CI: move build to release workflow

[thomasttvo]

Summary

• Removes lib/ from git tracking to avoid merge conflicts
• Moves build step from pre-commit hook to CI/CD
• PR checks now verify builds succeed
• GitHub Actions handles build + npm publish on release

Changes

• Remove bob build from pre-commit hook
• Add lib/ to .gitignore
• Update CI workflow to build on PRs
• Create release workflow to build and publish to npm
• Configure release-it to skip npm publish (GitHub Actions handles it)
• Update CONTRIBUTING.md with new process

Release Process

1. Run yarn release locally (creates tag + GitHub release)
2. GitHub Actions automatically builds and publishes to npm

Requires NPM_TOKEN secret to be set in GitHub repo settings.

---

Note

Implements CI/CD for builds and releases, and removes built output from the repo.

• Checks workflow: Updates .github/workflows/lint.yml to run on push (master) and pull_request; sets up Node 16 with yarn cache; installs deps; runs TypeScript, ESLint, and react-native-builder-bob build
• Release workflow: Adds .github/workflows/release.yml to build and npm publish on GitHub Release creation (uses NPM_TOKEN)
• Changelog config: Adds .github/release.yml with label-based release notes categories/exclusions
• Repo hygiene: Adds lib/ to .gitignore and removes committed lib/commonjs/* build artifacts
• Docs: Updates CONTRIBUTING.md and README.md with new build, release, and changelog process

^{Written by Cursor Bugbot for commit 205b2df. Configure here.}

Summary by CodeRabbit

• New Features

  • Added an automated Release workflow to publish packages on GitHub release events.

• Chores

  • CI now runs on PRs and master pushes, uses Node 20, enables Yarn cache, enforces frozen installs, and includes a build check; added build output to .gitignore and simplified pre-commit hooks; package scripts updated.

• Documentation

  • CONTRIBUTING clarified build/release process and publishing requirements.

• Breaking Changes

  • Several runtime components, helpers, animation utilities, and TypeScript typings were removed — imports and types will need updating.

[thomasttvo]

@claude please review this PR

[thomasttvo]

@claude review

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c6a901d8-f239-4b12-a710-b861ea6e5574

📥 Commits

Reviewing files that changed from the base of the PR and between aab9e88 and f178141.

📒 Files selected for processing (2)

• .gitignore
• package.json

✅ Files skipped from review due to trivial changes (2)

• .gitignore
• package.json

---

Walkthrough

Removed the built outputs under lib/ (CommonJS, ESM, and TypeScript declaration files), deleting multiple components, helpers, animations, debug utilities, and typings. Added /lib/ to .gitignore. Modified CI: .github/workflows/lint.yml now triggers on pushes to master and on pull requests, renames the job, upgrades checkout, sets up Node 20 with Yarn caching, uses yarn install --frozen-lockfile, and runs yarn build. Added .github/workflows/release.yml to build and publish on GitHub Release events. Updated package.json, Husky pre-commit hook, and CONTRIBUTING.md to reflect CI-based build/publish flow.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

package.json (1)

25-30: Optional DRY cleanup for build scripts.

Lines 25 and 29 duplicate the same command. Consider chaining prepare to build to avoid script drift.

♻️ Suggested refactor

-    "prepare": "bob build",
+    "prepare": "yarn build",
...
-    "build": "bob build",
+    "build": "bob build",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 25 - 30, The package.json duplicates the bob build
command in both the "prepare" and "build" npm scripts; change "prepare" to
invoke the "build" script instead (e.g., run npm script chaining like "npm run
build" or "yarn build") so "prepare" delegates to the "build" script and avoids
drift—update the "prepare" script entry that currently references bob build to
call the "build" script instead, leaving the "build" script (bob build) intact.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CONTRIBUTING.md`:
- Around line 93-100: The release config in package.json allows local npm
publishes (release-it.npm.publish: true) which contradicts docs; update
package.json to disable local npm publishing by setting the release-it
npm.publish flag to false (or removing it) so publishing only occurs via
CI/GitHub Actions, and ensure release-it config remains present under the
"release-it" key (reference: the release-it.npm.publish setting in package.json)
so local runs of yarn release cannot push to npm.

