Skip to content

feat: npm build command input#19

Merged
shavonn merged 1 commit into
mainfrom
feat/npm-build-cmd-input
Apr 2, 2026
Merged

feat: npm build command input#19
shavonn merged 1 commit into
mainfrom
feat/npm-build-cmd-input

Conversation

@shavonn
Copy link
Copy Markdown
Contributor

@shavonn shavonn commented Apr 2, 2026

No description provided.

Copilot AI review requested due to automatic review settings April 2, 2026 12:28
@shavonn shavonn merged commit dabcc4a into main Apr 2, 2026
1 check passed
@shavonn shavonn deleted the feat/npm-build-cmd-input branch April 2, 2026 12:28
Copilot AI reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds an optional GitHub Action input to run a user-specified npm build step during Phase 2 (finalize release) before publishing to an npm registry.

Changes:

  • Introduces a new npm-build-command input exposed via action.yml.
  • Runs an optional build step (currently npm install + command execution) before npm publish in scripts/finalize-release.sh.
  • Documents the new input and usage examples in README.md.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
scripts/finalize-release.sh Adds conditional pre-publish build execution when npm-build-command is provided.
action.yml Defines and wires the new npm-build-command input into the composite action environment.
README.md Documents the new input and shows usage examples for npm publish flows.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread scripts/finalize-release.sh
if [[ -n "${INPUT_NPM_BUILD_COMMAND:-}" ]]; then
echo "Running build: ${INPUT_NPM_BUILD_COMMAND}"
npm install
eval "$INPUT_NPM_BUILD_COMMAND"
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using eval to run the build command adds an extra round of shell parsing/expansion (beyond what bash -c would do) and can lead to unexpected behavior or command injection if the input ever becomes attacker-controlled. Prefer invoking a shell with -c (or restricting this input to an npm run <script> pattern) instead of eval.

Suggested change
eval "$INPUT_NPM_BUILD_COMMAND"
bash -c "$INPUT_NPM_BUILD_COMMAND"

Copilot uses AI. Check for mistakes.
Comment thread scripts/finalize-release.sh
Comment on lines 79 to +85
echo "${registry_host}/:_authToken=${INPUT_NPM_TOKEN}" > .npmrc
echo "registry=${registry}" >> .npmrc

if [[ -n "${INPUT_NPM_BUILD_COMMAND:-}" ]]; then
echo "Running build: ${INPUT_NPM_BUILD_COMMAND}"
npm install
eval "$INPUT_NPM_BUILD_COMMAND"
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The .npmrc containing the publish token is written before npm install / the build command runs. That means dependency lifecycle scripts (and any build tooling) can read/exfiltrate the token, and if the build fails the .npmrc cleanup won’t run. Consider (1) moving .npmrc creation to immediately before npm publish (or using NODE_AUTH_TOKEN just for publish), and (2) adding an EXIT trap to reliably remove .npmrc even on failures.

Copilot uses AI. Check for mistakes.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@shavonn