Merge branch 'nodejs:main' into allow-toc-to-scroll-independently

Author: utkarsh125

.github/workflows/lint-and-tests.yml

@@ -149,10 +149,10 @@ jobs:
         if: ${{ !cancelled() && github.event_name != 'merge_group' }}
         uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
         with:
-          files: ./apps/site/lcov.info,./packages/ui-components/lcov.info
+          files: ./apps/site/lcov.info,./packages/*/lcov.info
 
       - name: Upload test results to Codecov
         if: ${{ !cancelled() && github.event_name != 'merge_group' }}
         uses: codecov/test-results-action@f2dba722c67b86c6caa034178c6e4d35335f6706 # v1.1.0
         with:
-          files: ./apps/site/junit.xml,./packages/ui-components/junit.xml
+          files: ./apps/site/junit.xml,./packages/*/junit.xml

.github/workflows/playwright.yml

@@ -0,0 +1,107 @@
+# Security Notes
+# Only selected Actions are allowed within this repository. Please refer to (https://github.com/nodejs/nodejs.org/settings/actions)
+# for the full list of available actions. If you want to add a new one, please reach out a maintainer with Admin permissions.
+# REVIEWERS, please always double-check security practices before merging a PR that contains Workflow changes!!
+# AUTHORS, please only use actions with explicit SHA references, and avoid using `@master` or `@main` references or `@version` tags.
+# MERGE QUEUE NOTE: This Workflow does not run on `merge_group` trigger, as this Workflow is not required for Merge Queue's
+
+name: Playwright Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  actions: read
+
+jobs:
+  get-vercel-preview:
+    name: Get Vercel Preview
+    runs-on: ubuntu-latest
+    outputs:
+      deployment_found: ${{ steps.set_outputs.outputs.deployment_found }}
+      url: ${{ steps.set_outputs.outputs.url }}
+    steps:
+      - name: Capture Vercel Preview
+        id: check_deployment
+        uses: patrickedqvist/wait-for-vercel-preview@06c79330064b0e6ef7a2574603b62d3c98789125 # v1.3.2
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          max_timeout: 300 # timeout after 5 minutes
+          check_interval: 10 # check every 10 seconds
+        continue-on-error: true
+      - name: Set Outputs
+        if: always()
+        id: set_outputs
+        run: |
+          if [[ -z "${{ steps.check_deployment.outputs.url }}" ]]; then
+            echo "deployment_found=false" >> $GITHUB_OUTPUT
+          else
+            echo "deployment_found=true" >> $GITHUB_OUTPUT
+            echo "url=${{ steps.check_deployment.outputs.url }}" >> $GITHUB_OUTPUT
+          fi
+
+  playwright:
+    needs: get-vercel-preview
+    if: needs.get-vercel-preview.outputs.deployment_found == 'true'
+    name: Playwright Tests
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Git Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        with:
+          cache: true
+
+      - name: Set up Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          # We want to ensure that the Node.js version running here respects our supported versions
+          node-version-file: '.nvmrc'
+          cache: 'pnpm'
+
+      - name: Install packages
+        run: pnpm install --frozen-lockfile
+
+      - name: Get Playwright version
+        id: playwright-version
+        working-directory: apps/site
+        run: echo "version=$(pnpm exec playwright --version | awk '{print $2}')" >> $GITHUB_OUTPUT
+
+      - name: Cache Playwright browsers
+        id: playwright-cache
+        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+        with:
+          path: ~/.cache/ms-playwright
+          key: playwright-${{ runner.os }}-${{ steps.playwright-version.outputs.version }}
+
+      - name: Install Playwright Browsers
+        working-directory: apps/site
+        run: pnpm exec playwright install --with-deps
+
+      - name: Run Playwright tests
+        working-directory: apps/site
+        run: pnpm playwright
+        env:
+          VERCEL_PREVIEW_URL: ${{ needs.get-vercel-preview.outputs.url }}
+
+      - name: Upload Playwright test results
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: playwright-report
+          path: apps/site/playwright-report/