---

Nitpick comments:
In `@package.json`:
- Around line 25-30: The package.json duplicates the bob build command in both
the "prepare" and "build" npm scripts; change "prepare" to invoke the "build"
script instead (e.g., run npm script chaining like "npm run build" or "yarn
build") so "prepare" delegates to the "build" script and avoids drift—update the
"prepare" script entry that currently references bob build to call the "build"
script instead, leaving the "build" script (bob build) intact.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c80e3368-cbea-441a-aaf6-72541604c851

📥 Commits

Reviewing files that changed from the base of the PR and between 58f450c and 285bb39.

⛔ Files ignored due to path filters (26)

• lib/commonjs/ReactNativeZoomableView.js.map is excluded by !**/*.map
• lib/commonjs/animations/index.js.map is excluded by !**/*.map
• lib/commonjs/assets/pin.png is excluded by !**/*.png, !**/*.png
• lib/commonjs/components/AnimatedTouchFeedback.js.map is excluded by !**/*.map
• lib/commonjs/components/StaticPin.js.map is excluded by !**/*.map
• lib/commonjs/components/index.js.map is excluded by !**/*.map
• lib/commonjs/debugHelper/index.js.map is excluded by !**/*.map
• lib/commonjs/helper/applyPanBoundariesToOffset.js.map is excluded by !**/*.map
• lib/commonjs/helper/calcNewScaledOffsetForZoomCentering.js.map is excluded by !**/*.map
• lib/commonjs/helper/coordinateConversion.js.map is excluded by !**/*.map
• lib/commonjs/helper/index.js.map is excluded by !**/*.map
• lib/commonjs/index.js.map is excluded by !**/*.map
• lib/commonjs/typings/index.js.map is excluded by !**/*.map
• lib/module/ReactNativeZoomableView.js.map is excluded by !**/*.map
• lib/module/animations/index.js.map is excluded by !**/*.map
• lib/module/assets/pin.png is excluded by !**/*.png, !**/*.png
• lib/module/components/AnimatedTouchFeedback.js.map is excluded by !**/*.map
• lib/module/components/StaticPin.js.map is excluded by !**/*.map
• lib/module/components/index.js.map is excluded by !**/*.map
• lib/module/debugHelper/index.js.map is excluded by !**/*.map
• lib/module/helper/applyPanBoundariesToOffset.js.map is excluded by !**/*.map
• lib/module/helper/calcNewScaledOffsetForZoomCentering.js.map is excluded by !**/*.map
• lib/module/helper/coordinateConversion.js.map is excluded by !**/*.map
• lib/module/helper/index.js.map is excluded by !**/*.map
• lib/module/index.js.map is excluded by !**/*.map
• lib/module/typings/index.js.map is excluded by !**/*.map

📒 Files selected for processing (42)

• .github/workflows/lint.yml
• .github/workflows/release.yml
• .gitignore
• CONTRIBUTING.md
• lib/commonjs/ReactNativeZoomableView.js
• lib/commonjs/animations/index.js
• lib/commonjs/components/AnimatedTouchFeedback.js
• lib/commonjs/components/StaticPin.js
• lib/commonjs/components/index.js
• lib/commonjs/debugHelper/index.js
• lib/commonjs/helper/applyPanBoundariesToOffset.js
• lib/commonjs/helper/calcNewScaledOffsetForZoomCentering.js
• lib/commonjs/helper/coordinateConversion.js
• lib/commonjs/helper/index.js
• lib/commonjs/index.js
• lib/commonjs/typings/index.js
• lib/module/ReactNativeZoomableView.js
• lib/module/animations/index.js
• lib/module/components/AnimatedTouchFeedback.js
• lib/module/components/StaticPin.js
• lib/module/components/index.js
• lib/module/debugHelper/index.js
• lib/module/helper/applyPanBoundariesToOffset.js
• lib/module/helper/calcNewScaledOffsetForZoomCentering.js
• lib/module/helper/coordinateConversion.js
• lib/module/helper/index.js
• lib/module/index.js
• lib/module/typings/index.js
• lib/typescript/ReactNativeZoomableView.d.ts
• lib/typescript/__tests__/index.test.d.ts
• lib/typescript/animations/index.d.ts
• lib/typescript/components/AnimatedTouchFeedback.d.ts
• lib/typescript/components/StaticPin.d.ts
• lib/typescript/components/index.d.ts
• lib/typescript/debugHelper/index.d.ts
• lib/typescript/helper/applyPanBoundariesToOffset.d.ts
• lib/typescript/helper/calcNewScaledOffsetForZoomCentering.d.ts
• lib/typescript/helper/coordinateConversion.d.ts
• lib/typescript/helper/index.d.ts
• lib/typescript/index.d.ts
• lib/typescript/typings/index.d.ts
• package.json

💤 Files with no reviewable changes (36)

• lib/typescript/components/index.d.ts
• lib/commonjs/components/index.js
• lib/module/components/index.js
• lib/commonjs/typings/index.js
• lib/typescript/components/AnimatedTouchFeedback.d.ts
• lib/module/typings/index.js
• lib/typescript/helper/applyPanBoundariesToOffset.d.ts
• lib/module/index.js
• lib/module/animations/index.js
• lib/commonjs/helper/calcNewScaledOffsetForZoomCentering.js
• lib/commonjs/helper/applyPanBoundariesToOffset.js
• lib/module/components/StaticPin.js
• lib/module/helper/applyPanBoundariesToOffset.js
• lib/commonjs/index.js
• lib/typescript/index.d.ts
• lib/commonjs/debugHelper/index.js
• lib/module/debugHelper/index.js
• lib/commonjs/components/StaticPin.js
• lib/module/helper/calcNewScaledOffsetForZoomCentering.js
• lib/typescript/debugHelper/index.d.ts
• lib/module/components/AnimatedTouchFeedback.js
• lib/typescript/helper/index.d.ts
• lib/commonjs/ReactNativeZoomableView.js
• lib/module/helper/index.js
• lib/commonjs/animations/index.js
• lib/typescript/components/StaticPin.d.ts
• lib/typescript/animations/index.d.ts
• lib/module/helper/coordinateConversion.js
• lib/typescript/typings/index.d.ts
• lib/typescript/helper/coordinateConversion.d.ts
• lib/typescript/helper/calcNewScaledOffsetForZoomCentering.d.ts
• lib/commonjs/helper/coordinateConversion.js
• lib/module/ReactNativeZoomableView.js
• lib/commonjs/components/AnimatedTouchFeedback.js
• lib/typescript/ReactNativeZoomableView.d.ts
• lib/commonjs/helper/index.js

[thomasttvo]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[thomasttvo]

@coderabbitai i'm confused, how do i know whether you finished reviewing or not

[coderabbitai]

@thomasttvo: Great question! Here's how to tell:

1. Review summary comment — When CodeRabbit finishes, it posts a top-level PR comment with a structured summary (e.g., "Walkthrough", "Changes", etc.) along with any inline review comments on specific lines of code.

2. GitHub PR review status — CodeRabbit submits a formal GitHub review, so you'll see it listed under the "Reviews" section of your PR (alongside human reviewers).

3. Inline comments — Any specific code concerns appear as inline comments directly on the diff.

Since this PR already had a review triggered, check if there's already a comment from coderabbitai[bot] with a "Walkthrough" section — that's the finished review. If you don't see one yet, the review may still be processing or may have been skipped because commits were already reviewed previously (CodeRabbit only reviews new/changed commits incrementally).

You can force a fresh full review by posting:

`@coderabbitai` full review

✅ Actions performed

Full review triggered.

[thomasttvo]

@claude review

[coderabbitai]

🧹 Nitpick comments (2)

.gitignore (1)

50-51: Scope ignore rule to the repository root.

If the intent is only the generated top-level build folder, use /lib/ instead of lib/ to avoid unintentionally ignoring nested lib directories.

Suggested change

- lib/
+ /lib/

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.gitignore around lines 50 - 51, The current .gitignore entry uses a broad
"lib/" pattern which ignores any lib directory anywhere; scope it to the
repository root by replacing the entry "lib/" with "/lib/" so only the top-level
build folder is ignored and nested lib directories remain tracked.

.github/workflows/release.yml (1)

32-37: Migrate from NPM_TOKEN to npm trusted publishing (OIDC) to remove long-lived secrets.

The workflow already has id-token: write and registry-url configured—prerequisites are in place. To migrate:

1. On npmjs.com: Configure trusted publisher for this package (@openspacelabs/react-native-zoomable-view). Specify repository openspacelabs/react-native-zoomable-view and workflow release.yml.
2. Remove NODE_AUTH_TOKEN env var (lines 36–37); OIDC authentication will handle publishing.
3. Optionally remove --provenance flag (auto-enabled with trusted publishing and public repo).

This eliminates token rotation burden and tightens supply-chain security.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 32 - 37, The workflow currently
uses a long-lived token via the NODE_AUTH_TOKEN env var and an explicit publish
command "npm publish --access public --provenance"; update the release.yml
workflow to rely on GitHub OIDC by removing the NODE_AUTH_TOKEN environment
variable and its assignment, keep (or ensure) "id-token: write" and the
configured registry-url step present, and change the publish step to run "npm
publish --access public" (you can also drop the "--provenance" flag if you’ve
configured a trusted publisher for `@openspacelabs/react-native-zoomable-view`);
ensure the release.yml workflow name/repository mapping matches the trusted
publisher settings so OIDC can authenticate without a long-lived token.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/release.yml:
- Around line 32-37: The workflow currently uses a long-lived token via the
NODE_AUTH_TOKEN env var and an explicit publish command "npm publish --access
public --provenance"; update the release.yml workflow to rely on GitHub OIDC by
removing the NODE_AUTH_TOKEN environment variable and its assignment, keep (or
ensure) "id-token: write" and the configured registry-url step present, and
change the publish step to run "npm publish --access public" (you can also drop
the "--provenance" flag if you’ve configured a trusted publisher for
`@openspacelabs/react-native-zoomable-view`); ensure the release.yml workflow
name/repository mapping matches the trusted publisher settings so OIDC can
authenticate without a long-lived token.

In @.gitignore:
- Around line 50-51: The current .gitignore entry uses a broad "lib/" pattern
which ignores any lib directory anywhere; scope it to the repository root by
replacing the entry "lib/" with "/lib/" so only the top-level build folder is
ignored and nested lib directories remain tracked.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b5de9486-e972-4e5a-861b-435cd7794f90

📥 Commits

Reviewing files that changed from the base of the PR and between 58f450c and aab9e88.

⛔ Files ignored due to path filters (26)

• lib/commonjs/ReactNativeZoomableView.js.map is excluded by !**/*.map
• lib/commonjs/animations/index.js.map is excluded by !**/*.map
• lib/commonjs/assets/pin.png is excluded by !**/*.png, !**/*.png
• lib/commonjs/components/AnimatedTouchFeedback.js.map is excluded by !**/*.map
• lib/commonjs/components/StaticPin.js.map is excluded by !**/*.map
• lib/commonjs/components/index.js.map is excluded by !**/*.map
• lib/commonjs/debugHelper/index.js.map is excluded by !**/*.map
• lib/commonjs/helper/applyPanBoundariesToOffset.js.map is excluded by !**/*.map
• lib/commonjs/helper/calcNewScaledOffsetForZoomCentering.js.map is excluded by !**/*.map
• lib/commonjs/helper/coordinateConversion.js.map is excluded by !**/*.map
• lib/commonjs/helper/index.js.map is excluded by !**/*.map
• lib/commonjs/index.js.map is excluded by !**/*.map
• lib/commonjs/typings/index.js.map is excluded by !**/*.map
• lib/module/ReactNativeZoomableView.js.map is excluded by !**/*.map
• lib/module/animations/index.js.map is excluded by !**/*.map
• lib/module/assets/pin.png is excluded by !**/*.png, !**/*.png
• lib/module/components/AnimatedTouchFeedback.js.map is excluded by !**/*.map
• lib/module/components/StaticPin.js.map is excluded by !**/*.map
• lib/module/components/index.js.map is excluded by !**/*.map
• lib/module/debugHelper/index.js.map is excluded by !**/*.map
• lib/module/helper/applyPanBoundariesToOffset.js.map is excluded by !**/*.map
• lib/module/helper/calcNewScaledOffsetForZoomCentering.js.map is excluded by !**/*.map
• lib/module/helper/coordinateConversion.js.map is excluded by !**/*.map
• lib/module/helper/index.js.map is excluded by !**/*.map
• lib/module/index.js.map is excluded by !**/*.map
• lib/module/typings/index.js.map is excluded by !**/*.map

