Update workflow #298
Conversation
Code Review
Overall Assessment:
This PR migrates NPM publishing from token-based authentication (NPM_TOKEN) to OIDC-based Trusted Publishers, which is a security improvement. The implementation is mostly correct, but there are a few issues worth addressing before merging.
Inline comments: 3 discussions added
| - name: Install npm 11 | ||
| run: npm install -g npm@11 | ||
|
|
||
| - name: Debug node and npm versions |
Important Issue: This debug step should be removed before merging. Leaving debug steps in production CI workflows adds noise to every future run and may expose version information unnecessarily. If version visibility is needed for troubleshooting, it can be obtained from the runner logs of the setup-node and Install npm 11 steps.
| token: ${{ secrets.NPM_TOKEN }} | ||
| node-version: 22.18.x | ||
|
|
||
| - name: Install npm 11 |
Important Issue: The npm version is pinned loosely as npm@11, which will silently install whatever the latest npm 11.x.x is at run time. This can introduce unexpected behavior from minor or patch version changes between runs. Pin to a specific version (e.g., npm@11.4.1) to ensure reproducible builds, consistent with how node-version is now pinned to 22.18.x.
Pull request overview
Updates the npm publish GitHub Actions workflow to support npm “trusted publishers” (OIDC-based auth) instead of using an NPM_TOKEN.
Changes:
- Adds permissions: id-token: write / contents: read to enable OIDC authentication with npm.
- Pins Node to a specific 22.18 minor line and adds a step to install npm v11 (plus a debug version print).
- Removes NODE_AUTH_TOKEN usage during npm publish, relying on OIDC instead.
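For readers who want to see the shape of the workflow the overview describes, here is an added example of a complete OIDC-based npm publish job. It is not the workflow from this PR or the project's own file; the release trigger, the step names, the `NEW_VERSION` variable and the exact npm version (`11.X.Y` placeholder) are assumptions, and the package's trusted publisher (repository and workflow file name) must already be registered on npmjs.com for the `npm publish` step to succeed without a token.

```yaml
name: Publish to npm (OIDC)   # added example, not the project's workflow

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    # Only the publishing job needs an OIDC token; everything else stays read-only.
    permissions:
      id-token: write   # lets npm exchange the GitHub OIDC token for a short-lived publish credential
      contents: read

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22.18.x
          registry-url: https://registry.npmjs.org/
          scope: '@constructorio'
          # No `token:` input: authentication comes from the OIDC exchange, not a stored secret.

      # Trusted publishing needs a recent npm 11.x. Pin an exact version so every run
      # installs the same CLI instead of whatever 11.x happens to be latest that day.
      - name: Install npm
        run: npm install -g npm@11.X.Y   # placeholder: replace with the exact version you tested

      - name: Set package version from the release tag
        id: version
        env:
          # Pass the untrusted tag through the environment instead of interpolating
          # ${{ }} directly into the shell line, so a crafted tag cannot inject commands.
          NEW_VERSION: ${{ github.event.release.tag_name }}   # assumed source of the version
        run: |
          new_version="${NEW_VERSION#v}"   # strip a leading "v" from e.g. v1.2.3
          jq --arg v "$new_version" '.version = $v' package.json > tmp.json && mv tmp.json package.json
          echo "new-version=$new_version" >> "$GITHUB_OUTPUT"

      - name: Publish
        # No NODE_AUTH_TOKEN and no NPM_TOKEN secret: npm 11 detects the Actions OIDC
        # environment and requests its own short-lived credential from the registry.
        run: npm publish --access public
```

The two properties worth checking in any variant of this file are that `id-token: write` is scoped to the publishing job only, and that no step still reads `secrets.NPM_TOKEN`; if the secret remains referenced anywhere, it remains a credential that must be rotated and can still be leaked.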
| run: | | ||
| # updates the package.json version field | ||
| jq --arg new_version "${{ steps.version.outputs.without_prefix }}" '.version = $new_version' package.json > tmp.json && mv tmp.json package.json | ||
|
|
||
| echo "new-version=$new_version" >> $GITHUB_OUTPUT |
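Review bot: `${{ steps.version.outputs.without_prefix }}` is interpolated straight into the shell line of the jq step; if that output is ever derived from a tag or branch name, this is an expression-injection vector. Pass it through `env:` (for example `env: NEW_VERSION: ${{ steps.version.outputs.without_prefix }}` and then `--arg new_version "$NEW_VERSION"`) so the value is never evaluated as shell. Separately, the later `echo "new-version=$new_version" >> $GITHUB_OUTPUT` refers to a shell variable that jq's `--arg new_version` does not create; unless it is assigned in the elided lines, the output will be written empty. Quote `"$GITHUB_OUTPUT"` while you are there.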
| with: | ||
| node-version: 22.x | ||
| registry-url: https://registry.npmjs.org/ | ||
| scope: '@constructorio' | ||
| token: ${{ secrets.NPM_TOKEN }} | ||
| node-version: 22.18.x |
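Review bot: `token: ${{ secrets.NPM_TOKEN }}` survives as unchanged context in this hunk while the PR overview says NPM_TOKEN is no longer used for publishing. actions/setup-node's `token` input is for fetching Node distributions from GitHub, not for registry authentication, so supplying the npm token here keeps the workflow dependent on a long-lived secret that OIDC was meant to retire. Drop the `token:` line and remove the secret from the repository, or document why setup-node still needs it.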
Mudaafi
left a comment
trusted publishers is pretty cool
No description provided.