Add npm trusted publishing release workflow#62
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThe CI workflow adds push-to-main triggers, read-only permissions, and a multi-version Node matrix with upgraded checkout/setup-node actions. A new tag-triggered release workflow validates version consistency and publishes to npm. package.json gains repository metadata. ChangesCI and release automation
Estimated code review effort: 2 (Simple) | ~10 minutes Sequence Diagram(s)sequenceDiagram
participant Maintainer
participant GitHubActions
participant GitRepo
participant npmRegistry
Maintainer->>GitRepo: push tag v*
GitRepo->>GitHubActions: trigger release workflow
GitHubActions->>GitRepo: checkout and verify tag ancestry on main
GitHubActions->>GitHubActions: verify tag version matches package.json
GitHubActions->>GitHubActions: install, typecheck, test, build
GitHubActions->>npmRegistry: npm publish
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release.yml:
- Around line 23-26: The Checkout step in the release workflow is leaving
credentials persisted, which exposes the job’s token to dependency code. Update
the actions/checkout usage in the release job to explicitly disable credential
persistence, keeping the existing fetch-depth behavior intact. Use the Checkout
step in the release workflow as the place to apply the fix.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro Plus
Run ID: afc0520a-d38b-467a-9a57-39d3330173b9
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (4)
.github/workflows/ci.yml.github/workflows/release.ymlREADME.mdpackage.json
Summary
Verification
Summary by CodeRabbit