Correct token docs, make test procedure reusable

Benefits with reusing this test flow:

1. One source of truth for test procedures.
2. One place to update whenever Node updates.
3. Fewer decisions to make on tests.
   https://www.scientificamerican.com/article/tough-choices-how-making/
4. In the future, it'll become easier to add new test platforms like
   Cloudflare Workers org-wide, as I'd only be doing it once.

.github/workflows/run-tests.yml

@@ -0,0 +1,63 @@
+name: Run tests
+
+on:
+  workflow_call:
+    inputs:
+      all-platforms:
+        type: boolean
+      all-versions:
+        type: boolean
+      test-node:
+        type: boolean
+        default: true
+      test-deno:
+        type: boolean
+        default: false
+
+jobs:
+  lint-build:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version: 20
+    - run: npm ci
+    - run: npm run lint
+    - run: npm run build
+
+  test-node:
+    if: ${{ inputs.test-node }}
+    needs: lint-build
+    strategy:
+      matrix:
+        # See release schedule at https://nodejs.org/en/about/releases/
+        # Only LTS releases will be tested on.
+        version: ${{ fromJson(inputs.all-versions && '[18,20,22,"current"]' || '[20]') }}
+        image: ${{ fromJson((inputs.all-platforms) && '["ubuntu-latest","windows-latest","macos-latest"]' || '["ubuntu-latest"]') }}
+    runs-on: ${{ matrix.image }}
+    continue-on-error: ${{ matrix.version == 'current' }}
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-node@v4
+      with:
+        node-version: ${{ matrix.version }}
+    - run: npm ci-test
+
+  test-deno:
+    needs: lint-build
+    if: ${{ inputs.test-deno }}
+    strategy:
+      matrix:
+        # See release schedule at https://docs.deno.com/runtime/fundamentals/stability_and_releases/
+        # Only LTS releases will be tested on.
+        version: ${{ fromJson(inputs.all-versions && '["v1.x.x","vx.x.x"]' || '["v1.x.x"]') }}
+        image: ${{ fromJson(inputs.all-platforms && '["ubuntu-latest","windows-latest","macos-latest"]' || '["ubuntu-latest"]') }}
+    runs-on: ${{ matrix.image }}
+    continue-on-error: ${{ matrix.version == 'vx.x.x' }}
+    steps:
+    - uses: actions/checkout@v4
+    - uses: denoland/setup-deno@v1
+      with:
+        deno-version: ${{ matrix.version }}
+    - run: deno task test

.github/workflows/test.yml

@@ -1,20 +1,12 @@
 on:
   pull_request:
-    types:
-    - opened
-    - synchronize
+    types: [opened, synchronize]
+    branches: [main]
   push:
-    branches:
-    - main
-
+    branches: [main]
+permissions:
+  actions: write
+  contents: read
 jobs:
   test:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-node@v4
-      with:
-        node-version: 20
-    - run: npm ci
-    - run: npx eslint .
-    - run: npm test
+    uses: ./.github/workflows/run-tests.yml

README.md

@@ -7,6 +7,7 @@ This handles all deploy processes and centralizes all the permissions. It also i
 > Admins should consult [the runbook](./RUNBOOK.md) as well.
 
 - [Deploy](#deploy)
+- [Define tests](#define-tests)
 - [Block a PR with a comment](#block-a-pr-with-a-comment)
 - [Notify triage](#notify-triage)
 - [License](#license)
@@ -33,6 +34,102 @@ It's a multi-step process.
      root_dir: ${{ github.workspace }}/path/to/package
    ```
 
+## Define tests
+
+Tests are extremely easy to set up. First, ensure you have `build`, `lint`, and `test` scripts in your `package.json`. Then, you can just do this, which runs `npm run lint`, `npm run build`, and `npm test`.
+
+```yml
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches: [main]
+  push:
+    branches: [main]
+permissions:
+  actions: write
+  contents: read
+jobs:
+  test:
+    uses: MithrilJS/infra/.github/workflows/run-tests.yml
+```
+
+If you want to test on Deno, you can add `test-deno: true`. You should also add a `deno.json` to your project with a `test` task. Note that building and linting will still use Node.
+
+```yml
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches: [main]
+  push:
+    branches: [main]
+permissions:
+  actions: write
+  contents: read
+jobs:
+  test:
+    uses: MithrilJS/infra/.github/workflows/run-tests.yml
+    with:
+      test-deno: true
+```
+
+If you want to skip tests on Node, you can add `test-node: false`. This is useful in a strictly non-Node project.
+
+```yml
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches: [main]
+  push:
+    branches: [main]
+permissions:
+  actions: write
+  contents: read
+jobs:
+  test:
+    uses: MithrilJS/infra/.github/workflows/run-tests.yml
+    with:
+      test-node: false
+      test-deno: true
+```
+
+If you want to run across all OS platforms, you can add `all-platforms: true`.
+
+```yml
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches: [main]
+  push:
+    branches: [main]
+permissions:
+  actions: write
+  contents: read
+jobs:
+  test:
+    uses: MithrilJS/infra/.github/workflows/run-tests.yml
+    with:
+      all-platforms: true
+```
+
+If you want to run across all runtime versions, you can add `all-versions: true`. This can be combined with `all-platforms: true`.
+
+```yml
+on:
+  pull_request:
+    types: [opened, synchronize]
+    branches: [main]
+  push:
+    branches: [main]
+permissions:
+  actions: write
+  contents: read
+jobs:
+  test:
+    uses: MithrilJS/infra/.github/workflows/run-tests.yml
+    with:
+      all-versions: true
+```
+
 ## Block a PR with a comment
 
 Usage is pretty simple. Suppose development is occurring on `main` and the PR is to the special branch `release`. You can use this workflow to handle it easily.

RUNBOOK.md

@@ -1,68 +1,29 @@
 # Admin Runbook
 
-- [Create a new deployment token](#create-a-new-deployment-token)
-- [Update an existing deployment token](#update-an-existing-deployment-token)
+- [Create a new issue/PR/projects token](#create-a-new-issueprprojects-token)
 - [Create a new npm token](#create-a-new-npm-token)
 
-## Create a new deployment token
+## Create a new issue/PR/projects token
 
-This is for a given repository `$REPO`, like `MithrilJS/mithril.js`, and package name `$NAME`, like `mithril.js`.
+This is used for commenting on issues and PRs and adding them to projects.
 
