Migrate package manager from Yarn to Bun

.github/workflows/install-and-deploy.yml

@@ -25,51 +25,64 @@ on:
         type: boolean
 
 jobs:
-  install:
+  install-build-and-test:
     runs-on: ubuntu-latest
 
     steps:
-      - name: checkout
-        uses: actions/checkout@v4
+      # Pinning to a specific commit hash for security reasons.
+      # This hash corresponds to version 4.3.0 of the actions/checkout action.
+      # To update, find the desired commit hash from the releases page:
+      # https://github.com/actions/checkout/releases
+      - name: Checkout
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
 
-      - name: node.js
-        uses: actions/setup-node@v4
+      # Pinning to a specific commit hash for security reasons.
+      # This hash corresponds to version 4.0.0 of the actions/setup-node action.
+      # To update, find the desired commit hash from the releases page:
+      # https://github.com/actions/setup-node/releases
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: ${{ inputs.node-version }}
           registry-url: https://registry.npmjs.org/
 
-      - name: cache node modules
+      # Using a pinned commit hash for security reasons, as recommended by GitHub Advanced Security.
+      # This hash corresponds to version 2.0.2 of the oven-sh/setup-bun action.
+      # To update, find the desired commit hash from the releases page:
+      # https://github.com/oven-sh/setup-bun/releases
+      - name: Install Bun
+        uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76
+
+      # Pinning to a specific commit hash for security reasons.
+      # This hash corresponds to version 3.4.3 of the actions/cache action.
+      # To update, find the desired commit hash from the releases page:
+      # https://github.com/actions/cache/releases
+      - name: Cache node_modules
         if: ${{ inputs.cache == true }}
-        uses: actions/cache@v3
-        env:
-          cache-name: cache-node-modules
+        uses: actions/cache@2f8e54208210a422b2efd51efaa6bd6d7ca8920f
         with:
-          # npm cache files are stored in `~/.npm` on Linux/macOS
-          path: ~/.npm
-          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/package-lock.json') }}
+          path: ~/.bun/install/cache
+          key: ${{ runner.os }}-bun-${{ hashFiles('''**/bun.lockb''') }}
           restore-keys: |
-            ${{ runner.os }}-build-${{ env.cache-name }}-
-            ${{ runner.os }}-build-
-            ${{ runner.os }}-
+            ${{ runner.os }}-bun-
 
-      - name: install dependencies
-        run: yarn
+      - name: Install dependencies
+        run: bun install
         working-directory: ${{ inputs.package }}
 
       # Validate the common package, only for Mercury.
       # Commented as this doesn't work at the moment
       # - name: validate (common package)
       #   if: ${{ inputs.common-tests == true }}
-      #   run: yarn test.common.ci
+      #   run: bun test.common.ci
 
-      - name: validate
-        run: yarn validate.ci
+      - name: Run tests
+        run: bun validate.ci
         working-directory: ${{ inputs.package }}
 
-      - name: publish
+      - name: Publish
         if: ${{ inputs.publish == true }}
         run: npm publish --access=public
         env:
           NODE_AUTH_TOKEN: ${{secrets.npm_token}}
         working-directory: ${{ inputs.package }}
-

.github/workflows/node.js.yml

@@ -1,4 +1,6 @@
 name: CI
+permissions:
+  contents: read
 
 on:
   push:
@@ -7,26 +9,26 @@ on:
     branches: [main]
 
 jobs:
-  install-unanimo:
-    uses: genexuslabs/design-systems/.github/workflows/install-and-deploy.yml@main
+  unanimo:
+    uses: ./.github/workflows/install-and-deploy.yml
     with:
       node-version: "20.x"
       cache: true
       common-tests: false
       publish: false
       package: "packages/unanimo"
 
-  install-mercury:
-    uses: genexuslabs/design-systems/.github/workflows/install-and-deploy.yml@main
+  mercury:
+    uses: ./.github/workflows/install-and-deploy.yml
     with:
       node-version: "20.x"
       cache: true
       common-tests: false
       publish: false
       package: "packages/mercury"
 
-  install-svg-sass-generator:
-    uses: genexuslabs/design-systems/.github/workflows/install-and-deploy.yml@main
+  svg-sass-generator:
+    uses: ./.github/workflows/install-and-deploy.yml
     with:
       node-version: "20.x"
       cache: true

.github/workflows/npmpublish.yml

@@ -13,8 +13,12 @@ jobs:
       mercury-changed: ${{ steps.check-mercury.outputs.version-changed }}
       svg-sass-generator-changed: ${{ steps.check-svg-sass-generator.outputs.version-changed }}
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v3
+      # Pinning to a specific commit hash for security reasons.
+      # This hash corresponds to version 4.3.0 of the actions/checkout action.
+      # To update, find the desired commit hash from the releases page:
+      # https://github.com/actions/checkout/releases
+      - name: Checkout
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955
 
       - name: Get the latest Unanimo version
         id: get-latest-unanimo-version
@@ -82,7 +86,7 @@ jobs:
   publish-unanimo:
     needs: check-version
     if: needs.check-version.outputs.unanimo-changed == 'true'
-    uses: genexuslabs/design-systems/.github/workflows/install-and-deploy.yml@main
+    uses: ./.github/workflows/install-and-deploy.yml
     with:
       node-version: "20.x"
       cache: false
@@ -94,7 +98,7 @@ jobs:
   publish-mercury:
     needs: check-version
     if: needs.check-version.outputs.mercury-changed == 'true'
-    uses: genexuslabs/design-systems/.github/workflows/install-and-deploy.yml@main
+    uses: ./.github/workflows/install-and-deploy.yml
     with:
       node-version: "20.x"
       cache: false
@@ -106,7 +110,7 @@ jobs:
   publish-svg-sass-generator:
     needs: check-version
     if: needs.check-version.outputs.svg-sass-generator-changed == 'true'
-    uses: genexuslabs/design-systems/.github/workflows/install-and-deploy.yml@main
+    uses: ./.github/workflows/install-and-deploy.yml
     with:
       node-version: "20.x"
       cache: false

.gitignore

@@ -86,3 +86,8 @@ $RECYCLE.BIN/
 Thumbs.db
 UserInterfaceState.xcuserstate
 packages/mercury/showcase/icons/index.html
+
+# Only bun lock files must be tracked
+yarn.lock
+pnpm-lock.yaml
+package-lock.json