chore(ci): update build pipeline to match concerto-docs (#532)

- Upgrade Node.js from 14.x to 20.x
- Upgrade Docusaurus from 3.7.0 to 3.10.0
- Update GitHub Actions: checkout@v4, setup-node@v4
- Switch from AWS access keys to OIDC role assumption
- Replace jakejarvis/s3-sync-action with native aws s3 sync
- Add security linting: syncpack + lockfile-lint
- Pin all dependencies to exact versions (no caret ranges)
- Add .nvmrc for consistent local development
- Add @docusaurus/faster for improved build performance
- Add timeout-minutes and environment to workflow

Signed-off-by: Matt Roberts <code@rbrts.uk>

Author: mttrbrts

.github/workflows/build-and-publish.yml

@@ -5,56 +5,64 @@ on:
     branches: 
       - main
 
+permissions:
+  id-token: write   # This is required for requesting the JWT
+  contents: read    # This is required for actions/checkout
+
 jobs:
 
   build:
 
     runs-on: ubuntu-latest
-    env:
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+    environment: production
+    timeout-minutes: 30
 
     strategy:
       matrix:
-        node-version: [14.x]
+        node-version: [20.x]
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
-      - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v1
+      - name: Use Node.js 20.x
+        uses: actions/setup-node@v4
         with:
-          node-version: ${{ matrix.node-version }}
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+        # Ensure npm 11.5.1 or later for trusted publishing
+      - run: npm install -g npm@latest
 
       - name: NPM Install
         if: github.ref == 'refs/heads/main'
-        run: |
-          cd ./website
-          pwd
-          npm install
+        working-directory: ./website
+        run: npm install
 
       - name: NPM Build
         if: github.ref == 'refs/heads/main'
-        run: |
-          cd ./website
-          pwd
-          npm run build
+        working-directory: ./website
+        run: npm run build
 
-      - name: Set S3 
+      - name: configure aws credentials
         if: github.ref == 'refs/heads/main'
-        run: |
-            echo "AWS_S3_BUCKET=${{secrets.AWS_S3_BUCKET}}" >> $GITHUB_ENV
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE }}
+          aws-region: ${{ secrets.AWS_REGION }}
 
       - name: Deploy to S3
         if: github.ref == 'refs/heads/main'
-        uses: jakejarvis/s3-sync-action@master
-        with:
-          args: --acl public-read --follow-symlinks --delete
+        run: |
+          aws s3 sync website/build s3://${{ secrets.AWS_S3_BUCKET }} \
+            --acl public-read \
+            --follow-symlinks \
+            --delete
         env:
-          SOURCE_DIR: 'website/build/techdocs'
+          AWS_REGION: ${{ secrets.AWS_REGION }}
 
       - name: Invalidate Cloudfront
+        if: github.ref == 'refs/heads/main'
         uses: chetan/invalidate-cloudfront-action@master
         env:
           DISTRIBUTION: ${{ secrets.AWS_CLOUDFRONT_DISTRIBUTION_ID }}

.nvmrc

@@ -0,0 +1 @@
+20.14.0