ci(release): add npm trusted publishing workflow#50
Conversation
|
Warning Review limit reached
More reviews will be available in 40 minutes and 18 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more credits in the billing tab to continue. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request updates the release readiness documentation for version v0.21.2-alpha.0 and configures the npm publish settings in package.json. However, the documentation references a new GitHub Actions workflow file for npm trusted publishing (.github/workflows/npm-publish.yml) that is missing from the changes and needs to be added.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
|
|
||
| ## npm publish authorization | ||
|
|
||
| Preferred path: use npm trusted publishing for `.github/workflows/npm-publish.yml`. |
There was a problem hiding this comment.
The pull request title and description indicate that a new GitHub Actions workflow for npm trusted publishing (.github/workflows/npm-publish.yml) is being added. However, the workflow file itself is missing from the changes in this pull request. Please add the .github/workflows/npm-publish.yml file to this PR so that the documented setup and CLI triggers can function correctly.
There was a problem hiding this comment.
Pull request overview
Adds an npm publishing path for the @tuel/code-oz package that can run in CI via GitHub Actions and aligns package metadata/docs for a public publish, with the intention of using npm Trusted Publishing (OIDC) instead of local auth.
Changes:
- Added
publishConfigmetadata topackage.jsonto explicitly publish as a public package on the npmjs registry. - Documented npm trusted publisher setup steps and local publish fallback in release readiness docs.
- Introduced a new tag-aware GitHub Actions workflow to publish to npm on GitHub Release publish or manual dispatch.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Adds explicit npm publish configuration (public access + registry). |
| docs/RELEASE_READINESS.md | Updates release readiness status and documents npm trusted publishing setup + fallback steps. |
| .github/workflows/npm-publish.yml | Adds a release/tag-aware npm publish workflow using OIDC permissions and preflight checks. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: Setup Node | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: "24" | ||
| registry-url: "https://registry.npmjs.org" | ||
| package-manager-cache: false |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 0fb4de2ba3
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| - name: Publish package | ||
| if: steps.published.outputs.already != 'true' | ||
| run: npm publish --access public |
There was a problem hiding this comment.
Pass --tag when publishing alpha packages
For the current package version (0.21.2-alpha.0), this step invokes npm 11 without a dist-tag. npm 11 made this a hard error for prerelease versions—the npm CLI changelog states, “When publishing a package with a pre-release version, you must explicitly specify a tag,” and npm publish --dry-run --access public in this repo exits with You must specify a tag using --tag.... As written, both the trusted-publish path and the documented fallback command will fail for alpha releases; pass an explicit tag such as --tag alpha or --tag next.
Useful? React with 👍 / 👎.
Summary
Why
Validation