Conversation

MikeMcC399
Contributor

@MikeMcC399 MikeMcC399 commented Aug 29, 2025

Situation

The version of semantic-release configured in the repo was released on Nov 16, 2020, and it contains multiple vulnerabilities:

36 vulnerabilities (1 low, 19 moderate, 12 high, 4 critical)

semantic-release is disabled from running in .github/workflows/main.yml since it is commented out

Change

In the workflow .github/workflows/main.yml:

  • Add the following so that semantic-release only runs in the master branch of the parent repository, not in a fork:

    ```yaml
    # only release from the master branch
    # in parent repository, not in a fork
    if: (github.ref == 'refs/heads/master') &&
      (github.repository == 'cypress-io/commit-info')
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
    ```

  • Call semantic-release directly with npx, instead of through a package.json script:

    ```sh
    npx semantic-release
    ```

For testing purposes, and until a real release is needed, the --dry-run option is added.

Configuration verification

Execute locally:

```sh
npx semantic-release
```

Reference

update to semantic-release 24.2.7
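For readers who want to see the two changes from the description in the context of a whole job, here is an added example workflow (not the PR's own main.yml and not code from the cypress-io/commit-info project). It keeps the `if` guard and the two token variables exactly as described above; the workflow name, the Node setup step, the `permissions` block and the `fetch-depth`/`persist-credentials` checkout options are assumptions added here to show a least-privilege release job:

```yaml
# Added example, not the repository's actual .github/workflows/main.yml.
name: ci

on:
  push:
    branches: [master]
  pull_request:

jobs:
  release:
    runs-on: ubuntu-latest
    # Guard from the PR description: only release from the master branch
    # in the parent repository, never from a fork or from a PR branch.
    # Both conditions matter: a fork can have its own "master", and
    # a PR build has github.ref pointing at the PR, not at master.
    if: (github.ref == 'refs/heads/master') &&
      (github.repository == 'cypress-io/commit-info')
    # Assumption: scope the job token to what a release needs
    # (create tags/releases, comment on issues and PRs) instead of
    # inheriting the repository-wide default.
    permissions:
      contents: write
      issues: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with:
          # semantic-release analyzes the full commit history since the
          # last tag, so a shallow clone would hide commits.
          fetch-depth: 0
          # Do not leave the checkout token in .git/config; the release
          # step gets its own token via env below.
          persist-credentials: false
      - uses: actions/setup-node@v4
        with:
          node-version: lts/*
      - run: npm ci
      - name: semantic-release (dry run until a real release is needed)
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
        # Called directly with npx rather than via a package.json script.
        # Drop --dry-run when a real release should be published.
        run: npx semantic-release --dry-run
```

The `if` guard is evaluated before the job starts, so on a fork the release job is skipped entirely and the secrets are never exposed to that run; the tokens are placed on the single step that needs them rather than on the whole job.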
@MikeMcC399 MikeMcC399 marked this pull request as ready for review August 29, 2025 15:58
@MikeMcC399
Contributor Author

Local check:

```text
$ npx semantic-release
[semantic-release] › ℹ  Running semantic-release version 24.2.7
[semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/npm"
[semantic-release] › ✔  Loaded plugin "verifyConditions" from "@semantic-release/github"
[semantic-release] › ✔  Loaded plugin "analyzeCommits" from "@semantic-release/commit-analyzer"
[semantic-release] › ✔  Loaded plugin "generateNotes" from "@semantic-release/release-notes-generator"
[semantic-release] › ✔  Loaded plugin "prepare" from "@semantic-release/npm"
[semantic-release] › ✔  Loaded plugin "publish" from "@semantic-release/npm"
[semantic-release] › ✔  Loaded plugin "publish" from "@semantic-release/github"
[semantic-release] › ✔  Loaded plugin "addChannel" from "@semantic-release/npm"
[semantic-release] › ✔  Loaded plugin "addChannel" from "@semantic-release/github"
[semantic-release] › ✔  Loaded plugin "success" from "@semantic-release/github"
[semantic-release] › ✔  Loaded plugin "fail" from "@semantic-release/github"
[semantic-release] › ⚠  This run was not triggered in a known CI environment, running in dry-run mode.
[5:59:14 PM] [semantic-release] › ℹ  This test run was triggered on the branch reconfigure/semantic-release, while semantic-release is configured to only publish from master, therefore a new version won’t be published.
```

@MikeMcC399
Contributor Author

@AtofStryker

Here is one more PR for you to please review and merge.

The main goal is to re-enable semantic-release which was broken.

A secondary effect is to reduce the quantity of vulnerabilities. At a minimum I would like to see no critical vulnerabilities when cloning and building the repo. After merging this PR, there are still the following being reported after executing npm ci:

54 vulnerabilities (8 low, 12 moderate, 14 high, 20 critical)

so, still some way to go.

Contributor

@AtofStryker AtofStryker left a comment

Thank you for doing this @MikeMcC399!

```yaml
# only release from the master branch in parent repository, not in a fork
if: (github.ref == 'refs/heads/master') &&
  (github.repository == 'cypress-io/commit-info')
# TODO: remove --dry-run after testing and when a real release is needed
```

Contributor

whenever we are ready for this @MikeMcC399 let me know as I likely need to update the NPM_TOKEN

Contributor Author

@AtofStryker

Merge into the master branch is showing that the NPM_TOKEN is indeed missing.

See https://github.com/cypress-io/commit-info/actions/runs/17409432544/job/49422571964

That was the only point that I was unable to view and to test with only having external access privileges.

If cypress-io does not set NPM_TOKEN at an organizational level in GitHub, then it will need to be defined here in this repo, and this should be done now (without any particular urgency), so that the dry-run workflow can be checked as successful.

Thanks once again for reviewing and merging! I will keep doing updates here at a steady pace. They have to come one after another because otherwise it creates package.json conflicts.

Contributor Author

@AtofStryker

Great to see that the dry-run is now working! 🎉 It has revealed that there is a pending patch release due to PRs that were merged back in 2023!

I would currently leave the release workflow in its dry-run setting and come back to this in due course after completing more of the maintenance work.


2.2.1 (v2.2.0...v2.2.1) (2025-09-02)

Bug Fixes

* **deps:** update debug to 4.3.4 🌟 ([e563983](https://github.com/cypress-io/commit-info/commit/e5639832cae219a7150587f987a4fefe5464c2da))
* **deps:** update dependency bluebird to version 3.7.2 🌟 ([#150](https://github.com/cypress-io/commit-info/issues/150)) ([5b96920](https://github.com/cypress-io/commit-info/commit/5b969201e7e7404f022be67315b0089d898906e9))

@AtofStryker AtofStryker merged commit 40642d8 into cypress-io:master Sep 2, 2025
1 check passed
@MikeMcC399 MikeMcC399 deleted the reconfigure/semantic-release branch September 2, 2025 17:01

🎉 This PR is included in version 2.2.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

Successfully merging this pull request may close these issues.

semantic-release fails