Node 22 ships with npm 10.x which doesn't support OIDC trusted publishing (requires npm >= 11.5.1). Also add registry-url to setup-node so npm knows which registry to authenticate against.
No actionable comments were generated in the recent review. 🎉
Walkthrough: Updated the publish GitHub Actions workflow to use Node.js 24 and set the npm registry URL; added
Estimated code review effort: 2 (Simple), ~10 minutes
Files selected for processing: 6 (all skipped from review due to trivial changes)
Pre-merge checks: 2 passed, 1 failed (inconclusive)
Running this here: https://github.com/enviodev/hypersync-client-node/actions/runs/23645722276 |
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/publish_to_npm.yaml (1)
289-289: Minor inconsistency: Build job still uses Node.js 22. The publish job now uses Node.js 24, but the build job (line 71) and its name (line 63: "node@22") still reference Node.js 22. This shouldn't cause functional issues since native bindings are architecture-specific rather than Node version-specific, but you may want to align them for consistency.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/publish_to_npm.yaml at line 289, The build job still references Node.js 22 (job name "node@22" and its node-version setting); update that job to use node-version: 24 and rename the job label from "node@22" to "node@24" so it matches the publish job's Node.js version for consistency (search for the job named "node@22" and the build job's node-version field to apply the change).
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/publish_to_npm.yaml:
- Line 292: Update the publish step to support OIDC trusted publishers by adding
the --provenance flag to the npm publish command and removing the explicit env
authentication (remove the env: GITHUB_TOKEN block) so OIDC can authenticate
automatically; ensure the workflow still retains the registry-url:
'https://registry.npmjs.org' and the id-token: write permission but do not set
GITHUB_TOKEN for the publish step.
```yaml
          node-version: 24
          check-latest: true
          cache: yarn
          registry-url: 'https://registry.npmjs.org'
```
🧩 Analysis chain
🌐 Web query:
How to configure npm trusted publishers with GitHub Actions OIDC authentication?
💡 Result:
To configure npm trusted publishers with GitHub Actions OIDC authentication, follow these steps:

1. Ensure your package exists on npmjs.com (you cannot create new packages with OIDC; publish once manually with a token if needed).
2. Configure the trusted publisher on npmjs.com:
   - Go to https://www.npmjs.com/package/YOUR_PACKAGE/settings (or the /access tab).
   - In the "Trusted Publisher" section, select GitHub Actions.
   - Enter: Owner (your GitHub username or organization); Repository (repository name, without owner); Workflow filename (e.g. publish.yml; must be in .github/workflows/ and include the .yml or .yaml extension); Environment (optional, e.g. 'npm'; must match the workflow if used).
   - Save. Each package needs its own configuration; only one per package.
   - Alternatively, use the CLI (npm v11.10+): npm trust github --file publish.yml --repo owner/repo --env npm
3. Update your GitHub Actions workflow (.github/workflows/publish.yml):

```yaml
name: Publish
on:
  push:
    tags: ['v*']   # Or release: types: [created]
permissions:
  id-token: write  # Required for OIDC
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm  # Optional, match npm config
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '24'  # npm 11.5.1+ required; Node 24 includes it
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm run build  # If needed
      - run: npm publish --provenance  # Or set "publishConfig": {"provenance": true} in package.json
```

   - Do NOT set NODE_AUTH_TOKEN or a registry-url with a token; OIDC handles auth.
   - Use Node 24+ or install npm@latest.
   - Ensure package.json has a "repository" field matching the GitHub repo.
4. Remove any old NPM_TOKEN secrets.
5. Test by pushing a tag (e.g. git tag v1.0.1; git push --tags).

Notes:
- Requires npm CLI 11.5.1+ in the workflow.
- Automatically generates a provenance attestation.
- For monorepos, configure per package.
Citations:
- 1: https://npmdigest.com/guides/npm-trusted-publishing
- 2: https://docs.npmjs.com/trusted-publishers/
- 3: https://philna.sh/blog/2026/01/28/trusted-publishing-npm/
- 4: https://docs.npmjs.com/cli/v11/commands/npm-trust
- 5: https://medium.com/@n.saarberg/trusted-publishing-with-github-oidc-668961051bf4
- 6: Trusted Publisher documentation actions/setup-node#1445
🏁 Scripts executed (repository: enviodev/hypersync-client-node):

```shell
# Find and view the publish_to_npm.yaml file
git ls-files | grep -i "publish.*npm"

# View the workflow file around the relevant lines
sed -n '280,320p' .github/workflows/publish_to_npm.yaml

# Check the permissions section at the top of the workflow
head -n 30 .github/workflows/publish_to_npm.yaml
```
Add --provenance flag and remove authentication env variable for OIDC trusted publishers.
The registry-url and id-token: write permission are correctly configured for OIDC, but the publish step needs two changes:
- Add the --provenance flag (required for npm trusted publishers with OIDC)
- Remove the env block: OIDC handles authentication automatically; GITHUB_TOKEN will not work with npm's registry
Required fix for npm OIDC trusted publishers
- name: Publish
- run: npm publish --access public
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: npm publish --access public --provenance
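Review bot: removing the GITHUB_TOKEN env is correct (npm's registry cannot consume a GitHub token, so that block was never doing the authentication), but the hunk leaves the two conditions that actually decide whether this publish succeeds unverified. The OIDC exchange only happens if the registry-url passed to setup-node stays in place and no NODE_AUTH_TOKEN or NPM_TOKEN remains anywhere in the job environment, so check the job-level and workflow-level env, not just this step. And the added `--provenance` on `run: npm publish --access public --provenance` is not what enables provenance here: with a trusted publisher npm generates the attestation on its own, and that attestation is rejected when package.json's repository.url does not match the repository the workflow runs in, so confirm that field before merging. Keep `--access public` if the package is scoped, since scoped packages publish as restricted by default.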
Trusted publishing auto-generates provenance attestations, which require repository.url to match the GitHub repo URL.
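A preflight step for the publish job, written for this thread as an added example (it is not code from enviodev/hypersync-client-node or from CodeRabbit). It checks, before `npm publish` runs, the three things the discussion above turns on: that the npm in the job is at least 11.5.1 (Node 24 bundles it; Node 22's npm 10.x does not), that no registry token such as NODE_AUTH_TOKEN or NPM_TOKEN is left in the environment to pre-empt the OIDC exchange, and that package.json's repository.url resolves to the repository the workflow runs in, since the provenance attestation is rejected otherwise. The function names, the `--run` argument and the use of `node -p` to read package.json are this example's own choices; it assumes it runs after actions/setup-node with GITHUB_REPOSITORY set by Actions.

```shell
#!/usr/bin/env bash
# Preflight for npm trusted publishing (OIDC) in a GitHub Actions publish job.
# Added example for this thread; not code from hypersync-client-node or CodeRabbit.
# Assumed: runs after actions/setup-node, package.json is in the working directory,
# and GITHUB_REPOSITORY is provided by Actions. Function names are this example's own.
set -u

# version_ge A B: exit 0 when dotted version A >= B. A leading "v" and any
# pre-release suffix ("-pre.1") are ignored; missing components count as 0.
version_ge() {
  local a b i x y
  a=$(printf '%s' "$1" | sed 's/^v//; s/-.*//').0.0
  b=$(printf '%s' "$2" | sed 's/^v//; s/-.*//').0.0
  for i in 1 2 3; do
    x=$(printf '%s' "$a" | cut -d. -f"$i")
    y=$(printf '%s' "$b" | cut -d. -f"$i")
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0
}

# repo_slug URL: reduce a package.json repository.url (git+https://..., git@host:...,
# ssh://..., with or without .git) to lower-case "owner/name" for comparison.
repo_slug() {
  printf '%s' "$1" \
    | sed -E 's#^git[+]##; s#\.git$##; s#^[a-z]+://[^/]+/##; s#^git@[^:]+:##; s#/$##' \
    | tr 'A-Z' 'a-z'
}

# check_versions NODE_VERSION NPM_VERSION: the registry's OIDC flow needs npm >= 11.5.1.
# Node 24 bundles a new enough npm; Node 22 ships npm 10.x, so that is reported as advice.
check_versions() {
  local ok=0
  if ! version_ge "$2" "11.5.1"; then
    echo "npm $2 is too old: OIDC trusted publishing needs npm >= 11.5.1" >&2
    ok=1
  fi
  if ! version_ge "$1" "24.0.0"; then
    echo "note: Node $1 does not bundle npm >= 11.5.1; use node-version: 24 or npm install -g npm@latest" >&2
  fi
  return "$ok"
}

# check_no_token: a registry token in the environment is used in place of the OIDC
# exchange and defeats the trusted publisher; fail if one is still set.
check_no_token() {
  local v val ok=0
  for v in NODE_AUTH_TOKEN NPM_TOKEN; do
    eval "val=\${$v:-}"
    if [ -n "$val" ]; then
      echo "$v is set; remove it so npm authenticates through the OIDC token exchange" >&2
      ok=1
    fi
  done
  return "$ok"
}

# check_repository REPO_URL GITHUB_REPOSITORY: the provenance attestation that trusted
# publishing generates is rejected when repository.url does not point at this repo.
check_repository() {
  local have want
  have=$(repo_slug "$1")
  want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if [ -z "$have" ] || [ "$have" != "$want" ]; then
    echo "package.json repository.url '$1' resolves to '$have' but the workflow runs in '$want'" >&2
    return 1
  fi
  return 0
}

# preflight: read the live job values and run every check; a non-zero exit fails the
# step before npm publish is reached.
preflight() {
  local node_v npm_v repo_url rc=0
  node_v=$(node --version)
  npm_v=$(npm --version)
  # repository may be a plain string or an object with a url field.
  repo_url=$(node -p "const r = require('./package.json').repository; typeof r === 'string' ? r : (r && r.url) || ''")
  check_versions "$node_v" "$npm_v" || rc=1
  check_no_token || rc=1
  check_repository "$repo_url" "${GITHUB_REPOSITORY:-}" || rc=1
  if [ "$rc" -eq 0 ]; then
    echo "trusted-publishing preflight passed (node $node_v, npm $npm_v, repo $repo_url)"
  fi
  return "$rc"
}

# Only touch the live environment when invoked with --run, so the functions can be
# sourced and exercised individually.
if [ "${1:-}" = "--run" ]; then
  preflight
fi
```

Wire it in as a `run: bash scripts/publish-preflight.sh --run` step placed before the publish step (the path is an assumption). Each check is a separate function on purpose: the version and token checks are what this PR's Node 24 bump and env removal address, and the repository check covers the repository.url mismatch that the last comment in the thread points at.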