📒 Files selected for processing (42)

• .github/workflows/lint.yml
• .github/workflows/release.yml
• .gitignore
• CONTRIBUTING.md
• lib/commonjs/ReactNativeZoomableView.js
• lib/commonjs/animations/index.js
• lib/commonjs/components/AnimatedTouchFeedback.js
• lib/commonjs/components/StaticPin.js
• lib/commonjs/components/index.js
• lib/commonjs/debugHelper/index.js
• lib/commonjs/helper/applyPanBoundariesToOffset.js
• lib/commonjs/helper/calcNewScaledOffsetForZoomCentering.js
• lib/commonjs/helper/coordinateConversion.js
• lib/commonjs/helper/index.js
• lib/commonjs/index.js
• lib/commonjs/typings/index.js
• lib/module/ReactNativeZoomableView.js
• lib/module/animations/index.js
• lib/module/components/AnimatedTouchFeedback.js
• lib/module/components/StaticPin.js
• lib/module/components/index.js
• lib/module/debugHelper/index.js
• lib/module/helper/applyPanBoundariesToOffset.js
• lib/module/helper/calcNewScaledOffsetForZoomCentering.js
• lib/module/helper/coordinateConversion.js
• lib/module/helper/index.js
• lib/module/index.js
• lib/module/typings/index.js
• lib/typescript/ReactNativeZoomableView.d.ts
• lib/typescript/__tests__/index.test.d.ts
• lib/typescript/animations/index.d.ts
• lib/typescript/components/AnimatedTouchFeedback.d.ts
• lib/typescript/components/StaticPin.d.ts
• lib/typescript/components/index.d.ts
• lib/typescript/debugHelper/index.d.ts
• lib/typescript/helper/applyPanBoundariesToOffset.d.ts
• lib/typescript/helper/calcNewScaledOffsetForZoomCentering.d.ts
• lib/typescript/helper/coordinateConversion.d.ts
• lib/typescript/helper/index.d.ts
• lib/typescript/index.d.ts
• lib/typescript/typings/index.d.ts
• package.json

💤 Files with no reviewable changes (36)

• lib/module/components/index.js
• lib/typescript/components/index.d.ts
• lib/module/typings/index.js
• lib/module/index.js
• lib/commonjs/typings/index.js
• lib/module/helper/applyPanBoundariesToOffset.js
• lib/typescript/components/AnimatedTouchFeedback.d.ts
• lib/typescript/helper/applyPanBoundariesToOffset.d.ts
• lib/typescript/debugHelper/index.d.ts
• lib/typescript/index.d.ts
• lib/commonjs/index.js
• lib/commonjs/helper/calcNewScaledOffsetForZoomCentering.js
• lib/typescript/helper/calcNewScaledOffsetForZoomCentering.d.ts
• lib/commonjs/animations/index.js
• lib/module/helper/calcNewScaledOffsetForZoomCentering.js
• lib/module/components/AnimatedTouchFeedback.js
• lib/module/animations/index.js
• lib/commonjs/helper/index.js
• lib/module/components/StaticPin.js
• lib/module/helper/index.js
• lib/commonjs/components/AnimatedTouchFeedback.js
• lib/module/debugHelper/index.js
• lib/typescript/components/StaticPin.d.ts
• lib/commonjs/components/StaticPin.js
• lib/commonjs/helper/applyPanBoundariesToOffset.js
• lib/commonjs/ReactNativeZoomableView.js
• lib/typescript/helper/coordinateConversion.d.ts
• lib/typescript/typings/index.d.ts
• lib/module/helper/coordinateConversion.js
• lib/commonjs/helper/coordinateConversion.js
• lib/typescript/helper/index.d.ts
• lib/module/ReactNativeZoomableView.js
• lib/typescript/ReactNativeZoomableView.d.ts
• lib/commonjs/debugHelper/index.js
• lib/commonjs/components/index.js
• lib/typescript/animations/index.d.ts

[thomasttvo]

@coderabbitai review

[thomasttvo]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.

