Revert "ci(core): remove npm ci update for provenance"#405
Conversation
📝 WalkthroughWalkthroughThe public npm publish workflow now globally upgrades npm to the latest version before running version and registry checks, installation, build, and publish steps. ChangesPublic npm publishing
Estimated code review effort: 1 (Trivial) | ~3 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/publish-public-npm.yml (1)
66-68: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueLGTM!
The step correctly ensures the latest npm CLI is available for
--provenancepublishing. Since pnpm handles installs/builds and npm handles registry checks/publishing, there's no conflict. The static analysis adhoc-packages warning is expected here — upgrading the CLI tool in CI is a standard pattern.One minor consideration:
npm@latestis unpinned, so the npm version can drift between runs. If reproducibility becomes a concern, consider pinning to a specific major (e.g.,npm@11). This is optional and low priority for a publish workflow.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/publish-public-npm.yml around lines 66 - 68, Optionally improve reproducibility in the “Upgrade npm to latest version” workflow step by replacing the unpinned npm@latest installation with a pinned major version such as npm@11.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/publish-public-npm.yml:
- Around line 66-68: Optionally improve reproducibility in the “Upgrade npm to
latest version” workflow step by replacing the unpinned npm@latest installation
with a pinned major version such as npm@11.
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 9ed026f5-c428-495c-bfb4-1c2611cdc092
📒 Files selected for processing (1)
.github/workflows/publish-public-npm.yml
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #405 +/- ##
=======================================
Coverage 88.70% 88.70%
=======================================
Files 203 203
Lines 17299 17299
Branches 2292 2292
=======================================
Hits 15345 15345
Misses 1954 1954 ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
Reverts #404
Summary by CodeRabbit