Skip to content

ci(release): add npm trusted publishing workflow#50

Merged
omerakben merged 1 commit into
mainfrom
codex/npm-publish-unblock
Jun 14, 2026
Merged

ci(release): add npm trusted publishing workflow#50
omerakben merged 1 commit into
mainfrom
codex/npm-publish-unblock

Conversation

@omerakben

Copy link
Copy Markdown
Owner

Summary

  • Add a tag-aware npm publish workflow that uses GitHub Actions OIDC for npm trusted publishing
  • Add explicit public npm publish metadata to package.json
  • Document the remaining npm account-side trusted publisher setup and local publish fallback

Why

  • The package is ready, but local npm publish is blocked by E401 because this machine is not authenticated to npm
  • npm now recommends trusted publishing over long-lived tokens for CI/CD publishing

Validation

  • npm pack --dry-run --json
  • npm publish --dry-run --access public
  • npm pack --dry-run --json from v0.21.2-alpha.0 tag via temporary worktree
  • ruby -e "require 'yaml'; YAML.load_file('.github/workflows/npm-publish.yml'); puts 'yaml ok'"\n- git diff --check\n\n## Risks / follow-ups\n- npm package settings still need a trusted publisher entry for workflow filename npm-publish.yml before the workflow can publish\n- actionlint is not installed locally, so GitHub CI is the workflow validation gate\n- If trusted publishing is not configured, fallback is npm login plus npm publish --access public from the release tag\n

Copilot AI review requested due to automatic review settings June 14, 2026 16:24
@coderabbitai

coderabbitai Bot commented Jun 14, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@omerakben, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 40 minutes and 18 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3694601e-ba7b-4af3-bc3c-caf5fc1fba62

📥 Commits

Reviewing files that changed from the base of the PR and between f5bd2e9 and 0fb4de2.

📒 Files selected for processing (3)
  • .github/workflows/npm-publish.yml
  • docs/RELEASE_READINESS.md
  • package.json
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch codex/npm-publish-unblock

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the release readiness documentation for version v0.21.2-alpha.0 and configures the npm publish settings in package.json. However, the documentation references a new GitHub Actions workflow file for npm trusted publishing (.github/workflows/npm-publish.yml) that is missing from the changes and needs to be added.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread docs/RELEASE_READINESS.md

## npm publish authorization

Preferred path: use npm trusted publishing for `.github/workflows/npm-publish.yml`.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The pull request title and description indicate that a new GitHub Actions workflow for npm trusted publishing (.github/workflows/npm-publish.yml) is being added. However, the workflow file itself is missing from the changes in this pull request. Please add the .github/workflows/npm-publish.yml file to this PR so that the documented setup and CLI triggers can function correctly.

@omerakben omerakben merged commit f9491c5 into main Jun 14, 2026
4 checks passed
@omerakben omerakben deleted the codex/npm-publish-unblock branch June 14, 2026 16:26

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an npm publishing path for the @tuel/code-oz package that can run in CI via GitHub Actions and aligns package metadata/docs for a public publish, with the intention of using npm Trusted Publishing (OIDC) instead of local auth.

Changes:

  • Added publishConfig metadata to package.json to explicitly publish as a public package on the npmjs registry.
  • Documented npm trusted publisher setup steps and local publish fallback in release readiness docs.
  • Introduced a new tag-aware GitHub Actions workflow to publish to npm on GitHub Release publish or manual dispatch.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
package.json Adds explicit npm publish configuration (public access + registry).
docs/RELEASE_READINESS.md Updates release readiness status and documents npm trusted publishing setup + fallback steps.
.github/workflows/npm-publish.yml Adds a release/tag-aware npm publish workflow using OIDC permissions and preflight checks.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +45 to +50
- name: Setup Node
uses: actions/setup-node@v6
with:
node-version: "24"
registry-url: "https://registry.npmjs.org"
package-manager-cache: false

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0fb4de2ba3

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".


- name: Publish package
if: steps.published.outputs.already != 'true'
run: npm publish --access public

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Pass --tag when publishing alpha packages

For the current package version (0.21.2-alpha.0), this step invokes npm 11 without a dist-tag. npm 11 made this a hard error for prerelease versions—the npm CLI changelog states, “When publishing a package with a pre-release version, you must explicitly specify a tag,” and npm publish --dry-run --access public in this repo exits with You must specify a tag using --tag.... As written, both the trusted-publish path and the documented fallback command will fail for alpha releases; pass an explicit tag such as --tag alpha or --tag next.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants