Skip to content

Revert "ci(core): remove npm ci update for provenance"#405

Closed
chakrihacker wants to merge 1 commit into
mainfrom
revert-404-fix/publish-workflow-remove-npm-update
Closed

Revert "ci(core): remove npm ci update for provenance"#405
chakrihacker wants to merge 1 commit into
mainfrom
revert-404-fix/publish-workflow-remove-npm-update

Conversation

@chakrihacker

@chakrihacker chakrihacker commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Reverts #404

Summary by CodeRabbit

  • Chores
    • Updated the package publishing process to use the latest npm CLI before releases.

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The public npm publish workflow now globally upgrades npm to the latest version before running version and registry checks, installation, build, and publish steps.

Changes

Public npm publishing

Layer / File(s) Summary
Upgrade npm before publishing
.github/workflows/publish-public-npm.yml
Adds npm install -g npm@latest before the publish workflow’s pre-flight checks and subsequent operations.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related PRs

Suggested reviewers: rax7389

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately indicates this PR reverts the npm CI provenance-related change.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch revert-404-fix/publish-workflow-remove-npm-update

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/publish-public-npm.yml (1)

66-68: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

LGTM!

The step correctly ensures the latest npm CLI is available for --provenance publishing. Since pnpm handles installs/builds and npm handles registry checks/publishing, there's no conflict. The static analysis adhoc-packages warning is expected here — upgrading the CLI tool in CI is a standard pattern.

One minor consideration: npm@latest is unpinned, so the npm version can drift between runs. If reproducibility becomes a concern, consider pinning to a specific major (e.g., npm@11). This is optional and low priority for a publish workflow.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-public-npm.yml around lines 66 - 68, Optionally
improve reproducibility in the “Upgrade npm to latest version” workflow step by
replacing the unpinned npm@latest installation with a pinned major version such
as npm@11.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In @.github/workflows/publish-public-npm.yml:
- Around line 66-68: Optionally improve reproducibility in the “Upgrade npm to
latest version” workflow step by replacing the unpinned npm@latest installation
with a pinned major version such as npm@11.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 9ed026f5-c428-495c-bfb4-1c2611cdc092

📥 Commits

Reviewing files that changed from the base of the PR and between 339e200 and 6e4aaf8.

📒 Files selected for processing (1)
  • .github/workflows/publish-public-npm.yml

@codecov-commenter

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.70%. Comparing base (339e200) to head (6e4aaf8).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #405   +/-   ##
=======================================
  Coverage   88.70%   88.70%           
=======================================
  Files         203      203           
  Lines       17299    17299           
  Branches     2292     2292           
=======================================
  Hits        15345    15345           
  Misses       1954     1954           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants