fix: Use ubuntu-latest for dependabot workflow security (#741) #539

	name: Release

	on:
	push:
	branches: [main]

	jobs:
	release:
	name: Release
	runs-on: ubuntu-latest
	permissions:
	contents: write
	id-token: write
	steps:
	- name: Check out Git repository
	uses: actions/checkout@v6
	with:
	fetch-depth: 0
	# Use custom token from repo secrets to allow semantic release to push commit:
	# https://github.com/semantic-release/semantic-release/blob/master/docs/recipes/github-actions.md#pushing-packagejson-changes-to-a-master-branch
	persist-credentials: false
	token: ${{ secrets.GH_TOKEN }}

	- name: Set up Node.js
	uses: actions/setup-node@v6
	with:
	node-version: 24

	- name: Get yarn cache
	uses: actions/cache@v5
	id: yarn-cache
	with:
	path: \|
	**/node_modules
	~/.cache
	key: ${{ runner.os }}-node-24-yarn-${{ hashFiles('/yarn.lock') }}-${{ hashFiles('.github/workflows/.yml') }}

	- name: Install Node.js dependencies
	if: steps.yarn-cache.outputs.cache-hit != 'true'
	run: yarn install --frozen-lockfile

	- run: yarn lerna bootstrap
	- run: yarn build
	env:
	NODE_ENV: 'production'
	# Configure .npmrc with auth token for GitHub Packages
	- run: rm ./.npmrc
	- run: \|
	cat > .npmrc << EOF
	//npm.pkg.github.com/:_authToken=${GH_TOKEN}
	EOF
	env:
	GH_TOKEN: ${{ secrets.GH_TOKEN }}

	- run: yarn release
	env:
	GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
	SEGMENT_WRITE_KEY: ${{ secrets.DEPLOYMENT_SEGMENT_WRITE_KEY }}

	- uses: 8398a7/action-slack@v3
	if: failure()
	with:
	status: ${{ job.status }}
	fields: repo,message,commit,author,action
	env:
	SLACK_WEBHOOK_URL: ${{ secrets.ACTION_MONITORING_SLACK }}

Provide feedback