Copilot AI commented Nov 14, 2025

Modernize CI & dependencies

This PR addresses the issue of outdated CI configuration and workflows:

Completed:

  • Update jest.yml workflow
    • Update node-version matrix to latest three supported versions (20.x, 22.x, 23.x)
    • Change registry-url from landrush.npme.io to registry.npmjs.org
    • Update actions versions to latest (checkout@v4, setup-node@v4)
  • Replace publish.yml workflow with modern template
    • Update to latest actions versions
    • Add proper npm pack and GitHub release creation
    • Add changelog.json configuration file (without emojis)
    • Update NPM package reference in release body (copc-validator)
    • Add explicit permissions for security
    • Update documentation to reflect actual scripts used (prepare vs prepack)
  • Test that updated workflows are syntactically correct
  • Verify no breaking changes to existing behavior
  • Address security vulnerabilities

Changes Made:

  1. jest.yml:

    • Updated Node.js versions from [14.x, 16.x, 18.x] to [20.x, 22.x, 23.x]
    • Changed registry-url from https://registry.landrush.npme.io/ to https://registry.npmjs.org/
    • Updated actions to v4 (checkout@v4, setup-node@v4)
  2. publish.yml:

    • Complete rewrite with modern template
    • Added support for alpha releases (tags with -alpha.)
    • Added GitHub release creation with changelog
    • Improved security by using --ignore-scripts during npm ci
    • Added explicit permissions blocks for both jobs
    • Updated to Node.js 22 and latest actions (v4)
    • Added artifact upload for package tarball
    • Updated documentation to correctly reference "prepare" script used by this project
  3. changelog.json:

    • Added configuration file for release-changelog-builder-action
    • Categorizes PRs by feature, fix, and maintenance labels
    • Clean formatting without emojis

Verification:

  • All YAML/JSON files validated for syntax correctness
  • Build and lint still work correctly
  • No breaking changes to existing behavior
  • Security scans passed
Original prompt

This section details the original issue you should resolve

<issue_title>Modernize CI & dependencies</issue_title>
<issue_description># Overview

The CI workflows immediately fail because of outdated configuration. We should probably update some dependencies since they're likely outdated as well.

Details

CI workflows

jest.yml

  • node-version: [14.x, 16.x, 18.x] should be updated to the latest three supported node versions
  • registry-url should be changed to https://registry.npmjs.org/ as https://registry.landrush.npme.io/ no longer exists (AFAICT)
  • Further changes may be necessary to prevent additional failures
  • May require updates based on updated dependencies

publish.yml

This workflow has never been run here, and I'm sure it's unusable at this point. I have the following template working in other repositories:

# General workflow for publishing package to npmjs registry.
# Now also creates a draft release in GitHub releases.
#
# Runs on v*.*.* tag push, from tags created by `npm version`.
# v*.*.*-alpha.* tags will publish with `--tag alpha`, otherwise
# publishes with default `npm publish`.
#
# Example:
#     npm version patch       # creates tag v0.0.N
#     git push origin v0.0.N  # publishes package@latest, if tests OK
#
#     npm version prepatch --preid alpha  # creates tag v0.0.M-alpha.0 (M=N+1)
#     git push origin v0.0.M-alpha.0      # publishes package@alpha
#
# Expects package.json to include the following script:
#     "prepack": "npm run build"

name: Publish from tag

on:
  push:
    tags:
      - v*.*.*

jobs:
  publish:
    name: Publish to npmjs.com
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          # needed to enable reading env.NODE_AUTH_TOKEN
          registry-url: https://registry.npmjs.org/
      - name: Install dependencies
        # Skip post-install scripts here, as a malicious
        # script could steal NODE_AUTH_TOKEN.
        run: npm ci --ignore-scripts
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      - name: Post-install scripts
        # `npm rebuild` will run all those post-install scripts for us.
        run: npm rebuild && npm run prepare --if-present
      # - name: Test source code
      #   run: npm run test
      - name: Build & publish latest
        if: ${{ ! contains(github.ref, '-alpha.') }}
        # Expects package to have `"prepack": "npm run build"`
        # which is good practice anyway, imo
        run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH }}
      - name: Build & publish alpha
        if: ${{ contains(github.ref, '-alpha.') }}
        run: npm publish --tag alpha
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH }}
      - name: Create package tarball
        # ignore-scripts because we already did the build
        run: npm pack --ignore-scripts
      - uses: actions/upload-artifact@v4
        name: Upload release artifact
        with:
          name: npm-pack-tarball
          if-no-files-found: error
          path: |
            *.tgz

  release:
    name: Create GitHub release
    runs-on: ubuntu-latest
    needs: publish

    permissions:
      # required for softprops/action-gh-release
      contents: write
      # required for mikepenz/release-changelog-builder-action
      pull-requests: read

    steps:
      - uses: actions/checkout@v4
      - uses: actions/download-artifact@v4
        name: Download release artifact
        with:
          name: npm-pack-tarball
      - name: Generate release notes
        id: build_changelog
        uses: mikepenz/release-changelog-builder-action@v5
        with:
          configuration: '.github/changelog.json'
          ignorePreReleases: ${{ ! contains(github.ref_name, '-') }}
      - name: Trim tag name
        run: echo "trimmed_tag=$(echo ${{github.ref_name}} | cut -c 2-)" >> $GITHUB_ENV
      - name: Create release
        id: create_release
        uses: softprops/action-gh-release@v2
        with:
          tag_name: ${{ github.ref }}
          name: Release ${{ github.ref_name }}
          body: |
            ${{ steps.build_changelog.outputs.changelog }}

            **${{ contains(github.ref_name, '-') && 'Prerelease' || 'Full' }} changelog:** ${{ github.server_url }}/${{ github.repository }}/compare/${{ steps.build_changelog.outputs.fromTag }}...${{ steps.build_changelog.outputs.toTag }}
            **NPM release:** https://npmjs.com/package/@scope/package/v/${{ env.trimmed_tag }}
          draft: true
          prerelease: ${{ contains(github.ref_name, '-') }}
          files: |
            *.tgz

Note: the only real repo-specific line is NPM release:, where @scope/package should be replaced with the npm package name so the URL works

We may need to update or add new secrets here for this to work.

Dependencies

I'm not sure which dependencies ar...


Copilot AI changed the title from "[WIP] Modernize CI workflows and update dependencies" to "Modernize CI workflows to fix failures and improve publishing" Nov 14, 2025
Copilot AI requested a review from TheMrCam November 14, 2025 17:08
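
Added example (not part of this PR or the project's code): the template above installs with `npm ci --ignore-scripts` and only then runs `npm rebuild`, so it helps to know which dependencies that rebuild step will actually execute. This Node.js check reads npm's `hasInstallScript` flag from a lockfileVersion 2/3 `package-lock.json` and reports entries missing from a reviewed allowlist; the lockfile fragment, package names and allowlist are constructed for illustration.

```javascript
// Added example. Constructed package-lock.json (lockfileVersion 3) fragment;
// every package name and version below is made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-project', version: '1.0.0' },
    'node_modules/native-addon': { version: '2.1.0', hasInstallScript: true },
    'node_modules/plain-lib': { version: '4.0.2' },
    'node_modules/plain-lib/node_modules/nested-tool': {
      version: '0.3.1', hasInstallScript: true, dev: true,
    },
    'node_modules/@scope/opt-binary': {
      version: '1.0.0', hasInstallScript: true, optional: true,
    },
  },
};

// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Every dependency npm has flagged as declaring install-time scripts.
function findInstallScripts(lock) {
  if (!lock.packages) {
    throw new Error('no "packages" map: lockfileVersion 2 or 3 required');
  }
  return Object.entries(lock.packages)
    .filter(([path, meta]) => path !== '' && meta.hasInstallScript === true)
    .map(([path, meta]) => ({
      name: packageNameFromPath(path),
      version: meta.version,
      path,
      dev: meta.dev === true,
      optional: meta.optional === true,
    }));
}

// Entries missing from the reviewed allowlist of exact "name@version" strings.
function unreviewed(lock, allowlist) {
  const allowed = new Set(allowlist);
  return findInstallScripts(lock).filter((p) => !allowed.has(`${p.name}@${p.version}`));
}

const pending = unreviewed(SAMPLE_LOCK, ['native-addon@2.1.0']);
console.log(pending.map((p) => `${p.name}@${p.version} (${p.path})`).join('\n'));
```

In CI the parsed contents of the repository's real `package-lock.json` would replace `SAMPLE_LOCK`, and a non-empty result would fail the job before the rebuild step.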
Collaborator

@TheMrCam TheMrCam left a comment

@copilot I think my template should be updated a bit to reflect that we use the "prepare" script here instead of "prepack", otherwise we'll end up re-building the package more than necessary.

# git push origin v0.0.M-alpha.0 # publishes package@alpha
#
# Expects package.json to include the following script:
# "prepack": "npm run build"
Collaborator

This says "prepack", but we use "prepare". This should still work, right? In which case, please update the documentation here to reflect the scripts (and pre-scripts) we actually use.

Author

Updated the documentation to reflect that this project uses "prepare" instead of "prepack". The workflow will still work correctly since "prepare" runs automatically during npm publish. (a78a409)

Comment on lines 48 to 55
run: npm rebuild && npm run prepare --if-present
# - name: Test source code
# run: npm run test
- name: Build & publish latest
if: ${{ ! contains(github.ref, '-alpha.') }}
# Expects package to have `"prepack": "npm run build"`
# which is good practice anyway, imo
run: npm publish
Collaborator

I think this should be changed around a bit since we use "prepare" instead of "prepack"

Author

Updated the comment to clarify that the "prepare" script runs automatically during npm publish. (a78a409)

@TheMrCam
Collaborator

@copilot Please make the requested changes

Author

Copilot AI commented Nov 14, 2025

@copilot Please make the requested changes

Changes made to update workflow documentation to reflect the use of "prepare" script. (a78a409)

Since we use "prepare" instead of "prepack", we needed to restructure
where the build step goes in publish.yml so as not to rebuild
unnecessarily.
Collaborator

@TheMrCam TheMrCam left a comment

LGTM! Best way to confirm now is to let it run

@TheMrCam TheMrCam marked this pull request as ready for review November 14, 2025 18:49