Add npm Trusted Publisher workflow and update documentation (#249)

* Add npm Trusted Publisher workflow and update documentation

* Add CODEOWNERS file requiring Maintainers team review

* Add Dependabot config and Security policy

- Configure Dependabot for automated dependency updates
- Add security policy for vulnerability reporting
- Update README with Security & Maintenance documentation
- Fix publish workflow to use master branch only

Author: marksaas

.github/CODEOWNERS

@@ -0,0 +1,3 @@
+# Global code owners
+# All files in the repository require review from the Maintainers team
+* @prerender/maintainers

.github/dependabot.yml

@@ -0,0 +1,48 @@
+version: 2
+updates:
+  # Enable version updates for npm
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 10
+    reviewers:
+      - "@prerender/maintainers"
+    commit-message:
+      prefix: "deps"
+      include: "scope"
+
+  # Enable version updates for Express 3 test app
+  - package-ecosystem: "npm"
+    directory: "/test/support/express3"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "@prerender/maintainers"
+    commit-message:
+      prefix: "deps(express3-test)"
+
+  # Enable version updates for Express 4 test app  
+  - package-ecosystem: "npm"
+    directory: "/test/support/express4"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+    open-pull-requests-limit: 5
+    reviewers:
+      - "@prerender/maintainers"
+    commit-message:
+      prefix: "deps(express4-test)"
+
+  # Enable version updates for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+    reviewers:
+      - "@prerender/maintainers"
+    commit-message:
+      prefix: "ci"

.github/workflows/publish.yml

@@ -0,0 +1,94 @@
+name: Publish to npm
+
+on:
+  push:
+    branches:
+      - master
+  workflow_dispatch:
+
+concurrency:
+  group: npm-publish
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    environment: npm-publish
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '18'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Setup test dependencies
+        run: |
+          cd test/support/express3 && npm install
+          cd ../express4 && npm install
+
+      - name: Run tests
+        run: npm test
+
+      - name: Get current version
+        id: current-version
+        run: echo "version=$(node -p "require('./package.json').version")" >> $GITHUB_OUTPUT
+
+      - name: Get published version
+        id: published-version
+        run: |
+          PUBLISHED_VERSION=$(npm view prerender-node version 2>/dev/null || echo "0.0.0")
+          echo "version=$PUBLISHED_VERSION" >> $GITHUB_OUTPUT
+
+      - name: Compare versions
+        id: version-check
+        run: |
+          CURRENT="${{ steps.current-version.outputs.version }}"
+          PUBLISHED="${{ steps.published-version.outputs.version }}"
+          
+          echo "Current version: $CURRENT"
+          echo "Published version: $PUBLISHED"
+          
+        
+          SHOULD_PUBLISH=$(node -e "
+            const current = '$CURRENT'.split('.').map(Number);
+            const published = '$PUBLISHED'.split('.').map(Number);
+            
+            for (let i = 0; i < 3; i++) {
+              if (current[i] > published[i]) {
+                console.log('true');
+                process.exit(0);
+              }
+              if (current[i] < published[i]) {
+                console.log('false');
+                process.exit(0);
+              }
+            }
+            console.log('false');
+          ")
+          
+          echo "should-publish=$SHOULD_PUBLISH" >> $GITHUB_OUTPUT
+          echo "Should publish: $SHOULD_PUBLISH"
+
+      - name: Publish to npm
+        if: steps.version-check.outputs.should-publish == 'true'
+        run: npm publish --access public --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
+      - name: Output result
+        run: |
+          if [ "${{ steps.version-check.outputs.should-publish }}" == "true" ]; then
+            echo "Published version ${{ steps.current-version.outputs.version }} to npm"
+          else
+            echo "⏭Version ${{ steps.current-version.outputs.version }} already exists-not publishing"
+          fi

