Merge branch 'main' into v1

Author: GitHub Actions

.github/renovate.json5

@@ -7,7 +7,6 @@
     "github>microsoft/m365-renovate-config:scheduleNoisy"
   ],
 
-
   "ignorePresets": [
     // Ignore default semantic commit config (see packageRules below)
     ":semanticPrefixFixDepsChoreOthers",

.github/workflows/release.yml

@@ -13,15 +13,25 @@ concurrency:
 env:
   MAJOR_BRANCH: v1
 
+permissions:
+  actions: read
+
 jobs:
   release:
-    runs-on: ubuntu-latest
     # Only run this if it's a workflow_dispatch trigger or the CI workflow was successful
     if: ${{ github.event.workflow_run == null || github.event.workflow_run.conclusion == 'success' }}
+
+    runs-on: ubuntu-latest
+
+    # This environment contains secrets needed for publishing
+    environment: release
+
     steps:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
+          # Don't save creds in the git config (so it's easier to override later)
+          persist-credentials: false
 
       - name: Set up Node
         uses: actions/setup-node@v3
@@ -46,19 +56,30 @@ jobs:
         if: ${{ steps.shouldRelease.outputs.shouldRelease == 'yes' }}
         run: |
           set -x
-          git config user.name "GitHub Workflow"
+
+          # Get the existing remote URL without creds, and use a trap (like try/finally)
+          # to restore it after this step finishes
+          trap "git remote set-url origin '$(git remote get-url origin)'" EXIT
+
+          # Add a token to the remote URL for auth during release
+          git remote set-url origin "https://[email protected]/$GITHUB_REPOSITORY"
+
+          git config user.name "GitHub Actions"
           git config user.email "not provided"
-          git checkout $MAJOR_BRANCH
+
+          git checkout "$MAJOR_BRANCH"
           git merge main --no-edit -Xtheirs
           git push origin main
+        env:
+          REPO_PAT: ${{ secrets.REPO_PAT }}
 
       - name: Release from ${{ env.MAJOR_BRANCH }}
         if: ${{ steps.shouldRelease.outputs.shouldRelease == 'yes' }}
         run: |
           set -x
           yarn check-token "$GH_TOKEN"
-          GITHUB_REF=refs/heads/$MAJOR_BRANCH yarn release
+          GITHUB_REF="refs/heads/$MAJOR_BRANCH" yarn release
         env:
-          GH_TOKEN: ${{ secrets.TOKEN_RELEASE }}
-          GIT_AUTHOR_NAME: GitHub Workflow
+          GH_TOKEN: ${{ secrets.REPO_PAT }}
+          GIT_AUTHOR_NAME: GitHub Actions
           GIT_AUTHOR_EMAIL: not provided

README.md

@@ -323,7 +323,7 @@ Group D3 updates (except when initially pinning).
 
 #### `groupEslint`
 
-Group all eslint-related updates (except when initially pinning).
+Group and schedule all eslint-related updates (except when initially pinning).
 
 <details><summary><b>Show config JSON</b></summary>
 
@@ -333,7 +333,8 @@ Group all eslint-related updates (except when initially pinning).
     {
       "groupName": "eslint packages",
       "matchPackagePatterns": ["eslint"],
-      "matchUpdateTypes": ["major", "minor", "patch", "bump", "digest"]
+      "matchUpdateTypes": ["major", "minor", "patch", "bump", "digest"],
+      "schedule": ["before 8am on Monday"]
     }
   ]
 }

groupEslint.json

@@ -1,13 +1,14 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 
-  "description": "Group all eslint-related updates (except when initially pinning).",
+  "description": "Group and schedule all eslint-related updates (except when initially pinning).",
 
   "packageRules": [
     {
       "groupName": "eslint packages",
       "matchPackagePatterns": ["eslint"],
-      "matchUpdateTypes": ["major", "minor", "patch", "bump", "digest"]
+      "matchUpdateTypes": ["major", "minor", "patch", "bump", "digest"],
+      "schedule": ["before 8am on Monday"]
     }
   ]
 }

package.json

@@ -14,27 +14,27 @@
     "format": "prettier --write .",
     "lint": "node ./scripts/lintPresets.js",
     "prepare": "husky install",
-    "release": "semantic-release",
+    "release": "HUSKY=0 semantic-release",
     "test:basic": "node ./scripts/testPresetsBasic.js",
     "test:full": "node ./scripts/testPresetsFull.js",
     "update-readme": "node ./scripts/updateReadme.js",
     "update-refs": "node ./scripts/updateRefs.js"
   },
   "devDependencies": {
-    "@commitlint/cli": "17.1.2",
-    "@semantic-release/changelog": "6.0.1",
+    "@commitlint/cli": "17.4.4",
+    "@semantic-release/changelog": "6.0.2",
     "@semantic-release/exec": "6.0.3",
     "@semantic-release/git": "10.0.1",
     "@types/jju": "1.4.2",
-    "@types/node": "16.11.59",
+    "@types/node": "16.18.12",
     "conventional-changelog-conventionalcommits": "5.0.0",
-    "execa": "6.1.0",
-    "husky": "8.0.1",
+    "execa": "7.0.0",
+    "husky": "8.0.3",
     "jju": "1.4.0",
-    "prettier": "2.7.1",
-    "renovate": "32.201.1",
+    "prettier": "2.8.4",
+    "renovate": "34.148.0",
     "semantic-release": "19.0.5",
-    "typescript": "4.8.3"
+    "typescript": "4.9.5"
   },
   "release": {
     "branches": [