Pull request overview
Adds an npm release/publish pipeline intended to support npm “trusted publishing” via GitHub OIDC: one workflow bumps/creates a release on main, and another publishes to npm when a v* tag is pushed.
Changes:
- Add a new `npm-release` workflow that runs on `main` pushes and delegates to the reusable `cz-bump-release` workflow.
- Rework `npm-publish` to run on `v*` tag pushes and publish via `npm publish` with OIDC (`id-token: write`) instead of the token-based `npm-bump`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/npm-release.yaml | Adds a repo-triggered release workflow that calls the reusable commitizen bump/release workflow. |
| .github/workflows/npm-publish.yaml | Switches publishing to tag-based triggers and uses OIDC permissions with direct npm publish steps. |
| name: Bump, Release, and Publish | ||
| name: Publish to NPM | ||
| on: |
This workflow is no longer reusable: switching the trigger from `workflow_call` to `push` means downstream repos (and this repo’s own `workflow-templates/npm-publish.yml`) can’t `uses: prosegrinder/.github/.github/workflows/npm-publish.yaml@...` anymore. If the intent is to keep a reusable publish workflow, restore `on: workflow_call` (with the required secrets/inputs) and put the tag-triggered “starter” workflow in `workflow-templates/` instead (or publish both entrypoints).
| on: | |
| on: | |
| workflow_call: |
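Review bot: this suggestion restores only a bare `workflow_call:`, while the comment it accompanies asks for the required secrets/inputs to be declared as well; if the OIDC-based publish job genuinely needs no secrets, say so in a comment next to the trigger, otherwise add the `secrets:` block so callers know what they must pass.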
| permissions: | ||
| id-token: write | ||
| contents: read |
`permissions: id-token: write` is granted workflow-wide, including the lint/test reusable jobs that don’t need OIDC. To follow least-privilege, move `id-token: write` to the publish job only (keep minimal read permissions at the workflow level if needed).
| token: ${{ secrets.VERSION_BUMP_TAG_TOKEN }} | ||
| - name: Setup Node.js | ||
| uses: actions/setup-node@v6.2.0 | ||
| uses: actions/setup-node@v6 |
This changes `actions/setup-node` from the previously pinned `@v6.2.0` used elsewhere in this repo to the floating major `@v6`. For reproducibility (and to match the existing convention in other workflows here), pin this to a specific version (or ideally a commit SHA).
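The two points raised in the comments above (workflow-wide `id-token: write`, and `uses:` references that float on a tag rather than a commit SHA) are easy to check mechanically before a workflow is merged. The script below is an added example and is not code from this pull request or from the prosegrinder/.github repository: it lints a workflow file for both issues and runs itself against two constructed sample workflows, one shaped like the weak configuration under review and one with `id-token: write` moved to the publish job and every action pinned. The 40-hex SHAs in the corrected sample are placeholders, not real commits.

```shell
#!/bin/sh
# Added example (not part of the pull request or the prosegrinder/.github repo):
# a small lint for GitHub Actions workflow files that reports
#  (a) `id-token: write` granted in the top-level `permissions:` block rather
#      than on the one job that publishes, and
#  (b) `uses:` references not pinned to a 40-hex commit SHA.
# Both sample workflows below are constructed for this example.

# Exit 0 if the top-level `permissions:` block grants `id-token: write`.
workflow_level_id_token() {
  awk '
    /^permissions:/ { in_top = 1; next }   # entered the top-level block
    /^[^ #]/        { in_top = 0 }         # any other unindented key ends it
    in_top && /^[ ]+id-token:[ ]*write/ { found = 1 }
    END { exit found ? 0 : 1 }
  ' "$1"
}

# Print every `uses:` reference (local ./ paths excluded) that is not pinned
# to a commit SHA; prints nothing when the file is clean.
unpinned_uses() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
    | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//' \
    | grep -Ev '^\./' \
    | grep -Ev '@[0-9a-f]{40}([[:space:]]|$)' || true
}

# Run both checks and report; exit 0 only when the file is clean.
lint_workflow() {
  f=$1; rc=0
  if workflow_level_id_token "$f"; then
    echo "$f: id-token: write is granted workflow-wide; move it to the publish job"
    rc=1
  fi
  u=$(unpinned_uses "$f")
  if [ -n "$u" ]; then
    echo "$f: uses references not pinned to a commit SHA:"
    echo "$u" | sed 's/^/  /'
    rc=1
  fi
  return $rc
}

# Constructed sample 1: shaped like the configuration under review.
WEAK=$(mktemp)
cat > "$WEAK" <<'EOF'
name: Publish to NPM
on:
  push:
    tags: ['v*']
permissions:
  id-token: write
  contents: read
jobs:
  test:
    uses: ./.github/workflows/test.yaml
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v6
      - run: npm publish
EOF

# Constructed sample 2: OIDC token scoped to the publish job, actions pinned.
GOOD=$(mktemp)
cat > "$GOOD" <<'EOF'
name: Publish to NPM
on:
  push:
    tags: ['v*']
permissions:
  contents: read
jobs:
  test:
    uses: ./.github/workflows/test.yaml
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # only the job that talks to npm gets an OIDC token
      contents: read
    steps:
      # placeholder SHAs; resolve real ones with `git ls-remote <repo> <tag>`
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: actions/setup-node@1111111111111111111111111111111111111111 # v6.2.0
      - run: npm publish
EOF

lint_workflow "$WEAK" || echo "$WEAK: findings above are expected for the weak sample"
lint_workflow "$GOOD" && echo "$GOOD: ok"
```

The awk check deliberately ignores indented `permissions:` blocks, so a job-scoped `id-token: write` is accepted while a workflow-scoped one is flagged; the pin check treats a trailing `# v6.2.0` comment after a SHA as the human-readable label it is, which is the usual way to keep SHA-pinned references auditable.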
| uses: actions/setup-node@v6 | |
| uses: actions/setup-node@v6.2.0 |
| push: | ||
| branches: | ||
| - main |
This file is added under `.github/workflows/` but is a repo-executed workflow (`on: push`) rather than a reusable workflow (`on: workflow_call`), unlike the other workflows in this directory. If this is intended as a starter workflow for consumers, it should live under `workflow-templates/`; if it’s intended to be reusable, switch it to `workflow_call` and provide a corresponding starter template that invokes it.
| push: | |
| branches: | |
| - main | |
| workflow_call: | |
| secrets: | |
| VERSION_BUMP_TAG_TOKEN: | |
| required: true |
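Review bot: with both `push` and `workflow_call` triggers in this suggestion, `VERSION_BUMP_TAG_TOKEN` is satisfied from the repository's own secrets on the `push` path but must be passed explicitly by the caller on the `workflow_call` path; a short comment beside the `secrets:` block stating this would save consumers a failed run when they call the workflow without forwarding it.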
No description provided.