fix: update ci to publish on npm#167
Conversation
There was a problem hiding this comment.
Pull request overview
This PR migrates the ducsvg and ducpdf packages from using the @semantic-release/npm plugin to using npm publish directly within the @semantic-release/exec plugin. The workflows are updated to include Node.js setup and npm update steps to support OIDC-based publishing.
Key Changes:
- Removed
@semantic-release/npmplugin configuration and switched tonpm publishcommand in@semantic-release/exec - Added Node.js setup and npm update steps to both release workflows
- Added npm audit signatures verification step to both workflows
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| packages/ducsvg/release.config.cjs | Replaced @semantic-release/npm plugin with npm publish command in @semantic-release/exec |
| packages/ducpdf/release.config.cjs | Replaced @semantic-release/npm plugin with npm publish command in @semantic-release/exec |
| .github/workflows/release-ducsvg.yml | Added Node.js setup, npm update, and npm audit signatures steps to support npm publishing |
| .github/workflows/release-ducpdf.yml | Added Node.js setup, npm update, and npm audit signatures steps to support npm publishing |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 20.x |
There was a problem hiding this comment.
NPM authentication is not configured in the workflow. The setup-node action should include registry-url and the Release step should include NPM_TOKEN in the environment variables. Without this, npm publish will fail with authentication errors. Add registry-url: 'https://registry.npmjs.org' to the Setup Node.js step and add NPM_TOKEN: secrets.NPM_TOKEN to the Release step's environment variables.
| - name: Update npm | ||
| run: npm install -g npm@latest | ||
|
|
||
|
|
There was a problem hiding this comment.
There are two consecutive blank lines here. The codebase typically uses single blank lines between sections for consistency. Consider removing one blank line.
| - name: Update npm | ||
| run: npm install -g npm@latest | ||
|
|
||
|
|
There was a problem hiding this comment.
There are two consecutive blank lines here. The codebase typically uses single blank lines between sections for consistency. Consider removing one blank line.
| "@semantic-release/exec", | ||
| { | ||
| prepareCmd: "node ../../scripts/semrel-set-version.js packages/ducsvg ${nextRelease.version}", | ||
| publishCmd: "npm publish", |
There was a problem hiding this comment.
The npm publish command is missing the --provenance flag that was previously configured via @semantic-release/npm. OIDC-based provenance publishing provides cryptographic proof of where and how the package was built, which is a security best practice. Without this flag, packages will be published without provenance attestations. Consider adding the --provenance flag: "npm publish --provenance"
| publishCmd: "npm publish", | |
| publishCmd: "npm publish --provenance", |
| "@semantic-release/exec", | ||
| { | ||
| prepareCmd: "node ../../scripts/semrel-set-version.js packages/ducpdf ${nextRelease.version}", | ||
| publishCmd: "npm publish", |
There was a problem hiding this comment.
The npm publish command is missing the --provenance flag that was previously configured via @semantic-release/npm. OIDC-based provenance publishing provides cryptographic proof of where and how the package was built, which is a security best practice. Without this flag, packages will be published without provenance attestations. Consider adding the --provenance flag: "npm publish --provenance"
| publishCmd: "npm publish", | |
| publishCmd: "npm publish --provenance", |
| - name: Setup Node.js | ||
| uses: actions/setup-node@v4 | ||
| with: | ||
| node-version: 20.x |
There was a problem hiding this comment.
NPM authentication is not configured in the workflow. The setup-node action should include registry-url and the Release step should include NPM_TOKEN in the environment variables. Without this, npm publish will fail with authentication errors. Add registry-url: 'https://registry.npmjs.org' to the Setup Node.js step and add NPM_TOKEN: secrets.NPM_TOKEN to the Release step's environment variables.
|
🎉 This PR is included in version 3.1.2 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 3.1.2 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 2.3.1 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 2.2.3 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 2.1.1 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
fix: update ci to publish on npm
fix: update ci to publish on npm
No description provided.