chore: reduce renovate updates noise (#750)

.github/renovate.json

@@ -16,7 +16,11 @@
 		"group:commitlintMonorepo"
 	],
 	"schedule": ["before 5am every weekday", "every weekend"],
-	"lockFileMaintenance": { "enabled": true, "automerge": true },
+	"lockFileMaintenance": {
+		"enabled": true,
+		"automerge": true,
+		"automergeType": "branch"
+	},
 	"labels": ["dependencies"],
 	"osvVulnerabilityAlerts": true,
 	"packageRules": [
@@ -67,7 +71,8 @@
 		{
 			"matchDepTypes": ["devDependencies"],
 			"matchUpdateTypes": ["minor", "patch"],
-			"automerge": true
+			"automerge": true,
+			"automergeType": "branch"
 		}
 	]
 }

.github/workflows/release.yml

@@ -1,4 +1,4 @@
-name: Test & Release
+name: Release
 
 on:
   push:
@@ -8,16 +8,13 @@ on:
       - '+([0-9])?(.{+([0-9]),x}).x'
 
 jobs:
-  lint-and-test:
+  test:
     uses: ./.github/workflows/test.yml
-    secrets: inherit
 
   release:
-    needs: lint-and-test
+    needs: test
 
     runs-on: ubuntu-latest
-    env:
-      node-version: 20.x
 
     steps:
       - name: Harden Runner
@@ -29,16 +26,24 @@ jobs:
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
         with:
           persist-credentials: false
-      - name: Use Node.js ${{ env.node-version }}
+
+      - name: Use Node.js LTS
         uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
         with:
-          node-version: ${{ env.node-version }}
+          node-version: 'lts/*'
+          cache: npm
+
       - name: Install packages
         run: npm ci
+
+      - name: Audit npm signatures
+        run: npm audit signatures
+
       - name: Build project
         run: npm run build
+
       - name: Run Semantic Release
-        run: npm run release
+        run: npx semantic-release
         env:
           GITHUB_TOKEN: ${{ secrets.CI_GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/test.yml

@@ -1,23 +1,28 @@
-name: Lint & Test
+name: Test
 
 on:
-  workflow_call:
+  push:
+    branches:
+      - renovate/** # branches generated by https://github.com/apps/renovate
   pull_request:
     branches:
       - main
       - beta
       - '+([0-9])?(.{+([0-9]),x}).x'
+  workflow_call:
 
 permissions:
   contents: read
 
 jobs:
-  lint-and-test:
-    runs-on: ${{ matrix.os }}
+  test_matrix:
     strategy:
       matrix:
-        node: [16.x, 18.x, 20.x]
         os: [ubuntu-latest, windows-latest, macos-latest]
+        node: [16, 18, 20]
+
+    runs-on: ${{ matrix.os }}
+    timeout-minutes: 5
 
     steps:
       - name: Harden Runner
@@ -27,18 +32,41 @@ jobs:
 
       - name: Checkout project
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
+
       - name: Use Node.js ${{ matrix.node }}
         uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
         with:
           node-version: ${{ matrix.node }}
           cache: 'npm'
+
       - name: Install packages
         run: npm ci
-      - name: Build project
-        run: npm run build
+
+      - name: Audit npm signatures
+        run: npm audit signatures
+
       - name: Check codestyle compliance
         run: npm run lint
+
+      - name: Build project
+        run: npm run build
+
       - name: Run tests
         run: npm run test
+
       - name: Run fuzz tests
         run: npm run test:fuzz
+
+  # separate job to set as required status check in branch protection
+  required_check:
+    runs-on: ubuntu-latest
+    needs:
+      - test_matrix
+    if: always()
+    steps:
+      - name: All required jobs and matrix versions passed
+        if: ${{ !(contains(needs.*.result, 'failure')) }}
+        run: exit 0
+      - name: Some required jobs or matrix versions failed
+        if: ${{ contains(needs.*.result, 'failure') }}
+        run: exit 1