fix(publish-npm): use github provider because the PROVENANCE require github self hosted runner

deps(deps): bump actions/setup-node in the github-actions group

Bumps the github-actions group with 1 update: [actions/setup-node](https://github.com/actions/setup-node).


Updates `actions/setup-node` from 4 to 5
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](https://github.com/actions/setup-node/compare/v4...v5)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/build-lint-test.yaml

@@ -2,6 +2,10 @@
 
 name: Build, Lint, and Test Project
 
+# Required permission on the caller workflow
+# permissions:
+#   contents: read
+
 on:
   workflow_call:
     inputs:
@@ -11,22 +15,20 @@ on:
         default: 'lts/*'
         type: string
 
-permissions:
-  contents: read
-
 jobs:
   main:
     name: Build, Lint, and Test Project
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
 
     steps:
       - name: 📥 Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🔧 Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
-          node-version: ${{ inputs.NODE_VERSION }}
+          node-version: ${{ inputs.node-version }}
+          package-manager-cache: false
 
       - name: 🛠️ Setup Node.js Corepack
         run: corepack enable
@@ -43,6 +45,14 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-yarn-
 
+      - name: 🗂️ Cache .cache folders
+        uses: actions/cache@v4
+        with:
+          path: packages/**/.cache
+          key: ${{ runner.os }}-cache
+          restore-keys: |
+            ${{ runner.os }}-cache-
+
       - name: 📥 Install Dependencies
         run: yarn install --immutable
 

.github/workflows/codeql.yaml

@@ -2,18 +2,19 @@
 
 name: CodeQL
 
+# Required permission on the caller workflow
+# permissions:
+#   actions: read
+#   contents: read
+#   security-events: write
+
 on:
   workflow_call:
 
-permissions:
-  actions: read
-  contents: read
-  security-events: write
-
 jobs:
   main:
     name: CodeQL Analyze
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
 
     strategy:
       fail-fast: false
@@ -23,7 +24,7 @@ jobs:
 
     steps:
       - name: ⤵️ Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🏗 Initialize CodeQL
         uses: github/codeql-action/init@v3

.github/workflows/dependency-review.yaml

@@ -2,20 +2,35 @@
 
 name: Dependency Review
 
+# Required permission on the caller workflow
+# permissions:
+#   contents: read
+
 on:
   workflow_call:
-
+    inputs:
-permissions:
+      base_ref:
-  contents: read
+        description: 'The base ref for the dependency review'
+        required: false
+        type: string
+        default: 'next'
+      head_ref:
+        description: 'The head ref for the dependency review'
+        required: false
+        type: string
+        default: 'next'
 
 jobs:
   main:
     name: Dependency Review
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
 
     steps:
       - name: ⤵️ Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🚀 Dependency Review
         uses: actions/dependency-review-action@v4
+        with:
+          base-ref: ${{ inputs.base_ref }}
+          head-ref: ${{ inputs.head_ref }}

.github/workflows/publish-npm.yaml

@@ -2,6 +2,11 @@
 
 name: Publish NPM
 
+# Required permission on the caller workflow
+# permissions:
+#   contents: read
+#   id-token: write
+
 on:
   workflow_call:
     inputs:
@@ -10,18 +15,16 @@ on:
         required: true
         default: 'lts/*'
         type: string
+      npm-registry-url:
+        description: 'NPM registry url'
+        required: false
+        default: 'https://registry.npmjs.org'
+        type: string
     secrets:
       NPM_TOKEN:
         required: true
         description: 'NPM token'
 
-env:
-  NODE_VERSION: lts/*
-
-permissions:
-  contents: read
-  id-token: write
-
 jobs:
   main:
     if: github.repository_owner == 'the-nexim'
@@ -31,12 +34,14 @@ jobs:
 
     steps:
       - name: 📥 Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🔧 Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
-          node-version: ${{ inputs.NODE_VERSION }}
+          node-version: ${{ inputs.node-version }}
+          registry-url: ${{ inputs.npm-registry-url }}
+          package-manager-cache: false
 
       - name: 🛠️ Setup Node.js Corepack
         run: corepack enable
@@ -60,15 +65,11 @@ jobs:
         run: yarn build
         env:
           WIREIT_LOGGER: metrics
-
+          NODE_ENV: production
-      - name: 🧹 Run ESLint
-        run: yarn lint
-        env:
-          WIREIT_LOGGER: metrics
 
       - name: 🚀 Publish
         run: yarn run publish -- --yes
         env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           NPM_CONFIG_PROVENANCE: true
           WIREIT_LOGGER: metrics

.github/workflows/release.yaml

@@ -2,6 +2,10 @@
 
 name: Build & Lint & Test & Release
 
+# Required permission on the caller workflow
+# permissions:
+#   contents: write
+
 on:
   workflow_call:
     inputs:
@@ -11,30 +15,27 @@ on:
         default: 'lts/*'
         type: string
     secrets:
+      RELEASER_ACCOUNT_TOKEN:
+        required: true
+        description: 'GitHub token for the releaser account'
       GPG_KEY_ID:
         required: true
         description: 'GPG key ID'
-      BOT_TOKEN:
-        required: true
-        description: 'Nexim Bot token'
       GPG_PRIVATE_KEY:
         required: true
         description: 'GPG private key'
 
-permissions:
-  contents: write
-
 jobs:
   main:
     name: Build & Lint & Test & Release
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
 
     steps:
       - name: ⤵️ Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 0
-          token: ${{ secrets.BOT_TOKEN }}
+          token: ${{ secrets.RELEASER_ACCOUNT_TOKEN }}
 
       - name: 🙂‍↔️ Import GPG key
         run: |
@@ -54,9 +55,10 @@ jobs:
           GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
 
       - name: 🔧 Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: ${{ inputs.node-version }}
+          package-manager-cache: false
 
       - name: 🛠️ Setup Node.js Corepack
         run: corepack enable
@@ -94,5 +96,5 @@ jobs:
       - name: 🤖 Get Release
         run: yarn lerna version --yes
         env:
-          GITHUB_TOKEN: ${{ secrets.BOT_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.RELEASER_ACCOUNT_TOKEN }}
           WIREIT_LOGGER: metrics

.github/workflows/sync-label.yaml

@@ -1,26 +1,22 @@
 # yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
-
 name: Sync labels
 
+# Required permission on the caller workflow
+# permissions:
+#   contents: read
+#   issues: write
+
 on:
   workflow_call:
-    secrets:
-      GITHUB_TOKEN:
-        description: 'GitHub token'
-        required: true
-
-permissions:
-  contents: read
-  issues: write
 
 jobs:
   main:
     name: Sync labels
-    runs-on: ubuntu-latest
+    runs-on: blacksmith-2vcpu-ubuntu-2404
 
     steps:
       - name: ⤵️ Check out code from GitHub
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: 🚀 Run Label Syncer
         uses: micnncim/action-label-syncer@v1

.vscode/settings.json

@@ -22,7 +22,10 @@
   },
   "typescript.enablePromptUseWorkspaceTsdk": true,
   "typescript.tsdk": ".yarn/sdks/typescript/lib",
-  "cSpell.words": ["nexim"],
+  "cSpell.words": [
+    "nexim",
+    "wireit"
+  ],
   "todo-tree.tree.scanMode": "workspace only",
   "github.copilot.chat.codeGeneration.instructions": [
     {