chore: Bump @npmcli/template-oss from 4.11.4 to 4.13.0 (#13)

* chore: Bump @npmcli/template-oss from 4.11.4 to 4.13.0 Bumps [@npmcli/template-oss](https://github.com/npm/template-oss) from 4.11.4 to 4.13.0. - [Release notes](https://github.com/npm/template-oss/releases) - [Changelog](https://github.com/npm/template-oss/blob/main/CHANGELOG.md) - [Commits](npm/template-oss@v4.11.4...v4.13.0) --- updated-dependencies: - dependency-name: "@npmcli/template-oss" dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * chore: postinstall for dependabot template-oss PR * chore: postinstall for dependabot template-oss PR --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: npm CLI robot <[email protected]> Co-authored-by: nlf <[email protected]>
npm · Apr 17, 2023 · f6eb29a · f6eb29a
1 parent b382ed4
commit f6eb29a
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 14 deletions.
diff --git a/.github/workflows/post-dependabot.yml b/.github/workflows/post-dependabot.yml
@@ -48,11 +48,11 @@ jobs:
         run: |
           dependabot_dir="${{ steps.metadata.outputs.directory }}"
           if [[ "$dependabot_dir" == "/" ]]; then
-            echo "::set-output name=workspace::-iwr"
+            echo "workspace=-iwr" >> $GITHUB_OUTPUT
           else
             # strip leading slash from directory so it works as a
             # a path to the workspace flag
-            echo "::set-output name=workspace::-w ${dependabot_dir#/}"
+            echo "workspace=-w ${dependabot_dir#/}" >> $GITHUB_OUTPUT
           fi
 
       - name: Apply Changes
@@ -61,7 +61,7 @@ jobs:
         run: |
           npm run template-oss-apply ${{ steps.flags.outputs.workspace }}
           if [[ `git status --porcelain` ]]; then
-            echo "::set-output name=changes::true"
+            echo "changes=true" >> $GITHUB_OUTPUT
           fi
           # This only sets the conventional commit prefix. This workflow can't reliably determine
           # what the breaking change is though. If a BREAKING CHANGE message is required then
@@ -71,7 +71,7 @@ jobs:
           else
             prefix='chore'
           fi
-          echo "::set-output name=message::$prefix: postinstall for dependabot template-oss PR"
+          echo "message=$prefix: postinstall for dependabot template-oss PR" >> $GITHUB_OUTPUT
 
       # This step will fail if template-oss has made any workflow updates. It is impossible
       # for a workflow to update other workflows. In the case it does fail, we continue

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -171,7 +171,7 @@ jobs:
           RELEASE_COMMENT_ID: ${{ needs.release.outputs.comment-id }}
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          npm exec --offline -- template-oss-release-manager --lockfile=false
+          npm exec --offline -- template-oss-release-manager --lockfile=false --publish=false
           npm run rp-pull-request --ignore-scripts --if-present
       - name: Commit
         id: commit
@@ -180,7 +180,7 @@ jobs:
         run: |
           git commit --all --amend --no-edit || true
           git push --force-with-lease
-          echo "::set-output  name=sha::$(git rev-parse HEAD)"
+          echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
       - name: Get Workflow Job
         uses: actions/github-script@v6
         if: steps.commit.outputs.sha
@@ -261,7 +261,7 @@ jobs:
           else
             result="success"
           fi
-          echo "::set-output name=result::$result"
+          echo "result=$result" >> $GITHUB_OUTPUT
       - name: Conclude Check
         uses: LouisBrunner/[email protected]
         if: needs.update.outputs.check-id && always()
@@ -368,15 +368,14 @@ jobs:
       - name: Get Needs Result
         id: needs-result
         run: |
-          result=""
           if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" ]]; then
             result="x"
           elif [[ "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then
             result="heavy_multiplication_x"
           else
             result="white_check_mark"
           fi
-          echo "::set-output name=result::$result"
+          echo "result=$result" >> $GITHUB_OUTPUT
       - name: Update Release PR Comment
         uses: actions/github-script@v6
         env:
@@ -397,7 +396,8 @@ jobs:
             if (updateComment) {
               console.log('Found comment to update:', JSON.stringify(updateComment, null, 2))
               let body = updateComment.body.replace(/Workflow run: :[a-z_]+:/, `Workflow run: :${RESULT}:`)
-              if (RESULT === 'x') {
+              const tagCodeowner = RESULT !== 'white_check_mark'
+              if (tagCodeowner) {
                 body += `\n\n:rotating_light:`
                 body += ` @npm/cli-team: The post-release workflow failed for this release.`
                 body += ` Manual steps may need to be taken after examining the workflow output`

diff --git a/SECURITY.md b/SECURITY.md
@@ -4,11 +4,10 @@ GitHub takes the security of our software products and services seriously, inclu
 
 If you believe you have found a security vulnerability in this GitHub-owned open source repository, you can report it to us in one of two ways. 
 
-If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly using [private vulnerability reporting](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability).
+If the vulnerability you have found is *not* [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) or if you do not wish to be considered for a bounty reward, please report the issue to us directly through [[email protected]](mailto:opensource-security@github.com).
 
 If the vulnerability you have found is [in scope for the GitHub Bug Bounty Program](https://bounty.github.com/#scope) and you would like for your finding to be considered for a bounty reward, please submit the vulnerability to us through [HackerOne](https://hackerone.com/github) in order to be eligible to receive a bounty award.
 
 **Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.**
 
 Thanks for helping make GitHub safe for everyone.
-
diff --git a/package.json b/package.json
@@ -24,15 +24,15 @@
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^4.0.1",
-    "@npmcli/template-oss": "4.11.4",
+    "@npmcli/template-oss": "4.13.0",
     "tap": "^16.3.2"
   },
   "engines": {
     "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.11.4"
+    "version": "4.13.0"
   },
   "tap": {
     "nyc-arg": [