.gitignore

@@ -1,2 +1,3 @@
 node_modules
-.DS_Store
+.DS_Store
+WARP.md

README.md

@@ -183,6 +183,67 @@ As an alternative, you can pass `prerenderServiceUrl` in the options object duri
 app.use(require('prerender-node').set('prerenderServiceUrl', '<new url>'));
 ```
 
+## Publishing
+
+This package uses npm Trusted Publisher with GitHub Actions for secure, automated publishing.
+
+### Setup
+
+1. **npm Trusted Publisher**: Configured with OpenID Connect (OIDC) for secure publishing without storing npm tokens
+   - Publisher: GitHub Actions
+   - Organization: prerender
+   - Repository: prerender-node
+   - Workflow: `publish.yml`
+   - Environment: `npm-publish`
+
+2. **GitHub Environment**: The `npm-publish` environment is configured with required reviewers for additional security
+
+### Publishing Process
+
+**Automatic Publishing**: The workflow automatically publishes to npm when:
+- Code is pushed to `main` or `master` branch
+- The version in `package.json` is higher than the current published version
+- All tests pass
+
+**Manual Publishing**: Trigger via GitHub Actions "Run workflow" button
+
+### Workflow Steps
+
+1. **Setup**: Checkout code, install Node.js and dependencies
+2. **Test**: Run full test suite including Express 3/4 integration tests
+3. **Version Check**: Compare `package.json` version with npm registry
+4. **Publish**: If version is higher, publish with `--provenance` flag for supply chain security
+
+To publish a new version:
+1. Update version in `package.json` using `npm version [major|minor|patch]`
+2. Push to master branch
+3. GitHub Actions will automatically publish if tests pass
+
+## Security & Maintenance
+
+### Automated Dependency Updates
+This repository uses **Dependabot** to automatically create pull requests for:
+- Security vulnerability fixes
+- Dependency updates for the main package
+- Test dependencies for Express 3 and Express 4 integration tests
+- GitHub Actions workflow updates
+
+Dependabot runs weekly and creates PRs with conventional commit messages:
+- `deps: update package-name from x.x.x to y.y.y` - Main dependencies
+- `deps(express3-test): update package-name` - Express 3 test app dependencies
+- `deps(express4-test): update package-name` - Express 4 test app dependencies  
+- `ci: update actions/checkout from v4 to v5` - GitHub Actions updates
+
+### Express Version Support
+This middleware is tested against **Express 3 and Express 4** to ensure compatibility:
+- `test/support/express3/` - Express 3.x integration tests
+- `test/support/express4/` - Express 4.x integration tests
+
+Both test apps have separate `package.json` files with their respective Express versions to verify the middleware works correctly across different Express major versions.
+
+### Security Policy
+For security vulnerabilities, please see our [Security Policy](SECURITY.md). Do not report security issues through public GitHub issues.
+
 ## Contributing
 
 We love any contributions! Feel free to create issues, pull requests, or middleware for other languages/frameworks!

SECURITY.md

@@ -0,0 +1,56 @@
+# Security Policy
+
+## Supported Versions
+
+We actively support the following versions of prerender-node with security updates:
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 3.8.x   | :white_check_mark: |
+| 3.7.x   | :white_check_mark: |
+| < 3.7   | :x:                |
+
+## Reporting a Vulnerability
+
+We take security vulnerabilities seriously. If you discover a security vulnerability in prerender-node, please report it privately.
+
+### How to Report
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report vulnerabilities by:
+
+1. **Email**: Send details to [security@prerender.io](mailto:security@prerender.io)
+2. **GitHub Security**: Use GitHub's private vulnerability reporting feature
+
+### What to Include
+
+Please include the following information in your report:
+
+- Description of the vulnerability
+- Steps to reproduce the issue
+- Affected versions
+- Potential impact
+- Any suggested fixes (if available)
+
+### Response Timeline
+
+- **Initial Response**: We aim to acknowledge receipt within 24-48 hours
+- **Status Update**: We will provide regular updates on our investigation
+- **Resolution**: We will work to resolve confirmed vulnerabilities as quickly as possible
+
+### Responsible Disclosure
+
+We kindly ask that you:
+- Give us reasonable time to investigate and fix the vulnerability
+- Do not publicly disclose the vulnerability until we have released a fix
+- Do not exploit the vulnerability or access data beyond what is necessary to demonstrate the issue
+
+## Security Updates
+
+Security updates are released as patch versions and announced through:
+- GitHub releases
+- npm advisory database
+- Security advisories on this repository
+
+Thank you for helping keep prerender-node secure!