.github/workflows/publish-packages.yml

@@ -0,0 +1,149 @@
+name: Publish Packages
+
+# This workflow publishes packages to NPM when changes are merged to main branch or when manually triggered.
+# It runs automatically after successful tests or can be run manually for specific packages.
+
+on:
+  workflow_run:
+    # Only run after linting and tests have passed on main branch
+    workflows: ['Linting and Tests']
+    types: [completed]
+    # For security reasons, this should never be set to anything but `main`
+    branches: [main]
+  workflow_dispatch:
+    inputs:
+      package:
+        description: 'Specific package to publish (leave empty for all packages)'
+        required: false
+        type: string
+
+permissions:
+  contents: read
+
+env:
+  # Use the SHA from the workflow run that triggered this or the current SHA for manual runs
+  COMMIT_SHA: ${{ github.event.workflow_run.head_sha || github.sha }}
+
+jobs:
+  prepare-packages:
+    runs-on: ubuntu-latest
+    # Only run if manually triggered or if the triggering workflow succeeded from a push event
+    if: github.event_name == 'workflow_dispatch' || (
+      github.event.workflow_run.conclusion == 'success' &&
+      github.event.workflow_run.event == 'push' &&
+      github.repository == 'nodejs/nodejs.org')
+    outputs:
+      # Output the matrix of packages to publish for use in the publish job
+      matrix: ${{ steps.generate-matrix.outputs.matrix }}
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Verify commit authenticity
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Get commit data from GitHub API to verify its authenticity
+          COMMIT_DATA=$(gh api repos/${{ github.repository }}/commits/$COMMIT_SHA)
+          # Check if commit signature is verified (GPG signed)
+          VERIFIED=$(echo "$COMMIT_DATA" | jq -r '.commit.verification.verified')
+          # Check if commit was made through GitHub's web interface (merge queue)
+          COMMITTER=$(echo "$COMMIT_DATA" | jq -r '.commit.committer.email')
+
+          # Security checks to ensure we only publish from verified and trusted sources
+          if [[ "$VERIFIED" != "true" ]]; then
+            echo "❌ Unverified commit! Aborting."
+            exit 1
+          fi
+
+          if [[ "$COMMITTER" != "[email protected]" ]]; then
+            echo "❌ Not merged with the merge queue! Aborting."
+            exit 1
+          fi
+
+          echo "✅ Commit is verified and trusted."
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          fetch-depth: 2 # Need at least 2 commits to detect changes between commits
+
+      - name: Generate package matrix
+        id: generate-matrix
+        env:
+          PACKAGE: ${{ github.event.inputs.package }}
+          EVENT_NAME: ${{ github.event_name }}
+        run: |
+          if [ -n "$PACKAGE" ]; then
+            # If a specific package is requested via workflow_dispatch, just publish that one
+            echo "matrix={\"package\":[\"$PACKAGE\"]}" >> $GITHUB_OUTPUT
+          else
+            # Otherwise, identify all packages with changes since the last commit
+            CHANGED_PACKAGES=()
+            for pkg in $(ls -d packages/*); do
+              PKG_NAME=$(basename "$pkg")
+              # For manual runs, include all packages. For automatic runs, only include packages with changes
+              if [ "$EVENT_NAME" == "workflow_dispatch" ] || ! git diff --quiet $COMMIT_SHA~1 $COMMIT_SHA -- "$pkg/"; then
+                CHANGED_PACKAGES+=("$PKG_NAME")
+              fi
+            done
+
+            # Format the output for GitHub Actions matrix using jq
+            PACKAGES_JSON=$(jq -n '$ARGS.positional' --args "${CHANGED_PACKAGES[@]}" -c)
+            echo "matrix={\"package\":$PACKAGES_JSON}" >> $GITHUB_OUTPUT
+          fi
+
+  publish:
+    needs: prepare-packages
+    runs-on: ubuntu-latest
+    # Use the dynamic matrix from prepare-packages job to create parallel jobs for each package
+    strategy:
+      matrix: ${{ fromJson(needs.prepare-packages.outputs.matrix) }}
+      fail-fast: false # Continue publishing other packages even if one fails
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+
+      - name: Set up pnpm
+        uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
+        with:
+          cache: true
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version-file: '.nvmrc'
+          registry-url: 'https://registry.npmjs.org'
+          cache: pnpm
+
+      - name: Publish
+        working-directory: packages/${{ matrix.package }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          # Create a unique version using the commit SHA as a prerelease identifier
+          # This ensures we can publish multiple times from the same codebase with unique versions
+          npm version --no-git-tag-version 1.0.1-$COMMIT_SHA
+          # Publish the package to the npm registry with public access flag
+          pnpm publish --access public --no-git-checks
+
+      - name: Notify on Manual Release
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # 2.3.3
+        env:
+          SLACK_COLOR: '#43853D'
+          SLACK_ICON: https://github.com/nodejs.png?size=48
+          SLACK_TITLE: ':rocket: Package Published: ${{ matrix.package }}'
+          SLACK_MESSAGE: |
+            :package: *Package*: `${{ matrix.package }}` (<https://www.npmjs.com/package/@node-core/${{ matrix.package }}|View on npm>)
+            :bust_in_silhouette: *Published by*: ${{ github.triggering_actor }}
+            :octocat: *Commit*: <https://github.com/${{ github.repository }}/commit/${{ env.COMMIT_SHA }}|${{ env.COMMIT_SHA }}>
+          SLACK_USERNAME: nodejs-bot
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}

