Skip to content

chore: update publish workflow to support npm OIDC#559

Merged
rolznz merged 2 commits into
masterfrom
chore/oidc-npm-publish
May 15, 2026
Merged

chore: update publish workflow to support npm OIDC#559
rolznz merged 2 commits into
masterfrom
chore/oidc-npm-publish

Conversation

@rolznz
Copy link
Copy Markdown
Member

@rolznz rolznz commented May 15, 2026
edited by coderabbitai Bot
Loading

Summary by CodeRabbit

  • Chores
    • Updated Node.js version to 24 and upgraded build tooling dependencies.
    • Enhanced package publishing process with provenance verification for improved security and transparency.
    • Modified automated testing workflow configuration.

Review Change Stack

@coderabbitai
Copy link
Copy Markdown

coderabbitai Bot commented May 15, 2026
edited
Loading

Warning

Rate limit exceeded

@rolznz has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 54 minutes and 50 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 7d70acb2-3413-4e2e-b64a-72444234be56

📥 Commits

Reviewing files that changed from the base of the PR and between 625fadb and bbc23ee.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml
📝 Walkthrough

Walkthrough

The publish workflow is modernized to support OIDC-based package authentication. Node is upgraded from 20 to 24, actions/setup-node moves from v3 to v4, and the build job's test step is disabled. The publish step now uses provenance and public access flags with OIDC authentication instead of NODE_AUTH_TOKEN.

Changes

Publish Workflow Modernization

Layer / File(s) Summary
Build job configuration and OIDC permissions
.github/workflows/publish.yml		 Workflow-level permissions now grant id-token: write (OIDC) and contents: read. The build job upgrades actions/setup-node to v4, switches to Node 24, and comments out the yarn test step.
Publish-npm job configuration
.github/workflows/publish.yml		 The publish-npm job upgrades to actions/setup-node@v4 with Node 24, removes NODE_AUTH_TOKEN environment variable, and publishes with npm publish --provenance --access public.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 A workflow hops into the future bright,
With OIDC tokens and Node twenty-four in sight,
No more secrets hidden in the night,
Just provenance and public—the staging's right!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and specifically summarizes the main change: updating the publish workflow to support npm OIDC authentication.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/oidc-npm-publish

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai Bot reviewed May 15, 2026
View reviewed changes
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/publish.yml (1)

18-18: ⚡ Quick win

Bump actions/checkout@v3 to v4 while modernizing.

actionlint flags actions/checkout@v3 as too old to run on current GitHub Actions runners (it uses the deprecated Node 16 runtime). Since this PR is already modernizing setup-node and Node, it's a good opportunity to upgrade both checkout invocations as well.

🔧 Proposed fix 
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
   publish-npm:
     needs: build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4

Also applies to: 29-29

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml at line 18, The workflow uses an outdated
checkout action tag "uses: actions/checkout@v3" (present twice) which actionlint
flags; update both occurrences to "uses: actions/checkout@v4" to use the modern
runner/runtime, then run the linter/CI to ensure no other workflow compatibility
issues remain.
🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yml:
- Line 30: The publish-npm job still uses actions/setup-node@v3 while the build
job was bumped to actions/setup-node@v4; update the publish-npm job's setup step
(the actions/setup-node usage) to actions/setup-node@v4 so both jobs are
consistent and no longer rely on the deprecated v3/Node 16 runner.
- Line 23: The CI workflow currently has the tests step disabled (the commented
out line "#- run: yarn test"), which allows the build job — and thus the
dependent publish-npm job — to proceed without running tests; restore test
gating by uncommenting the "run: yarn test" step in the build job (or
move/replicate the test step into a required pre-release workflow that the
publish job depends on) so that the build job fails when tests fail and prevents
publish-npm from running.

---

Nitpick comments:
In @.github/workflows/publish.yml:
- Line 18: The workflow uses an outdated checkout action tag "uses:
actions/checkout@v3" (present twice) which actionlint flags; update both
occurrences to "uses: actions/checkout@v4" to use the modern runner/runtime,
then run the linter/CI to ensure no other workflow compatibility issues remain.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8e78003c-ef04-428d-9778-c5c359851912

📥 Commits

Reviewing files that changed from the base of the PR and between e4864e0 and 625fadb.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml

Comment thread .github/workflows/publish.yml Outdated
Comment thread .github/workflows/publish.yml Outdated
@rolznz rolznz merged commit 8e0cc61 into master May 15, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rolznz