Update GitHub Actions workflow for NPM package publishing: rename job, adjust permissions, update Node.js and pnpm versions, and switch to pnpm for publishing.#6

Merged
zahlekhan merged 1 commit into main from zk/fix/non-int-shell on Feb 9, 2026

Conversation

@zahlekhan
Contributor

@zahlekhan zahlekhan commented Feb 9, 2026


EntelligenceAI PR Summary

Migrates NPM publishing workflow from manual token authentication to OIDC-based trusted publishing for enhanced security and automation.

  • Added OIDC permissions (id-token: write, contents: read) at workflow level
  • Removed repository fork check condition
  • Updated actions: checkout@v4, pnpm@v2
  • Downgraded Node.js from v22 to v20
  • Added pnpm caching configuration
  • Installed npm@11.6.4 to enable trusted publishing support
  • Changed publish command to pnpm publish --access public with automatic provenance
  • Eliminated need for manual NPM_TOKEN secret management

…, adjust permissions, update Node.js and pnpm versions, and switch to pnpm for publishing.
@zahlekhan zahlekhan merged commit 15196f2 into main Feb 9, 2026
9 checks passed
@entelligence-ai-pr-reviews

Walkthrough

This PR modernizes the NPM publishing workflow by migrating from manual token-based authentication to NPM's trusted publishing with OIDC. The workflow now leverages GitHub's OIDC provider for secure, automated authentication, eliminating the need to manage NPM_TOKEN secrets. The update includes upgrading to newer action versions (checkout@v4, pnpm@v2), adding pnpm caching for improved performance, and downgrading Node.js to v20 for compatibility. A critical addition is the installation of npm@11.6.4, which provides native support for trusted publishing. The publish command switches from npm to pnpm with automatic provenance generation, enhancing supply chain security.

Changes

File(s): .github/workflows/publish.yml
Summary: Migrated to NPM trusted publishing with OIDC authentication: added OIDC permissions at workflow level, removed repository fork check, updated actions to checkout@v4 and pnpm@v2, downgraded Node.js from v22 to v20, added pnpm caching, installed npm@11.6.4 for trusted publishing support, and changed publish command from npm publish with explicit token to pnpm publish --access public with automatic provenance generation.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    actor Dev as Developer
    participant GHA as GitHub Actions
    participant OIDC as GitHub OIDC Provider
    participant NPM as NPM Registry
    participant Repo as Repository

    Dev->>GHA: Trigger workflow_dispatch
    activate GHA
    
    GHA->>Repo: Checkout code (fetch-depth: 0)
    Repo-->>GHA: Source code
    
    GHA->>GHA: Setup pnpm (v9.15.4)
    GHA->>GHA: Setup Node.js (v20)
    GHA->>GHA: Install npm v11.6.4
    Note over GHA: npm 11.5.1+ required for<br/>trusted publishing
    
    GHA->>GHA: pnpm install
    GHA->>GHA: pnpm run build
    
    GHA->>OIDC: Request OIDC token
    Note over GHA,OIDC: Uses id-token: write permission
    OIDC-->>GHA: OIDC token
    
    GHA->>NPM: pnpm publish --access public
    Note over GHA,NPM: Includes OIDC token for authentication
    
    NPM->>NPM: Verify OIDC token
    NPM->>NPM: Generate provenance automatically
    
    NPM-->>GHA: Publish success
    
    deactivate GHA
    
    Note over Dev,NPM: New flow: OIDC-based trusted publishing<br/>Old flow: Used NODE_AUTH_TOKEN secret

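The before/after configuration the walkthrough describes, written out as an added example and not the project's actual publish.yml: the removed token-based publish step is kept commented beside its OIDC replacement. The action names, the setup-node major version and the registry URL are assumptions not stated on the page.

```yaml
# Added example: reconstruction of the migrated publish.yml, not the project's file.
# Action names and versions not given in the PR summary are assumptions.
name: Publish to npm

on:
  workflow_dispatch:

# Workflow-level OIDC permissions, as in the PR. Scoping them to the publish
# job alone is tighter, because here every job receives id-token: write.
permissions:
  id-token: write   # allows the job to request a GitHub OIDC token
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - uses: pnpm/action-setup@v2   # assumed to be the "pnpm@v2" in the summary
        with:
          version: 9.15.4

      - uses: actions/setup-node@v4  # assumed major version
        with:
          node-version: 20
          cache: pnpm
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs npm 11.5.1 or newer; the PR pins 11.6.4.
      - run: npm install -g npm@11.6.4

      - run: pnpm install
      - run: pnpm run build

      # Removed step, kept here for contrast: a long-lived token from a secret.
      # - run: npm publish --access public
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      # Replacement: no token in the job; npm exchanges the short-lived OIDC
      # token with the registry and provenance is attached automatically.
      - run: pnpm publish --access public
```

The registry side must match: the package's trusted publisher entry on npmjs.com has to name this repository and this workflow file, otherwise the publish is rejected.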
