Skip to content

Comments

#242 update github actions#247

Merged
ienaga merged 1 commit intomainfrom
develop
Feb 10, 2026
Merged

#242 update github actions#247
ienaga merged 1 commit intomainfrom
develop

Conversation

@ienaga
Copy link
Member

@ienaga ienaga commented Feb 10, 2026

No description provided.

Copilot AI review requested due to automatic review settings February 10, 2026 22:32
Copilot AI reviewed Feb 10, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the npm publish GitHub Actions workflow, seemingly to support a more automated package publish process (and possibly OIDC/trusted publishing) for the repository’s dist outputs.

Changes:

  • Added workflow-level GitHub Actions permissions (id-token: write, contents: read).
  • Replaced the explicit per-package npm publish --access public steps with a loop that finds package.json files under ./dist and publishes via npm publish --workspace=....

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/publish.yml
Comment on lines +8 to +10
permissions:
id-token: write
contents: read
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The workflow-level permissions block grants id-token: write, but this job also defines its own permissions (lines 15-17) which overrides the workflow defaults. As written, the build job will NOT receive id-token: write, so any OIDC/trusted-publishing flow will fail. Consider either adding id-token: write to the job permissions, or removing the job-level permissions block if it’s not needed.

Copilot uses AI. Check for mistakes.
.github/workflows/publish.yml
- name: Publish packages
run: |
find ./dist -name "package.json" -not -path "*/node_modules/*" -exec dirname {} \; | while read dir; do
npm publish --workspace="${dir}"
Copy link

Copilot AI Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

npm publish --workspace="${dir}" is likely incorrect here: the directories under ./dist are not declared as npm workspaces (root package.json only includes packages/*), so this may fail with “no matching workspace” or publish the wrong thing. Also, the previous workflow used --access public and an auth token; this new step doesn’t pass --access public (needed for scoped public packages) or any explicit auth mechanism unless you’re relying on npm trusted publishing (which would also require the correct id-token permission and usually --provenance). Recommend publishing by running npm publish with the needed flags from within each dist/... directory, and ensuring authentication/provenance is configured intentionally.

Suggested change
npm publish --workspace="${dir}"
(cd "$dir" && npm publish --provenance --access public)

Copilot uses AI. Check for mistakes.
@ienaga ienaga merged commit 7b5367a into main Feb 10, 2026
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

@ienaga ienaga

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@ienaga