chore: disable npm publishing #41

Merged
bmadcode merged 2 commits into main from chore/disable-npm-publish
Mar 26, 2026
@bmadcode bmadcode commented Mar 26, 2026

Summary

  • Removed publish.yaml workflow (tag-triggered npm auto-publish)
  • Removed npm publish step from manual-release.yaml
  • Added "private": true to package.json to prevent accidental publishes

Module content is delivered via git clone in the bmm installer, not npm packages. The npm publish was only being used as a version lookup service for the installer's status/update-check, which can be replaced with git tags.

Test plan

  • Verify manual-release.yaml still creates git tags and GitHub releases
  • Verify npm publish fails locally due to "private": true

Summary by CodeRabbit

  • Chores
    • Disabled NPM package publishing. The package is now marked as private and will no longer be available on the NPM registry.

Module content is delivered via git clone in the bmm installer,
not via npm packages. Remove publish.yaml workflow, npm publish
step from manual-release.yaml, and mark package as private.

coderabbitai Bot commented Mar 26, 2026

📥 Commits

Reviewing files that changed from the base of the PR and between a9bf473 and d46608c.

📒 Files selected for processing (1)
  • package.json

Walkthrough

The pull request removes NPM publishing capabilities from the project by eliminating the dedicated publish workflow, removing npm distribution steps from the manual release workflow, and marking the package as private in package.json. This prevents automated npm package publishing.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| NPM Publishing Removal: .github/workflows/manual-release.yaml, .github/workflows/publish.yaml | Deleted the publish.yaml workflow entirely and removed the Publish to NPM step from manual-release.yaml, including NPM_TOKEN secret usage, conditional tag logic, and registry configuration. Updated workflow summary with corrected GitHub Release link. |
| Package Configuration: package.json | Added "private": true field to mark the npm package as non-publishable, preventing distribution via standard npm publish flow. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 By Rabbit Editor
No more npm publishing spree,
The package now private, wild and free,
Workflows hopped away without a trace,
Our code stays safe in this cozy space! 🔒

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'chore: disable npm publishing' directly and accurately summarizes the main change: removing npm publishing from the workflow and marking the package as private. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

augmentcode Bot commented Mar 26, 2026

🤖 Augment PR Summary

Summary: Disables npm publishing for bmad-builder to prevent accidental registry releases.
Changes:

  • Removed .github/workflows/publish.yaml and the NPM publish step from manual-release.yaml.
  • Adjusted manual-release.yaml permissions/setup-node config and updated the release step summary to only reference GitHub releases.
  • Set "private": true in package.json to hard-block npm publish.
Technical Notes: Intended distribution/version lookup should move to git tags / GitHub releases instead of the npm registry.

@augmentcode augmentcode Bot left a comment

Review completed. 2 suggestions posted.

echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
echo "npx bmad-method@${{ steps.version.outputs.new_version }} install" >> $GITHUB_STEP_SUMMARY
echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
echo "- **GitHub Release**: https://github.com/bmad-code-org/bmad-builder/releases/tag/v${{ steps.version.outputs.new_version }}" >> $GITHUB_STEP_SUMMARY
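
Review bot: Both the `npx bmad-method@...` line and the GitHub Release link line splice `${{ steps.version.outputs.new_version }}` straight into the script text, so the value is expanded before the shell parses the line. Map it to an environment variable on the step (for example `env: NEW_VERSION: ${{ steps.version.outputs.new_version }}`, where the variable name is only a suggestion) and write `$NEW_VERSION` inside the double-quoted strings, and quote the redirect target as `"$GITHUB_STEP_SUMMARY"`.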

This step summary now links to bmad-builder releases, but the workflow still generates release metadata/links referencing BMAD-METHOD / "BMad Method", which may confuse users following the release output. Consider making the repo/product references consistent throughout the workflow (e.g., release name and the “Full Changelog” URL).

Severity: medium

Other Locations
  • .github/workflows/manual-release.yaml:127
  • .github/workflows/manual-release.yaml:158

Comment thread package.json Outdated
{
"$schema": "https://json.schemastore.org/package.json",
"name": "bmad-builder",
"private": true,
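
Review bot: `"private": true` directly under `"name": "bmad-builder"` only stops `npm publish` from running against this manifest; it changes nothing on the registry side. Follow up outside this file: revoke the `NPM_TOKEN` secret that the removed publish step used, and mark any versions already published as deprecated so consumers can see that releases now come from git tags.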

Setting "private": true will hard-fail any npm publish attempts, but it also means anything still relying on the npm registry as a version lookup will stop working. If there’s still an installer/status check querying npm for versions, it likely needs to be fully switched to git tags/GitHub releases.

Severity: medium
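
The version lookup that the PR description and the comment above say should move from the npm registry to git tags, as an added example that is not code from this PR or from the bmm installer. It parses `git ls-remote --tags` output (a constructed sample here) and picks the highest stable `vX.Y.Z` tag; all function names are hypothetical.

```javascript
// Added example: names and sample data are hypothetical, not the installer's code.
// Accept only stable vMAJOR.MINOR.PATCH tags; "^{}" marks a peeled annotated tag.
const SEMVER_TAG = /^refs\/tags\/v(\d+)\.(\d+)\.(\d+)(\^\{\})?$/;

function parseTagRefs(lsRemoteOutput) {
  const tags = new Map(); // "1.2.3" -> { parts: [1, 2, 3], sha }
  for (const line of lsRemoteOutput.split('\n')) {
    const [sha, ref] = line.trim().split(/\s+/);
    if (!sha || !ref || !/^[0-9a-f]{40}$/.test(sha)) continue;
    const m = SEMVER_TAG.exec(ref);
    if (!m) continue; // branches, pre-releases and malformed names are ignored
    const version = `${m[1]}.${m[2]}.${m[3]}`;
    // The peeled entry carries the commit SHA, so it wins over the tag object.
    if (m[4] || !tags.has(version)) {
      tags.set(version, { parts: [m[1], m[2], m[3]].map(Number), sha });
    }
  }
  return tags;
}

// Numeric comparison: "1.10.0" must sort above "1.9.0".
function compareParts(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

function latestRelease(lsRemoteOutput) {
  let best = null;
  for (const [version, info] of parseTagRefs(lsRemoteOutput)) {
    if (!best || compareParts(info.parts, best.parts) > 0) best = { version, ...info };
  }
  return best; // null when no release tag exists
}

function updateAvailable(installedVersion, lsRemoteOutput) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(installedVersion);
  const latest = latestRelease(lsRemoteOutput);
  if (!m || !latest) return false; // unknown input: report nothing
  return compareParts(latest.parts, m.slice(1).map(Number)) > 0;
}

// Constructed sample of `git ls-remote --tags <repo>` output (SHAs are made up).
const SAMPLE = [
  '1111111111111111111111111111111111111111\trefs/tags/v1.9.0',
  '2222222222222222222222222222222222222222\trefs/tags/v1.10.0',
  '3333333333333333333333333333333333333333\trefs/tags/v1.10.0^{}',
  '4444444444444444444444444444444444444444\trefs/tags/v2.0.0-beta.1',
  '5555555555555555555555555555555555555555\trefs/heads/main',
].join('\n');
```

Because a tag can be moved after the fact, the returned commit SHA is the value to record or compare if the installer needs to know exactly what it cloned.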

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 4: package.json is failing Prettier --check; run the project's formatter
to normalize formatting (e.g., run the npm script "format:fix" or execute
"prettier --write package.json"), review the resulting changes to package.json,
and commit the formatted file so the Prettier check passes.

📥 Commits

Reviewing files that changed from the base of the PR and between 0b6a2f2 and a9bf473.

📒 Files selected for processing (3)
  • .github/workflows/manual-release.yaml
  • .github/workflows/publish.yaml
  • package.json
💤 Files with no reviewable changes (1)
  • .github/workflows/publish.yaml

Comment thread package.json Outdated
@bmadcode bmadcode merged commit 916cd52 into main Mar 26, 2026
4 checks passed