Skip to content

Add npm trusted publishing release workflow#62

Open
Waishnav wants to merge 3 commits into
mainfrom
chore/npm-trusted-publishing
Open

Add npm trusted publishing release workflow#62
Waishnav wants to merge 3 commits into
mainfrom
chore/npm-trusted-publishing

Conversation

@Waishnav

@Waishnav Waishnav commented Jul 5, 2026

Copy link
Copy Markdown
Owner

Summary

  • add tag-driven npm release workflow using GitHub Actions OIDC trusted publishing
  • tighten CI permissions and test Node 24 plus the package minimum Node 22.19.0
  • document npm trusted publisher setup and release commands
  • add repository metadata to package manifests

Verification

  • npm ci
  • npm run typecheck
  • npm test
  • npm run build
  • npm pack --dry-run
  • node dist/cli.js doctor
  • git diff --check

Summary by CodeRabbit

  • Chores
    • Improved CI coverage and reliability with broader test runs and updated tooling.
    • Added automated release checks and publishing steps to help ensure versioned releases are consistent and verified.
    • Included repository metadata in package information for better project identification and publishing support.

@coderabbitai

coderabbitai Bot commented Jul 5, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: b22206de-b463-498b-be9b-a34583794d57

📥 Commits

Reviewing files that changed from the base of the PR and between e4c8c47 and e1428b1.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/release.yml

📝 Walkthrough

Walkthrough

The CI workflow adds push-to-main triggers, read-only permissions, and a multi-version Node matrix with upgraded checkout/setup-node actions. A new tag-triggered release workflow validates version consistency and publishes to npm. package.json gains repository metadata.

Changes

CI and release automation

Layer / File(s) Summary
CI workflow trigger, permissions, and Node matrix
.github/workflows/ci.yml
Adds push trigger to main, read-only permissions, expands smoke job's matrix to Node versions 24 and 22.19.0, and upgrades checkout/setup-node actions to v6 using matrix-driven Node version.
Release workflow and publish pipeline
.github/workflows/release.yml, package.json
Adds a tag-triggered (v*) release workflow scoped to the target repository that checks out full history, verifies tag ancestry on main and version match against package.json, then installs, typechecks, tests, builds, and publishes to npm; package.json gains repository metadata.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Maintainer
  participant GitHubActions
  participant GitRepo
  participant npmRegistry

  Maintainer->>GitRepo: push tag v*
  GitRepo->>GitHubActions: trigger release workflow
  GitHubActions->>GitRepo: checkout and verify tag ancestry on main
  GitHubActions->>GitHubActions: verify tag version matches package.json
  GitHubActions->>GitHubActions: install, typecheck, test, build
  GitHubActions->>npmRegistry: npm publish
Loading

Poem

A rabbit hops through YAML fields so bright,
Tags and matrices, all set just right 🐇
Checkout, setup, publish with a cheer,
npm gleams as the release draws near,
Thump thump — ship it, no need to fear! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding an npm trusted publishing release workflow.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/npm-trusted-publishing

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release.yml:
- Around line 23-26: The Checkout step in the release workflow is leaving
credentials persisted, which exposes the job’s token to dependency code. Update
the actions/checkout usage in the release job to explicitly disable credential
persistence, keeping the existing fetch-depth behavior intact. Use the Checkout
step in the release workflow as the place to apply the fix.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: afc0520a-d38b-467a-9a57-39d3330173b9

📥 Commits

Reviewing files that changed from the base of the PR and between f6da9a7 and e4c8c47.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • README.md
  • package.json

Comment thread .github/workflows/release.yml
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant