fix: Node.js publish release workflow#14
Conversation
|
Warning Review limit reached
More reviews will be available in 25 minutes and 1 second. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
WalkthroughThe workflow configuration was updated to support Node.js 24 and improve npm authentication. The default Node version input changed from version 22 to 24. A new optional Suggested reviewers
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
.github/workflows/nodejs-publish-release.yml (1)
67-72:⚠️ Potential issue | 🟠 MajorFix npm authentication in release workflow.
nodejs-publish-release.ymlhas noNODE_AUTH_TOKENanywhere in the workflow, so publishing with a classicNPM_TOKENwill fail; setenv: { NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} }on the npm publish step.token: ${{ secrets.NPM_TOKEN }}underactions/setup-nodewon’t provide npm registry auth whenregistry-urlis set;setup-nodeexpects npm auth viaNODE_AUTH_TOKEN. Also,actions/setup-node@v4useswith.cache(notpackage-manager-cache), so ensureactions/setup-node@v6supportspackage-manager-cachebefore relying on it.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/nodejs-publish-release.yml around lines 67 - 72, The release workflow currently uses actions/setup-node@v6 with registry-url and sets token under that step, which does not provide npm registry auth; update the npm publish step to export NODE_AUTH_TOKEN from secrets (set env: { NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} } on the publish job/step) and remove or stop relying on token: ${{ secrets.NPM_TOKEN }} under actions/setup-node@v6 for auth; also verify actions/setup-node@v6 supports the package-manager-cache input — if not, switch to the supported input name (with.cache) or remove the unsupported package-manager-cache setting to avoid misconfiguration.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Outside diff comments:
In @.github/workflows/nodejs-publish-release.yml:
- Around line 67-72: The release workflow currently uses actions/setup-node@v6
with registry-url and sets token under that step, which does not provide npm
registry auth; update the npm publish step to export NODE_AUTH_TOKEN from
secrets (set env: { NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} } on the publish
job/step) and remove or stop relying on token: ${{ secrets.NPM_TOKEN }} under
actions/setup-node@v6 for auth; also verify actions/setup-node@v6 supports the
package-manager-cache input — if not, switch to the supported input name
(with.cache) or remove the unsupported package-manager-cache setting to avoid
misconfiguration.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: b3234a73-d292-425a-aedf-065c7e37fc8d
📒 Files selected for processing (1)
.github/workflows/nodejs-publish-release.yml
Trusted publishers seemed to not be working on v22.
cdunster
force-pushed
the
fix-nodejs-publish
branch
from
31c4bd1 to
9e0f6e8
Compare
|
✔️ 31a8e9a...9e0f6e8 - Conventional commits check succeeded. |
4 participants
This time it actually does work, I tested it here: https://github.com/holochain/hc-spin/actions/runs/27209734639/job/80335171989
It appears that there was a bug with Trusted Publishers in Node.js v22 (even though the docs claim it should work) after updating to v24 it works.
I also took this oppotunity to disable the caching option (which should be done for release builds) as well as adding
NPM_TOKENback as an optional secret so that this workflow can hopefully be used by projects that are not using Trusted Publishers.