
chore(ci): split release.yml into build/publish/release-notes/notify jobs#128

Merged: mscolnick merged 4 commits into main from myles/release-artifact-handoff on May 12, 2026

Conversation

@mscolnick
Contributor

Splits the single release job into 4 jobs so the id-token: write scope is held only by a publish job that runs npm publish exclusively (no install/test/build/exec).

  • build (no id-token): install, typecheck, test, build, validate, upload dist/ + package metadata as artifact.
  • publish (id-token: write): download artifact, npm publish --ignore-scripts.
  • release-notes (contents: write, no id-token): npx changelogithub.
  • notify (if: always()): slack notification, aggregates needs.*.result.

Workflow-level permissions are tightened to contents: read; each job opts in to only the scopes it needs.

Resolves the supply-chain audit oidc-publish-fused finding. Motivated by the TanStack npm supply-chain compromise (May 2026). Mirrors marimo-team/codemirror-ai#111.
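As an added illustration (not the project's actual release.yml, which this page does not show), the following workflow lays out the four-job split with per-job permissions described in the PR. The job names, the scopes each job opts into, the node 24 requirement for the jobs that use npm 11+, and the `npm publish --ignore-scripts` step come from the thread; the tag trigger, the artifact name, the action versions, the build job's Node version, the `npm pack --dry-run` validation step, the job ordering and the Slack step are assumptions.

```yaml
# Illustrative release.yml (added example, not the project's own file).
# Placeholders: trigger, artifact name, action versions, build Node version, Slack step.
name: release

on:
  push:
    tags: ["v*"]                    # assumed trigger

# Workflow default is read-only; every elevated scope is granted per job below.
permissions:
  contents: read

jobs:
  build:
    # No id-token here: this job runs install scripts, tests and the build, i.e.
    # all the third-party code that must never be able to reach the publish credential.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20          # assumed; stays on the repo's existing CI version
          cache: npm
      - run: npm ci
      - run: npm run typecheck
      - run: npm test
      - run: npm run build
      - run: npm pack --dry-run     # assumed "validate" step: show exactly what would ship
      - uses: actions/upload-artifact@v4
        with:
          name: npm-package         # assumed artifact name
          path: |
            dist/
            package.json
            README.md
            LICENSE
          if-no-files-found: error
          retention-days: 1

  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write               # the only job that can mint the OIDC token
    steps:
      # Deliberately no actions/checkout and no npm ci: the job handles only the
      # artifact produced by build and runs no lifecycle scripts.
      - uses: actions/setup-node@v4
        with:
          node-version: 24          # bundled npm 11+ for npm OIDC trusted publishing
      - uses: actions/download-artifact@v4
        with:
          name: npm-package
          path: pkg
      - run: npm publish --ignore-scripts
        working-directory: pkg

  release-notes:
    needs: publish                  # assumed ordering: notes only after a successful publish
    runs-on: ubuntu-latest
    permissions:
      contents: write               # needed to create the GitHub release; no id-token
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # changelogithub needs the tag history
      - uses: actions/setup-node@v4
        with:
          node-version: 24
      - run: npx changelogithub
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  notify:
    needs: [build, publish, release-notes]
    if: always()                    # runs even when an upstream job failed or was skipped
    runs-on: ubuntu-latest
    steps:
      # Hyphenated job ids must be indexed with bracket syntax in expressions.
      - run: |
          echo "build=${{ needs.build.result }}"
          echo "publish=${{ needs.publish.result }}"
          echo "release-notes=${{ needs['release-notes'].result }}"
      # Slack step omitted; assumed to post the three results via a webhook secret.
```

Two checks worth making against the real file: the publish job should contain no `actions/checkout`, `npm ci` or `npm run` step at all, since any of those would put third-party code back in the same job as `id-token: write`; and npm trusted publishing only accepts the token if the repository and workflow filename match what is registered for the package on npmjs.com, so renaming release.yml breaks publishing until that registration is updated.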

Copilot AI review requested due to automatic review settings May 12, 2026 17:29

Copilot AI left a comment


Pull request overview

This PR refactors the release GitHub Actions workflow to reduce the exposure of sensitive permissions (notably id-token: write) by splitting the previous single release job into separate jobs for build, publish, release notes, and notification.

Changes:

  • Tighten workflow-level permissions to contents: read, and scope elevated permissions to the specific jobs that need them.
  • Add a dedicated build job that produces and uploads a package artifact (built dist/ + package metadata).
  • Add separate publish, release-notes, and always-run notify jobs, with notification aggregating results across needs.*.result.


Comment thread on .github/workflows/release.yml (outdated)
@mscolnick
Contributor Author

Intentional: only the publish and release-notes jobs need node 24 (bundled npm 11+ for npm OIDC trusted publishing). The build job stays on the repo's existing version to match what test.yml/ci.yml validates — bumping it would change the CI matrix and is a separate decision from the supply-chain fix.

@mscolnick mscolnick merged commit 480fd87 into main May 12, 2026
4 checks passed
@mscolnick mscolnick deleted the myles/release-artifact-handoff branch May 12, 2026 17:59