[coderabbitai]

🧹 Nitpick comments (1)

package.json (1)

25-29: DRY up build script wiring.

prepublishOnly and build run the same command. Prefer delegating prepublishOnly to yarn build so build logic has a single source of truth.

Suggested cleanup

-    "prepublishOnly": "bob build",
+    "prepublishOnly": "yarn build",
...
-    "build": "bob build",
+    "build": "bob build",

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 25 - 29, The package.json duplicates build
commands; change the "prepublishOnly" script to delegate to the "build" script
instead of repeating the bob build invocation: update the "prepublishOnly" value
to run "yarn build" (or "npm run build") so the canonical build command remains
the "build" script and all publish-time builds use that single source of truth;
ensure the "build" script remains set to "bob build" and adjust any CI/publish
docs if they referenced the old command.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@package.json`:
- Around line 25-29: The package.json duplicates build commands; change the
"prepublishOnly" script to delegate to the "build" script instead of repeating
the bob build invocation: update the "prepublishOnly" value to run "yarn build"
(or "npm run build") so the canonical build command remains the "build" script
and all publish-time builds use that single source of truth; ensure the "build"
script remains set to "bob build" and adjust any CI/publish docs if they
referenced the old command.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 520da2be-3066-4795-9a14-7452ebea6cdd

📥 Commits

Reviewing files that changed from the base of the PR and between 58f450c and b804b68.

⛔ Files ignored due to path filters (26)

• lib/commonjs/ReactNativeZoomableView.js.map is excluded by !**/*.map
• lib/commonjs/animations/index.js.map is excluded by !**/*.map
• lib/commonjs/assets/pin.png is excluded by !**/*.png, !**/*.png
• lib/commonjs/components/AnimatedTouchFeedback.js.map is excluded by !**/*.map
• lib/commonjs/components/StaticPin.js.map is excluded by !**/*.map
• lib/commonjs/components/index.js.map is excluded by !**/*.map
• lib/commonjs/debugHelper/index.js.map is excluded by !**/*.map
• lib/commonjs/helper/applyPanBoundariesToOffset.js.map is excluded by !**/*.map
• lib/commonjs/helper/calcNewScaledOffsetForZoomCentering.js.map is excluded by !**/*.map
• lib/commonjs/helper/coordinateConversion.js.map is excluded by !**/*.map
• lib/commonjs/helper/index.js.map is excluded by !**/*.map
• lib/commonjs/index.js.map is excluded by !**/*.map
• lib/commonjs/typings/index.js.map is excluded by !**/*.map
• lib/module/ReactNativeZoomableView.js.map is excluded by !**/*.map
• lib/module/animations/index.js.map is excluded by !**/*.map
• lib/module/assets/pin.png is excluded by !**/*.png, !**/*.png
• lib/module/components/AnimatedTouchFeedback.js.map is excluded by !**/*.map
• lib/module/components/StaticPin.js.map is excluded by !**/*.map
• lib/module/components/index.js.map is excluded by !**/*.map
• lib/module/debugHelper/index.js.map is excluded by !**/*.map
• lib/module/helper/applyPanBoundariesToOffset.js.map is excluded by !**/*.map
• lib/module/helper/calcNewScaledOffsetForZoomCentering.js.map is excluded by !**/*.map
• lib/module/helper/coordinateConversion.js.map is excluded by !**/*.map
• lib/module/helper/index.js.map is excluded by !**/*.map
• lib/module/index.js.map is excluded by !**/*.map
• lib/module/typings/index.js.map is excluded by !**/*.map

📒 Files selected for processing (42)

