ci: add --provenance flag for npm trusted publishing#10
Conversation
Closes #9 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
✅ Deploy Preview for objecs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📝 WalkthroughWalkthroughThe release workflow's publish step was modified to add the Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
📝 Coding Plan
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/release.yml:
- Around line 32-33: Remove the NODE_AUTH_TOKEN environment variable from the
publish step to enforce OIDC-only publishing: locate the publish job's env block
(the entry that sets NODE_AUTH_TOKEN) and delete that variable so npm will rely
on OIDC instead of falling back to token auth; ensure no other steps in the same
publish job reintroduce NODE_AUTH_TOKEN and, if desired, add a comment
referencing that npm OIDC is used and recommend enabling the npm package setting
"Require two-factor authentication and disallow tokens."
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 60ed2693-39a9-46ca-a258-96afd3d7c0e1
📒 Files selected for processing (1)
.github/workflows/release.yml
With trusted publishing configured, npm uses OIDC directly. Keeping NODE_AUTH_TOKEN would allow fallback to token-based auth, defeating the purpose of the migration. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
--provenanceflag topnpm publishin release workflowNODE_AUTH_TOKENenv var for authenticationCloses #9
Test plan
🤖 Generated with Claude Code
Summary by CodeRabbit