Skip to content

ci: add --provenance flag for npm trusted publishing#10

Merged
jakeklassen merged 2 commits into
mainfrom
ci/trusted-publishing
Mar 13, 2026
Merged

ci: add --provenance flag for npm trusted publishing#10
jakeklassen merged 2 commits into
mainfrom
ci/trusted-publishing

Conversation

@jakeklassen

@jakeklassen jakeklassen commented Mar 13, 2026

Copy link
Copy Markdown
Owner

Summary

  • Add --provenance flag to pnpm publish in release workflow
  • Add NODE_AUTH_TOKEN env var for authentication

Closes #9

Test plan

  • Next release should show trusted publishing badge on npmx.dev/package/objecs
  • Published package should include provenance attestation

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Release workflow updated: publish step now includes provenance metadata when publishing.
    • Workflow notes indicate OIDC trusted publishing with no token environment variables required; explicit references to supplying NODE_AUTH_TOKEN were removed.
    • Existing publish filters and flags remain unchanged.

Closes #9

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@netlify

netlify Bot commented Mar 13, 2026

Copy link
Copy Markdown

Deploy Preview for objecs ready!

Name Link
🔨 Latest commit 6cde582
🔍 Latest deploy log https://app.netlify.com/projects/objecs/deploys/69b429e6dce01b0008b6391f
😎 Deploy Preview https://deploy-preview-10--objecs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@coderabbitai

coderabbitai Bot commented Mar 13, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 873108f3-0700-4e17-a0c1-46ca6cf55a35

📥 Commits

Reviewing files that changed from the base of the PR and between aa4a6b7 and 6cde582.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/release.yml

📝 Walkthrough

Walkthrough

The release workflow's publish step was modified to add the --provenance flag to pnpm publish; references to supplying NODE_AUTH_TOKEN were removed and a comment indicating OIDC trusted publishing (no token needed) was added. Control flow of the workflow remains the same.

Changes

Cohort / File(s) Summary
Release workflow
\.github/workflows/release.yml
Publish step updated to include --provenance; removed explicit NODE_AUTH_TOKEN usage and added comment about OIDC trusted publishing (no token required).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I hopped into the CI at dawn,
Added provenance, then I yawned.
No token pouch, OIDC in sight,
Trusted publishing—what a delight! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title directly describes the main change: adding the --provenance flag for npm trusted publishing in the CI workflow.
Linked Issues check ✅ Passed The PR adds the --provenance flag and updates the publish command, addressing issue #9's requirement to update the release workflow with OIDC permissions and --provenance flag.
Out of Scope Changes check ✅ Passed The changes are limited to the release workflow with --provenance flag addition and removal of NODE_AUTH_TOKEN references, which are directly aligned with issue #9 objectives.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch ci/trusted-publishing
📝 Coding Plan
  • Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 32-33: Remove the NODE_AUTH_TOKEN environment variable from the
publish step to enforce OIDC-only publishing: locate the publish job's env block
(the entry that sets NODE_AUTH_TOKEN) and delete that variable so npm will rely
on OIDC instead of falling back to token auth; ensure no other steps in the same
publish job reintroduce NODE_AUTH_TOKEN and, if desired, add a comment
referencing that npm OIDC is used and recommend enabling the npm package setting
"Require two-factor authentication and disallow tokens."

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 60ed2693-39a9-46ca-a258-96afd3d7c0e1

📥 Commits

Reviewing files that changed from the base of the PR and between 0eb2092 and aa4a6b7.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

Comment thread .github/workflows/release.yml Outdated
With trusted publishing configured, npm uses OIDC directly. Keeping
NODE_AUTH_TOKEN would allow fallback to token-based auth, defeating
the purpose of the migration.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@jakeklassen jakeklassen merged commit 235b61e into main Mar 13, 2026
7 checks passed
@jakeklassen jakeklassen deleted the ci/trusted-publishing branch March 13, 2026 15:17
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ci: adopt npm trusted publishing for releases

1 participant