• .github/workflows/lint.yml
• .github/workflows/release.yml
• .gitignore
• CONTRIBUTING.md
• lib/commonjs/ReactNativeZoomableView.js
• lib/commonjs/animations/index.js
• lib/commonjs/components/AnimatedTouchFeedback.js
• lib/commonjs/components/StaticPin.js
• lib/commonjs/components/index.js
• lib/commonjs/debugHelper/index.js
• lib/commonjs/helper/applyPanBoundariesToOffset.js
• lib/commonjs/helper/calcNewScaledOffsetForZoomCentering.js
• lib/commonjs/helper/coordinateConversion.js
• lib/commonjs/helper/index.js
• lib/commonjs/index.js
• lib/commonjs/typings/index.js
• lib/module/ReactNativeZoomableView.js
• lib/module/animations/index.js
• lib/module/components/AnimatedTouchFeedback.js
• lib/module/components/StaticPin.js
• lib/module/components/index.js
• lib/module/debugHelper/index.js
• lib/module/helper/applyPanBoundariesToOffset.js
• lib/module/helper/calcNewScaledOffsetForZoomCentering.js
• lib/module/helper/coordinateConversion.js
• lib/module/helper/index.js
• lib/module/index.js
• lib/module/typings/index.js
• lib/typescript/ReactNativeZoomableView.d.ts
• lib/typescript/__tests__/index.test.d.ts
• lib/typescript/animations/index.d.ts
• lib/typescript/components/AnimatedTouchFeedback.d.ts
• lib/typescript/components/StaticPin.d.ts
• lib/typescript/components/index.d.ts
• lib/typescript/debugHelper/index.d.ts
• lib/typescript/helper/applyPanBoundariesToOffset.d.ts
• lib/typescript/helper/calcNewScaledOffsetForZoomCentering.d.ts
• lib/typescript/helper/coordinateConversion.d.ts
• lib/typescript/helper/index.d.ts
• lib/typescript/index.d.ts
• lib/typescript/typings/index.d.ts
• package.json

💤 Files with no reviewable changes (36)

• lib/module/components/index.js
• lib/commonjs/typings/index.js
• lib/commonjs/components/index.js
• lib/module/typings/index.js
• lib/typescript/components/index.d.ts
• lib/typescript/index.d.ts
• lib/typescript/components/AnimatedTouchFeedback.d.ts
• lib/module/index.js
• lib/typescript/helper/calcNewScaledOffsetForZoomCentering.d.ts
• lib/typescript/helper/applyPanBoundariesToOffset.d.ts
• lib/module/animations/index.js
• lib/module/helper/calcNewScaledOffsetForZoomCentering.js
• lib/commonjs/index.js
• lib/typescript/animations/index.d.ts
• lib/commonjs/animations/index.js
• lib/module/helper/applyPanBoundariesToOffset.js
• lib/commonjs/helper/index.js
• lib/typescript/helper/index.d.ts
• lib/module/components/AnimatedTouchFeedback.js
• lib/commonjs/helper/applyPanBoundariesToOffset.js
• lib/module/debugHelper/index.js
• lib/commonjs/helper/calcNewScaledOffsetForZoomCentering.js
• lib/commonjs/components/StaticPin.js
• lib/commonjs/helper/coordinateConversion.js
• lib/commonjs/debugHelper/index.js
• lib/commonjs/components/AnimatedTouchFeedback.js
• lib/typescript/components/StaticPin.d.ts
• lib/typescript/debugHelper/index.d.ts
• lib/typescript/helper/coordinateConversion.d.ts
• lib/module/helper/index.js
• lib/typescript/typings/index.d.ts
• lib/module/helper/coordinateConversion.js
• lib/module/components/StaticPin.js
• lib/commonjs/ReactNativeZoomableView.js
• lib/module/ReactNativeZoomableView.js
• lib/typescript/ReactNativeZoomableView.d.ts

[thomasttvo]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[thomasttvo]

@claude review

[thomasttvo]

🤖 Agent: @coderabbitai Acknowledged — OIDC trusted publishing is a good follow-up once the pipeline is proven and the npm package is configured for trusted publishing on npmjs.com. Deferring to a future PR.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@thomasttvo: Understood — using NPM_TOKEN for now and migrating to OIDC trusted publishing in a future PR is a reasonable approach. No further action needed here.

---

✏️ Learnings added

Learnt from: thomasttvo
URL: https://github.com/openspacelabs/react-native-zoomable-view/pull/158

Timestamp: 2026-04-01T08:03:43.365Z
Learning: In the `openspacelabs/react-native-zoomable-view` repository, the npm publish workflow (`.github/workflows/release.yml`) intentionally uses `NPM_TOKEN` secret via `NODE_AUTH_TOKEN` rather than OIDC trusted publishing. The maintainer (thomasttvo) has acknowledged OIDC trusted publishing as a future improvement but deferred it to a later PR once the pipeline is proven and the npm package is configured for trusted publishing on npmjs.com. Do not flag this as an issue in future reviews.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

[thomasttvo]

@claude review

[claude]

LGTM — all previously identified blocking issues have been resolved.

