/.github/workflows/tag.yaml @@ -3,7 +3,7 @@ on: jobs: tag: - runs-on: twilio-internal-ubuntu-latest-slim + runs-on: ubuntu-latest-large steps: - name: wait-job run: sleep 10s diff --git a/.github/workflows/~reusable_e2e_all_OS.yaml b/.github/workflows/~reusable_e2e_all_OS.yaml index 5a2109fe3..69794a3a4 100644 --- a/.github/workflows/~reusable_e2e_all_OS.yaml +++ b/.github/workflows/~reusable_e2e_all_OS.yaml @@ -90,7 +90,7 @@ jobs: strategy: fail-fast: false matrix: - os: [ twilio-internal-ubuntu-latest-slim ] + os: [ ubuntu-latest-large, windows-latest-large, macos-latest-large ] uses: ./.github/workflows/~reusable_e2e_by_OS.yaml with: OS: ${{ matrix.os }} diff --git a/.github/workflows/~reusable_e2e_by_OS.yaml b/.github/workflows/~reusable_e2e_by_OS.yaml index aca4707e7..f054a6ec5 100644 --- a/.github/workflows/~reusable_e2e_by_OS.yaml +++ b/.github/workflows/~reusable_e2e_by_OS.yaml @@ -184,7 +184,7 @@ jobs: path: packages/flex-plugin-e2e-tests/screenshots notify-failure: - runs-on: twilio-internal-ubuntu-latest-slim + runs-on: ubuntu-latest-large needs: node if: ${{ always() && inputs.SEND_NOTIFICATION }} steps: diff --git a/.github/workflows/~reusable_publish.yaml b/.github/workflows/~reusable_publish.yaml index 65b0a4467..8b8d2334b 100644 --- a/.github/workflows/~reusable_publish.yaml +++ b/.github/workflows/~reusable_publish.yaml @@ -24,7 +24,7 @@ on: jobs: publish: - runs-on: twilio-internal-ubuntu-latest-slim + runs-on: ubuntu-latest-large environment: ${{ inputs.ENVIRONMENT }} permissions: id-token: write # Required for OIDC authentication to npm