
[ef-42] feat: re-add --provenance to npm publish for public repo #42

Merged: NiveditJain merged 1 commit into main from ef-42 on Apr 7, 2026

Conversation

NiveditJain (Member) commented Apr 7, 2026

Summary

  • Re-adds --provenance flag to npm publish in the publish workflow
  • Re-adds id-token: write permission required for npm provenance attestation
  • These were removed in 407611f because npm provenance requires a public repository — now that the repo is going public, re-enable them

Test plan

  • Verify CI passes on this PR
  • Provenance attestation will be validated on the next npm publish triggered by a GitHub release

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced package publishing workflow with improved security and verification capabilities through provenance support.

The --provenance flag and id-token permission were removed in 407611f
because npm provenance requires a public repository. Now that the repo
is going public, re-enable provenance attestation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
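A publish workflow carrying the two settings this PR restores, added here as an example and not the repository's own .github/workflows/publish.yml; the release trigger, action versions, Node version and the NPM_TOKEN secret name are assumptions.

```yaml
name: Publish to npm

on:
  release:
    types: [published]   # assumption: publishing is triggered by a GitHub release

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read     # the job only needs to read the repository
      id-token: write    # lets the job request an OIDC token; npm uses it to sign the provenance attestation
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # needed so npm sends NODE_AUTH_TOKEN to this registry

      - run: npm ci

      # --provenance makes npm produce a Sigstore-signed attestation that binds the
      # published tarball to this workflow run, commit and repository. It only
      # succeeds for a public repository and needs npm 9.5 or newer.
      # --access public is an assumption for a scoped package on its first publish.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumption: a publish token stored as a repository secret
```

On the consuming side, `npm audit signatures` checks the registry signatures and provenance attestations of the packages in a project's lockfile, which is how a downstream team confirms the attestation this workflow produces.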
coderabbitai Bot commented Apr 7, 2026
ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Free

Run ID: 02528dd3-8844-442c-b971-de8cbec5db79

📥 Commits

Reviewing files that changed from the base of the PR and between 74b1518 and da04515.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml

📝 Walkthrough

The GitHub Actions publish workflow is updated to enable npm package provenance. The job permissions are expanded to include id-token: write alongside existing contents: read, and the npm publish command includes the --provenance flag for generating package provenance data.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow Configuration (.github/workflows/publish.yml) | Added id-token: write permission and appended --provenance flag to npm publish command to enable provenance attestation for published packages.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A hoppy skip through workflow gates,
We seal our packages with provenance weights,
Trust tokens signed, npm approved,
Our rabbit's signature: proved!


Note

🎁 Summarized by CodeRabbit Free

Your organization is on the Free plan. CodeRabbit will generate a high-level summary and a walkthrough for each pull request. For a comprehensive line-by-line review, please upgrade your subscription to CodeRabbit Pro by visiting https://app.coderabbit.ai/login.

Comment @coderabbitai help to get the list of available commands and usage tips.

@NiveditJain NiveditJain merged commit 0205606 into main Apr 7, 2026
8 checks passed
@NiveditJain NiveditJain deleted the ef-42 branch April 21, 2026 01:31