Extended reasoning...

Overview

This PR moves the build step out of the pre-commit hook and into a dedicated GitHub Actions release workflow. It adds .github/workflows/release.yml, updates .github/workflows/lint.yml, adds /lib/ to .gitignore, renames prepare to prepublishOnly in package.json, and updates CONTRIBUTING.md documentation.

Security risks

No security issues remain. The NPM_TOKEN secret is correctly wired via NODE_AUTH_TOKEN on the publish step, and id-token: write is scoped only to the release job for SLSA provenance attestation — not as a substitute for npm registry auth. Scoped package public access is correctly set with --access public.

Level of scrutiny

This is a CI/CD configuration change affecting only the release pipeline and build tooling, not production library code. The changes are straightforward and all critical correctness issues identified in earlier review rounds have been addressed via commits 06d01b0, bb5d490, aab9e88, b804b68, and f178141.

Other factors

The only remaining item is a minor nit: both the explicit Build step in release.yml and the prepublishOnly lifecycle hook run yarn build during npm publish, causing a redundant build. This wastes a small amount of CI time but does not break correctness — the second build is idempotent. It can be addressed in a follow-up by either removing the explicit Build step (relying solely on prepublishOnly) or passing --ignore-scripts to npm publish (relying solely on the explicit step). This nit is not a blocker.

[claude]

LGTM — all functional issues resolved across multiple review rounds.

Extended reasoning...

Overview

PR #158 moves the build step out of the CI lint workflow and into the release workflow, adds npm publishing via GitHub Actions, and cleans up related configuration in package.json, .gitignore, and CONTRIBUTING.md. The changed files are .github/workflows/release.yml, .github/workflows/lint.yml, package.json, .gitignore, and CONTRIBUTING.md (plus committed lib/ artifacts being removed from tracking).

Security risks

The release workflow handles npm publishing with a scoped token (NPM_TOKEN). After several review rounds, the workflow now correctly: (1) authenticates via NODE_AUTH_TOKEN, (2) uses --provenance for signed attestations backed by the id-token: write OIDC permission, (3) guards against pre-releases polluting the latest dist-tag with if: ${{ \!github.event.release.prerelease }}, and (4) publishes with --access public for the scoped package. No security regressions are present.

Level of scrutiny

This is a CI/CD configuration change with real publishing implications — it directly controls when and how the npm package is released. It warranted careful review, which it received. The workflow is now minimal and correct. The only remaining item is a minor documentation gap in CONTRIBUTING.md (not mentioning that pre-releases skip npm publish), captured in the inline comment.

Other factors

Seven prior inline bugs were raised and all have been resolved. The PR has gone through multiple commit iterations addressing each concern. The remaining nit is documentation-only and does not affect correctness or security.

[claude]

LGTM — all previously raised issues have been resolved.

Extended reasoning...

Overview

This PR moves the build step out of git history and into CI/CD: lib/ is removed from version control and git tracking, a new release.yml workflow builds and publishes to npm on GitHub Release events, and lint.yml gains an explicit build step for PR validation.

Security risks

The publish workflow uses secrets.NPM_TOKEN via NODE_AUTH_TOKEN for registry auth, and id-token: write permission solely for SLSA provenance attestations (--provenance flag). No secrets are exposed beyond what is required. Scoped package is published with --access public as needed for @openspacelabs/*. No security concerns.

Level of scrutiny

CI/CD configuration changes warrant careful review, but the scope here is narrow: two workflow files, package.json lifecycle hooks, .gitignore, and CONTRIBUTING.md. The changes are mechanical and follow well-established patterns for npm publishing via GitHub Actions.

Other factors

Multiple rounds of review caught and resolved: missing NODE_AUTH_TOKEN, incorrect OIDC claims, prepare vs prepublishOnly lifecycle hook, release-it.npm.publish misconfiguration, missing --provenance flag, duplicate build execution, absent pre-release guard, and undocumented pre-release behavior. All issues have been marked resolved by the author. The bug hunting system found no new issues. The PR is ready to merge.