fix(release): add OIDC permissions, pin action versions, fix exports warnings#871
Merged
EdwardMoyse merged 2 commits intoApr 7, 2026
Merged
Conversation
…warnings - Add top-level permissions block with contents:write and id-token:write to enable lerna 9 OIDC trusted publishing support - Pin actions/checkout and actions/setup-node from @main to @v4 to prevent breaking changes from unpinned main branch - Update docker/login-action to v3, setup-buildx-action to v3, build-push-action to v6 - Remove conflicting ./package.json and . exports from phoenix-ui-components source package.json to fix ng-packagr 20 build warnings (module and typings fields still provide resolution) Closes HSF#851
There was a problem hiding this comment.
Pull request overview
This PR aims to resolve outstanding release workflow failures (per #851) by hardening the GitHub Actions release pipeline configuration and adjusting Angular package export metadata to eliminate ng-packagr export warnings.
Changes:
- Add workflow-level GitHub token permissions (
contents: write,id-token: write) to support release publishing (including OIDC). - Pin GitHub Actions used in the release workflow to stable major versions and bump Docker action major versions.
- Remove
exportsentries fromphoenix-ui-componentsthat were conflicting with ng-packagr-generated metadata, retaining only the Sass theming subpath.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
.github/workflows/release.yml |
Adds explicit permissions and pins/updates action versions for release + Docker publishing. |
packages/phoenix-ng/projects/phoenix-ui-components/package.json |
Adjusts exports to reduce ng-packagr export warnings while keeping the Sass theming export. |
Comments suppressed due to low confidence (1)
packages/phoenix-ng/projects/phoenix-ui-components/package.json:50
exportsnow only defines./theming. When a package.json contains anexportsmap but no"."entry, consumers cannot import the package root (e.g.import ... from 'phoenix-ui-components') because the default entrypoint is not exported. If the intent is to rely on ng-packagr’s generatedexports, note this package publishes from the project root (and even deletesdist/package.jsoninprepublishOnly), so the generateddist/package.jsonexports won’t be used by Node/bundlers. Consider restoring the"."export (and optionally./package.json) or removing theexportsfield entirely and using another mechanism for the Sass entrypoint.
"exports": {
"./theming": {
"sass": "./_theming.scss"
}
}
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
The workflow is triggered via workflow_dispatch, so GITHUB_REF_NAME is the branch name (e.g. main), not the release tag. Export the version from lerna.json after publish as a job output, checkout the release tag in push-to-docker, and use the version for Docker image tags.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes the remaining release failures reported in #851 after the ESLint fix in #860.
Changes
1. Fix E404 npm publish failure
Pin GitHub Actions versions: Changed
actions/checkoutandactions/setup-nodefrom@mainto@v4. Using@mainis dangerous the main branch can introduce breaking changes at any time. Thesetup-node@mainchange is the most likely cause of the E404, as it may have altered.npmrcgeneration or auth token resolution.Add OIDC permissions: Added top-level
permissionsblock withcontents: write(for git push and GitHub release creation) andid-token: write(for lerna 9's OIDC trusted publishing support). Lerna 9.0.0 introduced OIDC trusted publishing which works automatically when theid-token: writepermission is available.Update Docker action versions:
docker/login-actionv2→v3,docker/setup-buildx-actionv2→v3,docker/build-push-actionv3→v6.2. Fix ng-packagr 20 export warnings
Removed conflicting
./package.jsonand.entries fromphoenix-ui-components/package.jsonexports. ng-packagr 20 auto-generates these entries indist/package.json, and the manual entries in the sourcepackage.jsoncaused build warnings. Themoduleandtypingsfields still provide correct resolution for bundlers and TypeScript. Only the custom./themingSass export is retained.The last successful npm publish was Nov 30, 2024 using lerna 8.1.9. If the
NPM_TOKENrepository secret is a granular access token with an expiration date, it may have expired. Please verify at https://www.npmjs.com/settings/~/tokens.Closes #851