fix: remove --provenance flag from npm publish #14

Merged: joalves merged 1 commit into main from fix/remove-provenance-flag on Apr 13, 2026

joalves (Collaborator) commented Apr 13, 2026

Summary

  • Remove --provenance flag — blocked by npm org 2FA settings
  • Keep OIDC trusted publishing for authentication (environment: npm, id-token: write)

Test plan

  • Merge, delete v1.2.0 release/tag, let release-please recreate and publish

Summary by CodeRabbit

  • Chores
    • Updated internal release process configuration.

OIDC trusted publishing works for auth but --provenance is blocked
by the npm org's 2FA settings. Keep OIDC environment for auth,
just drop the provenance attestation.

coderabbitai Bot commented Apr 13, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6d2937e5-9daf-46f0-be9b-6fe56f146cda

📥 Commits

Reviewing files that changed from the base of the PR and between b8dd883 and d39c590.

📒 Files selected for processing (1)
  • .github/workflows/release-please.yml

Walkthrough

The pull request modifies the npm publish command in the release-please GitHub Actions workflow by removing the --provenance flag. The command previously included both --provenance and --access public, but now includes only --access public. No other workflow logic, dependencies, or conditions are altered.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • PR #10: Directly related—this PR added the --provenance flag and id-token permission to the npm publish step, which the main PR now removes.
  • PR #12: Related—modifies the same publish job and npm publish invocation, though with different scope.
  • PR #4: Related—touches the same GitHub Actions workflow file and the publish step that is being modified.

Poem

🐰 A flag takes flight, no proof required,
npm publishes clean and unired,
Provenance gone, simplicity stays,
The bunny approves in so many ways! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title accurately and concisely describes the main change: removing the --provenance flag from the npm publish command in the workflow.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@joalves joalves merged commit ca04b56 into main Apr 13, 2026
5 checks passed