 1. Create a new [fine-grained personal access token](https://github.com/settings/personal-access-tokens/new).
-2. For the name, use `$REPO deploy request`. Feel free to shorten the repo name if needed - it's just important that you're able to find it.
+2. For the name, use `MithrilJS projects and comment token`
 3. Set the expiration to 1 year from now. This is the longest the selector will let you choose.
-4. For the description, it's up to you.
-5. Set the resource owner to `@MithrilJS`.
-6. In repository access, click "Only select repositories", open the "Select repositories" dropdown, and search and add `MithrilJS/infra` as the sole repository.
-7. In "Permissions", set Repository Permissions > Deployments to "Read and write"
-   > Unfortunately, this isn't as secure as it could be: https://github.com/orgs/community/discussions/138551, https://github.com/MithrilJS/infra/issues/1
-8. Go to the bottom of the page and click "Generate token".
-9.  Copy the resulting token.
-10. Go to the target repo's settings, find "Secrets and variables", click the navigation dropdown, and click "Actions".
-8. Click "New repository secret".
-9. Set the name to `DEPLOY_TOKEN`. If it's not the only deployment token, feel free to pick another name.
-10. Paste the copied token into the "Secret" field.
-11. Click "Add secret".
-12. Come back to this repo, and in the relevant project object of `projects` in `lib/config.js`, add a `$NAME` property set to an object with the following properties:
-    - `location`: `$REPO`.
-    - `tokenExpiryDate`: the expiry date for the newly created token.
-    - `tokenName`: the token needed to perform the deployment.
-
-## Update an existing deployment token
-
-This is for a given repository `$REPO`, like `MithrilJS/mithril.js`, and package name `$NAME`, like `mithril.js`.
-
-If the token is yours:
-
-1. [Go to your developer settings](https://github.com/settings/apps), click the "Personal access tokens" navigation dropdown, and click "Fine-grained tokens".
-2. Find the token those name is `$REPO deploy request` and click its linked title.
-3. Find the "Regenerate token" button and click it.
-4. Set the expiration to 1 year from now. This is the longest the selector will let you choose.
-5. Click "Regenerate token".
-6. Copy the resulting token.
-7. Go to the target repo's settings, find "Secrets and variables", click the navigation dropdown, and click "Actions".
-8. In "Repository secrets", find `GH_PAGES_TOKEN` and click its edit icon.
-9. Paste the copied token into the "Secret" field.
-10. Click "Add secret".
-11. Come back to this repo, find the `$NAME` property in the relevant project object of `projects` in `lib/config.js`, and update its `tokenExpiryDate` to match the new expiry date for the token you're updating.
-
-If the token is not yours:
-
-1. Create a new [fine-grained personal access token](https://github.com/settings/personal-access-tokens/new).
-2. For the name, use `$REPO deploy request`. Feel free to shorten the repo name if needed - it's just important that you're able to find it.
-3. Set the expiration to 1 year from now. This is the longest the selector will let you choose.
-4. For the description, it's up to you.
-5. Set the resource owner to `@MithrilJS`.
-6. In repository access, click "Only select repositories", open the "Select repositories" dropdown, and search and add `MithrilJS/infra` as the sole repository.
-7. In "Permissions", set Repository Permissions > Deployments to "Read and write"
-   > Unfortunately, this isn't as secure as it could be: https://github.com/orgs/community/discussions/138551, https://github.com/MithrilJS/infra/issues/1
-8. Go to the bottom of the page and click "Generate token".
-9.  Copy the resulting token.
-10. Go to the target repo's settings, find "Secrets and variables", click the navigation dropdown, and click "Actions".
-11. In "Repository secrets", find `GH_PAGES_TOKEN` and click its edit icon.
-12. Paste the copied token into the "Secret" field.
-13. Click "Add secret".
-14. Come back to this repo, find the `$NAME` property in the relevant project object of `projects` in `lib/config.js`, and update its `tokenExpiryDate` to match the new expiry date for the token you're updating.
+4. Set the resource owner to `@MithrilJS`.
+5. In repository access, click "All repositories".
+6. In "Permissions", set:
+   - Repository Permissions > Issues to "Read and write"
+   - Repository Permissions > Pull requests to "Read and write"
+   - Organization Permissions > Projects to "Read and write"
+   > I wish these could be narrowed...
+7. Go to the bottom of the page and click "Generate token".
+8. Copy the resulting token.
+9. Go to the target repo's settings, find "Secrets and variables", click the navigation dropdown, and click "Actions".
+10. In "Repository secrets", find `ISSUE_PR_PROJECTS_TOKEN` and click its edit icon.
+11. Paste the copied token into the "Secret" field.
+12. Click "Add secret".
+13. Come back to this repo, find the `$NAME` property in the relevant project object of `projects` in `lib/config.js`, and update its `tokenExpiryDate` to match the new expiry date for the token you're updating.
 
 ## Create a new npm token
 

lib/config.js

@@ -34,7 +34,7 @@ export const projects = {
 export const localTokenExpiryDates = {
     INFRA_TEST_TOKEN: 8640000000000000, // max date
     NPM_TOKEN: d(2025, 9, 13),
-    PROJECTS_TOKEN: d(2025, 9, 24),
+    ISSUE_PR_PROJECTS_TOKEN: d(2025, 9, 24),
 }
 
 /**

package.json

@@ -3,6 +3,8 @@
   "private": true,
   "type": "module",
   "scripts": {
+    "build": "rollup -c",
+    "lint": "eslint . --cache",
     "test": "node ./test/index.js"
   },
   "dependencies": {