.github/workflows/translations-sync.yml

@@ -18,12 +18,12 @@ concurrency:
 permissions:
   contents: read
 
+env:
+  BRANCH_NAME: chore/crowdin
+
 jobs:
   synchronize-with-crowdin:
     runs-on: ubuntu-latest
-    outputs:
-      pull_request_number: ${{ steps.crowdin_pr.outputs.pull_request_number }}
-
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0
@@ -38,14 +38,13 @@ jobs:
         # see all the options at https://github.com/crowdin/github-action
       - name: Crowdin PR
         uses: crowdin/github-action@b8012bd5491b8aa8578b73ab5b5f5e7c94aaa6e2 # v2.7.0
-        id: crowdin_pr
         with:
           # do not upload anything - this is a one-way operation download
           upload_sources: false
           upload_translations: false
           # the rest of this controls how the PR comes in with new translations
           download_translations: true
-          localization_branch_name: chore/crowdin
+          localization_branch_name: ${{ env.BRANCH_NAME }}
           create_pull_request: true
           pull_request_title: '[automated]: crowdin sync'
           pull_request_body: 'New Crowdin translations from the [Node.js Crowdin project](https://crowdin.com/project/nodejs-web)'
@@ -74,8 +73,7 @@ jobs:
       - name: Git Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
-          # Use the number from the output of crowdin/github-action
-          ref: refs/pull/${{ needs.synchronize-with-crowdin.outputs.pull_request_number }}/head
+          ref: ${{ env.BRANCH_NAME }}
           token: ${{ secrets.CROWDIN_GITHUB_BOT_TOKEN }}
 
       - name: Restore Lint Cache
@@ -109,15 +107,12 @@ jobs:
       - name: Install packages
         run: pnpm install --frozen-lockfile
 
-      - name: Run `lint:md --fix`
-        # This runs a specific version of ESLint with only the Translation Pages Globbing
-        # This avoid that unrelated changes get linted/modified within this PR
-        run: pnpm exec eslint "apps/site/pages/**/*.md?(x)" --fix --cache --cache-strategy=metadata --cache-file=apps/site/.eslintmdcache --config=apps/site/eslint.config.js
+      - name: Run ESLint
+        working-directory: apps/site
+        run: pnpm lint:md --fix
 
-      - name: Run `prettier --write`
-        # This runs a specific version of Prettier with only the Translation Pages Globbing
-        # This avoid that unrelated changes get prettied/modified within this PR
-        run: pnpm exec prettier "apps/site/{pages,i18n}/**/*.{json,md,mdx}" --check --write --cache --cache-strategy=metadata --cache-location=apps/site/.prettiercache
+      - name: Run Prettier
+        run: pnpm prettier:fix
 
       - name: Push Changes back to Pull Request
         uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403 # v5.2.0

.gitignore

@@ -33,7 +33,6 @@ cache
 
 # TypeScript
 tsconfig.tsbuildinfo
-
 dist/
 
 # Ignore the blog-data json that we generate during dev and build
@@ -43,3 +42,7 @@ apps/site/public/blog-data.json
 apps/site/.open-next
 apps/site/.wrangler
 
+
+## Playwright
+test-results
+playwright-report