chore: use semantic release (#1767)

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,8 +1,6 @@
 
 <!--
 
-	If release PR, add ?template=release.md to the PR url to use the release PR template.
-
 	If badging PR, add ?template=badges.md to the PR url to use the badges PR template.
 
 	Otherwise, you are stating this PR fixes an issue that has been submitted; or,
@@ -48,6 +46,5 @@ Describe what code combination got you there
 
 In most cases, this should be a different person than the contributor.
 
-- [ ] Draft GitHub release notes have been updated.
 - [ ] CI is green (no forced merge required).
-- [ ] Merge PR
+- [ ] Squash and Merge PR following [conventional commit guidelines](https://www.conventionalcommits.org/).

.github/PULL_REQUEST_TEMPLATE/release.md

@@ -1,25 +0,0 @@
-## Publisher
-
-- [ ] `$ npm version` has been run.
-- [ ] Release notes in [draft GitHub release](https://github.com/markedjs/marked/releases) are up to date
-- [ ] Release notes include which flavors and versions of Markdown are supported by this release
-- [ ] Committer checklist is complete.
-- [ ] Merge PR.
-- [ ] Publish GitHub release using `master` with correct version number.
-- [ ] `$ npm publish` has been run.
-- [ ] Create draft GitHub release to prepare next release.
-
-Note: If merges to `master` occur after submitting this PR and before running `$ npm pubish` you should be able to
-
-1. pull from `upstream/master` (`git pull upstream master`) into the branch holding this version,
-2. run `$ npm run build` to regenerate the `min` file, and
-3. commit and push the updated changes.
-
-## Committer
-
-In most cases, this should be someone different than the publisher.
-
-- [ ] Version in `package.json` has been updated (see [PUBLISHING.md](https://github.com/markedjs/marked/blob/master/docs/PUBLISHING.md)).
-- [ ] The `marked.min.js` has been updated; or,
-- [ ] release does not change library.
-- [ ] CI is green (no forced merge required).

.github/dependabot.yml

@@ -0,0 +1,10 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,71 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+name: "CodeQL"
+
+on:
+  push:
+    branches: [master]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [master]
+  schedule:
+    - cron: '0 9 * * 3'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+
+    strategy:
+      fail-fast: false
+      matrix:
+        # Override automatic language detection by changing the below list
+        # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+        language: ['javascript']
+        # Learn more...
+        # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+      with:
+        # We must fetch at least the immediate parents so that if this is
+        # a pull request then we can checkout the head.
+        fetch-depth: 2
+
+    # If this run was triggered by a pull request event, then checkout
+    # the head of the pull request instead of the merge commit.
+    - run: git checkout HEAD^2
+      if: ${{ github.event_name == 'pull_request' }}
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v1
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v1
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v1

.github/workflows/tests.yml

@@ -37,9 +37,11 @@ jobs:
       - name: Lint ✨
         run: npm run test:lint
 
-  Build:
+  Release:
     needs: [Test, Lint]
-    if: github.ref == 'refs/heads/master'
+    if: |
+      github.ref == 'refs/heads/master' &&
+      github.event.repository.fork == false
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
@@ -47,16 +49,18 @@ jobs:
       - name: Install Dependencies
         run: npm ci
       - name: Build 🗜️
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           npm run build
           if ! git diff --quiet; then
             git config --global user.email "<>"
             git config --global user.name "MarkedJS bot"
             git commit -am "🗜️ build [skip ci]"
-            git push "https://${GITHUB_ACTOR}:${GITHUB_TOKEN}@github.com/markedjs/marked.git" HEAD:master
           fi
+      - name: Release 🎉
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npx semantic-release
 
   Skip:
     if: contains(github.event.head_commit.message, '[skip ci]')

docs/PUBLISHING.md

@@ -1,13 +1,10 @@
 # Releasing Marked
 
-- [ ] See [contributing](/contributing)
-- [ ] Create release branch from `master` (`release-x.y.z`)
-- [ ] Submit PR with minimal name: Release x.y.z
-- [ ] Complete PR checklists
+Marked uses [semantic-release](https://github.com/semantic-release/semantic-release) to release new versions. All PRs should use the "Squash and merge" strategy and the commit message should follow the [conventional commit guidelines](https://www.conventionalcommits.org/).
 
 ## Overall strategy
 
-**Master is always shippable:** We try to merge PRs in such a way that `master` is the only branch to really be concerned about *and* `master` can always be released. This allows smoother flow between new features, bug fixes, and so on. (Almost a continuous deployment setup, without automation.)
+**Master is always shippable:** We try to merge PRs in such a way that `master` is the only branch to really be concerned about *and* `master` can always be released. This allows smoother flow between new features, bug fixes, and so on.
 
 ## Versioning
 

package.json

@@ -31,29 +31,35 @@
     "html"
   ],
   "devDependencies": {
-    "@babel/core": "^7.10.4",
-    "@babel/preset-env": "^7.10.4",
-    "@markedjs/html-differ": "^3.0.2",
+    "@babel/core": "^7.11.6",
+    "@babel/preset-env": "^7.11.5",
+    "@markedjs/html-differ": "^3.0.3",
+    "@semantic-release/commit-analyzer": "^8.0.1",
+    "@semantic-release/git": "^9.0.0",
+    "@semantic-release/github": "^7.1.1",
+    "@semantic-release/npm": "^7.0.6",
+    "@semantic-release/release-notes-generator": "^9.0.1",
     "cheerio": "^1.0.0-rc.3",
-    "commonmark": "0.29.1",
-    "eslint": "^7.4.0",
+    "commonmark": "0.29.2",
+    "eslint": "^7.10.0",
     "eslint-config-standard": "^14.1.1",
-    "eslint-plugin-import": "^2.22.0",
+    "eslint-plugin-import": "^2.22.1",
     "eslint-plugin-node": "^11.1.0",
     "eslint-plugin-promise": "^4.2.1",
     "eslint-plugin-standard": "^4.0.1",
     "front-matter": "^4.0.2",
-    "highlight.js": "^10.1.2",
-    "jasmine": "^3.5.0",
+    "highlight.js": "^10.2.0",
+    "jasmine": "^3.6.1",
     "markdown": "0.5.x",
-    "markdown-it": "11.x",
-    "node-fetch": "^2.6.0",
-    "rollup": "^2.21.0",
+    "markdown-it": "11.0.1",
+    "node-fetch": "^2.6.1",
+    "rollup": "^2.28.2",
     "rollup-plugin-babel": "^4.4.0",
     "rollup-plugin-commonjs": "^10.1.0",
-    "rollup-plugin-license": "^2.1.0",
+    "rollup-plugin-license": "^2.2.0",
+    "semantic-release": "^17.1.2",
     "titleize": "^2.1.0",
-    "uglify-js": "^3.10.0",
+    "uglify-js": "^3.11.0",
     "vuln-regex-detector": "^1.3.0"
   },
   "scripts": {

release.config.js

@@ -0,0 +1,9 @@
+module.exports = {
+  plugins: [
+    '@semantic-release/commit-analyzer',
+    '@semantic-release/release-notes-generator',
+    '@semantic-release/npm',
+    '@semantic-release/github',
+    '@semantic-release/git'
+  ]
+};