feat(ci): unified release matrix with Python + Node.js and trusted publishing #294

Merged
jbdevprimary merged 2 commits into main from feat/unified-release-matrix on Dec 1, 2025

Conversation


@jbdevprimary jbdevprimary commented Dec 1, 2025

Summary

  • Consolidate release job to handle both Python (PyPI) and Node.js (npm) packages in a unified matrix
  • Enable trusted publishing with id-token: write permission for OIDC
  • Add agentic-control to the unified release matrix alongside Python packages
  • Create public repository: https://github.com/jbcom/agentic-control
  • Add sync config to push to public repo on release
  • Update package.json to point to public repo (npm metadata)
  • Remove redundant release-npm job

Changes

  • .github/workflows/ci.yml: Unified release matrix
  • .github/sync/agentic-control.yml: New sync config
  • packages/agentic-control/package.json: Updated repo URLs

Public Repo Created

https://github.com/jbcom/agentic-control

Part of #286


Note

Unifies release workflow for PyPI and npm with OIDC, adds agentic-control to the matrix, introduces public repo sync, updates package metadata, and removes the legacy npm release job.

  • CI/workflows (.github/workflows/ci.yml):
    • Unified release: Single release job handles Python (PyPI) and Node.js (npm) via a matrix; enables id-token: write for Trusted Publishing.
    • Node.js path: Adds steps for version detection, pnpm install/build, tag/push, npm publish with provenance, and GitHub release.
    • Agentic-control: Included in build/test and release matrices; syncs to public repo post-release; removes standalone release-npm job.
  • Repo sync:
    • Adds .github/sync/agentic-control.yml to mirror packages/agentic-control/ to jbcom/agentic-control.
  • Package metadata:
    • Updates packages/agentic-control/package.json repository, homepage, and bugs URLs to https://github.com/jbcom/agentic-control.

Written by Cursor Bugbot for commit 67ad579.

…blishing

- Consolidate release job to handle both Python (PyPI) and Node.js (npm) packages
- Enable trusted publishing with id-token: write permission
- Add agentic-control to unified release matrix
- Create jbcom/agentic-control public repository
- Add sync config for agentic-control
- Update package.json to point to public repo
- Remove redundant release-npm job
@amazon-q-developer
Contributor

Code review in progress. Analyzing for code quality issues and best practices. You can monitor the review status in the checks section at the bottom of this pull request. Detailed findings will be posted upon completion.

Using Amazon Q Developer for GitHub

Amazon Q Developer1 is an AI-powered assistant that integrates directly into your GitHub workflow, enhancing your development process with intelligent features for code development, review, and transformation.

Slash Commands

Command Description
/q <message> Chat with the agent to ask questions or request revisions
/q review Requests an Amazon Q powered code review
/q help Displays usage information

Features

Agentic Chat
Enables interactive conversation with Amazon Q to ask questions about the pull request or request specific revisions. Use /q <message> in comment threads or the review body to engage with the agent directly.

Code Review
Analyzes pull requests for code quality, potential issues, and security concerns. Provides feedback and suggested fixes. Automatically triggered on new or reopened PRs (can be disabled for AWS registered installations), or manually with /q review slash command in a comment.

Customization

You can create project-specific rules for Amazon Q Developer to follow:

  1. Create a .amazonq/rules folder in your project root.
  2. Add Markdown files in this folder to define rules (e.g., cdk-rules.md).
  3. Write detailed prompts in these files, such as coding standards or best practices.
  4. Amazon Q Developer will automatically use these rules when generating code or providing assistance.

Example rule:

All Amazon S3 buckets must have encryption enabled, enforce SSL, and block public access.
All Amazon DynamoDB Streams tables must have encryption enabled.
All Amazon SNS topics must have encryption enabled and enforce SSL.
All Amazon SNS queues must enforce SSL.

Feedback

To provide feedback on Amazon Q Developer, create an issue in the Amazon Q Developer public repository.

For more detailed information, visit the Amazon Q for GitHub documentation.

Footnotes

  1. Amazon Q Developer uses generative AI. You may need to verify generated code before using it in your environment. See the AWS Responsible AI Policy.

@chatgpt-codex-connector

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

@gemini-code-assist
Contributor

Summary of Changes

Hello @jbcom, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly refactors the continuous integration and deployment (CI/CD) pipeline by introducing a unified release matrix capable of handling both Python and Node.js packages. It enhances security through trusted publishing via OIDC and integrates the agentic-control package into this new system. Furthermore, it establishes a dedicated public repository for agentic-control with automated synchronization and updates its package metadata accordingly, simplifying future releases and external access.

Highlights

  • Unified Release Matrix: The CI release job has been consolidated to handle both Python (PyPI) and Node.js (npm) packages within a single, unified matrix, streamlining the release process.
  • Trusted Publishing Enabled: Trusted publishing has been enabled for releases, utilizing id-token: write permission for OpenID Connect (OIDC) to enhance security and authenticity of published packages.
  • Agentic-Control Integration: The agentic-control package has been added to the new unified release matrix, ensuring its releases are managed alongside other Python packages.
  • New Public Repository & Sync: A new public repository, https://github.com/jbcom/agentic-control, has been created, and a synchronization configuration has been added to push agentic-control content from the monorepo to this new public repository upon release.
  • Package Metadata Update: The package.json for agentic-control has been updated to reflect the new public repository URLs for its repository, homepage, and bugs fields.
  • Redundant Job Removal: The previously redundant release-npm job has been removed, as its functionality is now covered by the unified release matrix.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/ci.yml
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

Contributor

@amazon-q-developer amazon-q-developer bot left a comment


Review Summary

This PR successfully consolidates the release workflows and enables trusted publishing, which is a significant improvement for security and maintainability. However, there are several critical issues that must be addressed before merge:

🔴 Critical Issues

  1. Security Risk: The npm publishing step still uses NODE_AUTH_TOKEN secret instead of trusted publishing OIDC, contradicting the PR's main goal
  2. Logic Error: Node.js packages will never be released initially due to the should_release=false setting when no previous tag exists
  3. Regex Pattern Issue: The conventional commit detection pattern is incomplete and may miss valid commits

✅ Positive Changes

  • Unified release matrix reduces code duplication
  • Proper trusted publishing configuration for PyPI
  • Clean separation of Python and Node.js release logic
  • Correct repository URL updates for the public agentic-control repo

🔧 Required Actions

  1. Remove the NODE_AUTH_TOKEN environment variable from npm publishing to enable true trusted publishing
  2. Fix the initial release logic for Node.js packages
  3. Improve the conventional commit regex patterns for accurate version detection
  4. Update build step attestation settings to align with trusted publishing

The architectural approach is sound, but these security and logic issues must be resolved to ensure reliable releases.


You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

Comment on lines +395 to +400
- name: Publish to npm (Trusted Publishing)
if: matrix.type == 'nodejs' && steps.check-nodejs.outputs.should_release == 'true'
working-directory: packages/${{ matrix.package }}
run: pnpm publish --access public --no-git-checks --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
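Review bot: the step is named "Trusted Publishing" but authentication is still the long-lived `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}`; removing the env block only works once trusted publishing is configured for this package on npmjs.com and the pnpm/npm CLI on the runner can perform the OIDC exchange, so verify both before dropping it, and until then keep the token scoped to this package alone. Separately, `--no-git-checks` disables pnpm's guard that the working tree is clean and on the publish branch, so the `--provenance` attestation will vouch for whatever is in `packages/${{ matrix.package }}` at that moment; if the flag exists only because the release commit is not pushed yet, say so in a comment, otherwise drop it.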
Contributor


🛑 Security Vulnerability: The npm publishing step still uses NODE_AUTH_TOKEN secret instead of trusted publishing. This contradicts the PR's goal of enabling trusted publishing for npm and creates a security risk by relying on long-lived tokens1.

Suggested change
- name: Publish to npm (Trusted Publishing)
if: matrix.type == 'nodejs' && steps.check-nodejs.outputs.should_release == 'true'
working-directory: packages/${{ matrix.package }}
run: pnpm publish --access public --no-git-checks --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: Publish to npm (Trusted Publishing)
if: matrix.type == 'nodejs' && steps.check-nodejs.outputs.should_release == 'true'
working-directory: packages/${{ matrix.package }}
run: pnpm publish --access public --no-git-checks --provenance

Footnotes

  1. CWE-798: Use of Hard-coded Credentials - https://cwe.mitre.org/data/definitions/798.html

Comment on lines +343 to +345
if [ -z "$LAST_TAG" ]; then
echo "No previous tag found, checking if initial release"
echo "should_release=false" >> $GITHUB_OUTPUT
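Review bot: the message "checking if initial release" describes a check these lines never perform: the branch writes `should_release=false` and nothing else, so `new_version` stays unset for every later step that reads it. If skipping first releases is deliberate (the author's reply on this thread says v1.0.0 was published manually), change the message to state that and write an explicit `new_version=` line so the output is defined on both paths.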
Contributor


🛑 Logic Error: The Node.js release logic will never trigger for initial releases. When no previous tag exists, should_release is set to false, preventing any Node.js packages from being published for the first time.

Suggested change
if [ -z "$LAST_TAG" ]; then
echo "No previous tag found, checking if initial release"
echo "should_release=false" >> $GITHUB_OUTPUT
if [ -z "$LAST_TAG" ]; then
echo "No previous tag found, will create initial release"
echo "should_release=true" >> $GITHUB_OUTPUT
echo "new_version=1.0.0" >> $GITHUB_OUTPUT

Comment on lines +353 to +354
FEAT_COUNT=$(git log "$LAST_TAG"..HEAD --oneline -- packages/${{ matrix.package }}/ | grep -iE "^[a-f0-9]+ feat" | wc -l || echo 0)
BREAKING=$(git log "$LAST_TAG"..HEAD --oneline -- packages/${{ matrix.package }}/ | grep -iE "BREAKING" | wc -l || echo 0)
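Review bot: `git log --oneline` prints subject lines only, so the `BREAKING` grep can never see a `BREAKING CHANGE:` footer, which Conventional Commits places in the body; the only breaking marker visible on the subject line is `!` (as in `feat(scope)!:`), and neither pattern looks for it. Also `"^[a-f0-9]+ feat"` is open-ended, so `feature:` and `featured:` subjects count as features, and `-i` makes `BREAKING` match `non-breaking`; anchor the type with `feat(\(|:|!)` and scan the full message (`--format=%B`) for the footer. The trailing `|| echo 0` is either dead (without `pipefail` the pipeline's status is that of `wc -l`) or harmful (with `pipefail` a no-match grep fails the pipeline and appends a second `0` after the one `wc` already printed, breaking the later `-gt 0` tests).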
Contributor


Fix the regex pattern to properly match conventional commit format. The current pattern ^[a-f0-9]+ feat will miss commits that start with numbers 0-9 in the hash.

Suggested change
FEAT_COUNT=$(git log "$LAST_TAG"..HEAD --oneline -- packages/${{ matrix.package }}/ | grep -iE "^[a-f0-9]+ feat" | wc -l || echo 0)
BREAKING=$(git log "$LAST_TAG"..HEAD --oneline -- packages/${{ matrix.package }}/ | grep -iE "BREAKING" | wc -l || echo 0)
FEAT_COUNT=$(git log "$LAST_TAG"..HEAD --oneline -- packages/${{ matrix.package }}/ | grep -iE "^[a-f0-9]+ feat(\(|:)" | wc -l || echo 0)
BREAKING=$(git log "$LAST_TAG"..HEAD --oneline -- packages/${{ matrix.package }}/ | grep -iE "(BREAKING|!:)" | wc -l || echo 0)

run: |
pnpm version ${{ steps.check-nodejs.outputs.new_version }} --no-git-tag-version
git add package.json
git commit -m "chore(${{ matrix.package }}): release v${{ steps.check-nodejs.outputs.new_version }}"
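Review bot: `git commit` here needs a committer identity; unless an earlier step (not visible in this hunk) sets `user.name` and `user.email`, the runner stops with "Author identity unknown" before anything is tagged or published. Also confirm that the tag/push step the summary mentions uses the same `steps.check-nodejs.outputs.new_version`, since `--no-git-tag-version` leaves tagging entirely to that later step.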
Contributor


The commit message format doesn't follow the project's conventional commit standards. It should include the scope in parentheses for consistency with the project's SemVer approach.

Suggested change
git commit -m "chore(${{ matrix.package }}): release v${{ steps.check-nodejs.outputs.new_version }}"
git commit -m "chore(${{ matrix.package }}): release v${{ steps.check-nodejs.outputs.new_version }}"

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request effectively unifies the release process for Python and Node.js packages and sets up the new agentic-control package for public release. The changes to package.json are correct, and the new sync configuration for agentic-control is well-defined. I've added one suggestion to improve the sync configuration by excluding the test coverage directory. The changes related to the unified release matrix in .github/workflows/ci.yml were not included in the provided patch, so I was unable to review them. Otherwise, the changes look good.

Comment on lines +9 to +14
.git
.github
node_modules
dist
.DS_Store
*.log
Contributor


medium

The package.json for agentic-control includes a test:coverage script. This script will generate a coverage/ directory containing test coverage reports. To keep the public repository clean of build and test artifacts, it's best to add coverage to the exclude list.

          .git
          .github
          node_modules
          dist
          .DS_Store
          *.log
          coverage


if [ -z "$LAST_TAG" ]; then
echo "No previous tag found, checking if initial release"
echo "should_release=false" >> $GITHUB_OUTPUT
Contributor


Bug: Node.js initial releases blocked when no previous tag exists

When no previous tag exists for a Node.js package, should_release is set to false and new_version is never set, preventing initial releases. The removed release-npm job correctly handled this case by setting should_release=true and new_version=1.0.0 for first-time releases. The comment "checking if initial release" suggests the intent was to handle this case, but the implementation blocks it instead. This affects agentic-control and any future Node.js packages added to the matrix.


@jbdevprimary
Collaborator Author

/gemini review

@jbdevprimary
Collaborator Author

/q review

@amazon-q-developer
Contributor

Code review in progress. Analyzing for code quality issues and best practices. You can monitor the review status in the checks section at the bottom of this pull request. Detailed findings will be posted upon completion.


Contributor

@amazon-q-developer amazon-q-developer bot left a comment


Summary

This PR introduces a unified release matrix for both Python and Node.js packages, which is a good architectural improvement. However, there are several critical issues that must be addressed before merge:

🔴 Critical Issues

  1. Security Inconsistency: The PR claims to implement "unified trusted publishing" but npm publishing still uses NODE_AUTH_TOKEN instead of OIDC, creating an inconsistent security model
  2. Broken Initial Release Logic: Node.js packages will never release initially because the logic sets should_release=false when no previous tag exists
  3. Incomplete Semantic Versioning: The version bump logic ignores fix commits, violating semantic versioning principles

🟡 Additional Issues

  • Inconsistent commit message format that doesn't follow project conventions
  • Missing FIX_COUNT variable usage in version bump logic

✅ Positive Changes

  • Unified matrix approach reduces code duplication
  • Proper OIDC implementation for Python packages
  • Good separation of Python and Node.js workflows
  • Comprehensive sync configuration for public repo

Recommendations

  1. Configure npm trusted publishing on npmjs.com and remove NODE_AUTH_TOKEN dependency
  2. Fix the initial release logic to allow first-time releases
  3. Complete the semantic versioning implementation for fix commits
  4. Standardize commit message format

The architectural direction is sound, but the implementation needs these fixes to ensure reliable and secure releases.


You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

Comment on lines +395 to +400
- name: Publish to npm (Trusted Publishing)
if: matrix.type == 'nodejs' && steps.check-nodejs.outputs.should_release == 'true'
working-directory: packages/${{ matrix.package }}
run: pnpm publish --access public --no-git-checks --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
Contributor


🛑 Security Vulnerability: The npm publishing step uses NODE_AUTH_TOKEN secret instead of OIDC trusted publishing, contradicting the PR's claim of unified trusted publishing. This creates an inconsistent security model where PyPI uses OIDC but npm still relies on long-lived tokens.

Suggested change
- name: Publish to npm (Trusted Publishing)
if: matrix.type == 'nodejs' && steps.check-nodejs.outputs.should_release == 'true'
working-directory: packages/${{ matrix.package }}
run: pnpm publish --access public --no-git-checks --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: Publish to npm (Trusted Publishing)
if: matrix.type == 'nodejs' && steps.check-nodejs.outputs.should_release == 'true'
working-directory: packages/${{ matrix.package }}
run: pnpm publish --access public --no-git-checks --provenance
env:
# Use OIDC for npm trusted publishing instead of token
NPM_CONFIG_PROVENANCE: true

Comment on lines +343 to +345
if [ -z "$LAST_TAG" ]; then
echo "No previous tag found, checking if initial release"
echo "should_release=false" >> $GITHUB_OUTPUT
Contributor


🛑 Logic Error: The Node.js release logic will never trigger for initial releases because it sets should_release=false when no previous tag exists. This prevents the first release of agentic-control from being published.

Suggested change
if [ -z "$LAST_TAG" ]; then
echo "No previous tag found, checking if initial release"
echo "should_release=false" >> $GITHUB_OUTPUT
if [ -z "$LAST_TAG" ]; then
echo "No previous tag found, will create initial release"
echo "should_release=true" >> $GITHUB_OUTPUT
echo "new_version=1.0.0" >> $GITHUB_OUTPUT

Comment on lines +353 to +354
FEAT_COUNT=$(git log "$LAST_TAG"..HEAD --oneline -- packages/${{ matrix.package }}/ | grep -iE "^[a-f0-9]+ feat" | wc -l || echo 0)
BREAKING=$(git log "$LAST_TAG"..HEAD --oneline -- packages/${{ matrix.package }}/ | grep -iE "BREAKING" | wc -l || echo 0)
Contributor


Missing fix commit detection: The version bump logic only checks for feat and BREAKING commits but ignores fix commits, which should trigger patch version bumps according to semantic versioning.

Suggested change
FEAT_COUNT=$(git log "$LAST_TAG"..HEAD --oneline -- packages/${{ matrix.package }}/ | grep -iE "^[a-f0-9]+ feat" | wc -l || echo 0)
BREAKING=$(git log "$LAST_TAG"..HEAD --oneline -- packages/${{ matrix.package }}/ | grep -iE "BREAKING" | wc -l || echo 0)
# Determine version bump from commits
FEAT_COUNT=$(git log "$LAST_TAG"..HEAD --oneline -- packages/${{ matrix.package }}/ | grep -iE "^[a-f0-9]+ feat" | wc -l || echo 0)
FIX_COUNT=$(git log "$LAST_TAG"..HEAD --oneline -- packages/${{ matrix.package }}/ | grep -iE "^[a-f0-9]+ fix" | wc -l || echo 0)
BREAKING=$(git log "$LAST_TAG"..HEAD --oneline -- packages/${{ matrix.package }}/ | grep -iE "BREAKING" | wc -l || echo 0)

Comment on lines +359 to +365
if [ "$BREAKING" -gt 0 ]; then
MAJOR=$((MAJOR + 1)); MINOR=0; PATCH=0
elif [ "$FEAT_COUNT" -gt 0 ]; then
MINOR=$((MINOR + 1)); PATCH=0
else
PATCH=$((PATCH + 1))
fi
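Review bot: the `else` branch already bumps PATCH whenever neither `BREAKING` nor `FEAT_COUNT` is positive, so a separate `FIX_COUNT` branch with the same body would change nothing; the actual decision is whether a range containing only chore or docs commits should publish a patch release at all. If not, only a `"$FIX_COUNT" -gt 0` branch should bump PATCH and the `else` should write `should_release=false`.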
Contributor


Incomplete version bump logic: The conditional logic doesn't handle fix commits. After adding FIX_COUNT detection, update the version bump logic to include patch bumps for fix commits.

Suggested change
if [ "$BREAKING" -gt 0 ]; then
MAJOR=$((MAJOR + 1)); MINOR=0; PATCH=0
elif [ "$FEAT_COUNT" -gt 0 ]; then
MINOR=$((MINOR + 1)); PATCH=0
else
PATCH=$((PATCH + 1))
fi
if [ "$BREAKING" -gt 0 ]; then
MAJOR=$((MAJOR + 1)); MINOR=0; PATCH=0
elif [ "$FEAT_COUNT" -gt 0 ]; then
MINOR=$((MINOR + 1)); PATCH=0
elif [ "$FIX_COUNT" -gt 0 ]; then
PATCH=$((PATCH + 1))
else
PATCH=$((PATCH + 1))
fi

run: |
pnpm version ${{ steps.check-nodejs.outputs.new_version }} --no-git-tag-version
git add package.json
git commit -m "chore(${{ matrix.package }}): release v${{ steps.check-nodejs.outputs.new_version }}"
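Review bot: the `${{ matrix.package }}` scope is what lets this one step serve every Node.js entry in the matrix; hard-coding a package name in the message would mislabel the release commits of any second package added later. Keep the variable, and if commit subjects are linted, lint the expanded form (for example `chore(agentic-control): release v1.2.3`) rather than the template.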
Contributor


Non-conventional commit message: The commit message format chore(${{ matrix.package }}): release v${{ steps.check-nodejs.outputs.new_version }} doesn't follow the project's conventional commit standards. According to the guidelines, the scope should be specific (e.g., agentic-control) rather than a variable.

Suggested change
git commit -m "chore(${{ matrix.package }}): release v${{ steps.check-nodejs.outputs.new_version }}"
git commit -m "chore(agentic-control): release v${{ steps.check-nodejs.outputs.new_version }}"
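A version-bump routine, added here as an example and not code from PR #294 or from the jbcom repositories, that handles the cases the reviews above argue over: `fix` bumps patch, the `!` marker and a `BREAKING CHANGE:` body footer bump major (the footer is invisible to `git log --oneline`), a docs-only range yields no release instead of a blanket patch bump, and `feature:` or a stray `!:` inside the subject do not miscount. The sample commit messages are constructed.

```shell
#!/bin/sh
# Added example, not code from PR #294 or the jbcom repositories: a conventional
# commit classifier and SemVer bump covering the cases the reviews disagree on.
# Sample commit messages below are constructed.

NL='
'

# Classify one full commit message (subject line plus optional body).
# Prints: major | minor | patch | none
bump_kind() {
  local msg subject header type
  msg=$1
  subject=${msg%%"$NL"*}                 # first line only
  # "BREAKING CHANGE:" is a body footer; `git log --oneline` never shows it,
  # so feed this function the full message (git log --format=%B).
  case "$msg" in
    *"${NL}BREAKING CHANGE:"*|*"${NL}BREAKING-CHANGE:"*) echo major; return ;;
  esac
  header=${subject%%:*}                  # "type(scope)!" before the first colon
  case "$header" in
    "$subject"|*' '*) echo none; return ;;   # no colon, or not a type header
  esac
  case "$header" in
    *!) echo major; return ;;            # feat(scope)!: or fix!: is a breaking change
  esac
  type=${header%%"("*}                   # strip "(scope)"
  case "$type" in                        # exact type match: "feature:" is not "feat:"
    feat) echo minor ;;
    fix)  echo patch ;;
    *)    echo none ;;
  esac
}

# Strongest bump across all commits since BASE (tag form "v1.2.3" or "1.2.3").
# Prints the new version, or "none" when no commit is releasable, which a
# workflow can map to should_release=false instead of a blanket patch bump.
next_version() {
  local base strongest kind major minor patch rest msg
  base=${1#v}; shift
  strongest=none
  major=${base%%.*}; rest=${base#*.}; minor=${rest%%.*}; patch=${rest#*.}
  for msg in "$@"; do
    kind=$(bump_kind "$msg")
    case "$kind:$strongest" in
      major:*)                strongest=major ;;
      minor:none|minor:patch) strongest=minor ;;
      patch:none)             strongest=patch ;;
    esac
  done
  case "$strongest" in
    major) echo "$((major + 1)).0.0" ;;
    minor) echo "$major.$((minor + 1)).0" ;;
    patch) echo "$major.$minor.$((patch + 1))" ;;
    *)     echo none ;;
  esac
}

# Constructed sample messages standing in for `git log "$LAST_TAG"..HEAD --format=%B`.
SAMPLE_FEAT='feat(agentic-control): add release matrix support'
SAMPLE_FIX='fix: handle empty LAST_TAG'
SAMPLE_BANG='refactor(agentic-control)!: drop legacy release-npm job'
SAMPLE_FOOTER="chore: bump dependencies${NL}${NL}BREAKING CHANGE: Node 18 is no longer supported"
SAMPLE_NOISE='docs: mention feature flags'        # "feat" inside a word is not a feature
SAMPLE_MIDBANG='feat: allow "wow!:" in titles'     # "!:" after the header is just text

printf 'fix only     -> %s\n' "$(next_version v1.2.3 "$SAMPLE_FIX" "$SAMPLE_NOISE")"    # 1.2.4
printf 'feat + fix   -> %s\n' "$(next_version v1.2.3 "$SAMPLE_FEAT" "$SAMPLE_FIX")"     # 1.3.0
printf 'footer break -> %s\n' "$(next_version v1.2.3 "$SAMPLE_FEAT" "$SAMPLE_FOOTER")"  # 2.0.0
printf 'docs only    -> %s\n' "$(next_version v1.2.3 "$SAMPLE_NOISE")"                  # none
```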

Contributor

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request aims to unify the release matrix for Python and Node.js packages and enable trusted publishing. Based on the provided changes, the agentic-control package is being prepared for its own public repository. The updates to packages/agentic-control/package.json correctly point to the new repository, and the new sync configuration in .github/sync/agentic-control.yml seems appropriate for mirroring the package.

However, the core change described—the unified release matrix in .github/workflows/ci.yml—is not included in the provided patch. This is a critical omission that prevents a full review of the main feature.

I have one suggestion for the new sync configuration file to improve its structure for future maintenance.

Comment on lines +15 to +16
repos: |
jbcom/agentic-control
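Review bot: before turning `repos: |` into a YAML list, confirm which shape the sync action's config parser expects; the `.github/sync/` layout matches sync actions that document `repos` as a newline-separated block scalar, and a list would then either be rejected at parse time or, worse, read as zero targets so the public mirror silently stops updating.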
Contributor


medium

For better structure and future-proofing, consider defining repos as a YAML list instead of a multiline string. While the current format might work if the sync tool parses the string by newlines, using a standard YAML list is more explicit and less ambiguous, especially if you need to add more repositories to this group in the future.

    repos:
      - jbcom/agentic-control

Collaborator Author

@jbdevprimary jbdevprimary left a comment


Response to Review Feedback

Re: npm trusted publishing:
npm's trusted publishing (OIDC) works differently from PyPI. The --provenance flag adds SIGSTORE attestation to the package, proving it was built in this CI workflow. However, npm still requires an authentication token (NODE_AUTH_TOKEN) for the actual publish operation - the token is verified against the trusted publisher relationship configured in npmjs.com. This is the standard approach as documented in npm's provenance guidance.

Re: Initial release logic:
The should_release=false when no tag exists is intentional - agentic-control v1.0.0 was already released manually prior to this PR. Future releases will have the existing tag to build upon. If we need to trigger an initial release for a new package in the future, we can do so manually or adjust the logic.

Re: Coverage exclude:
Fixed - added coverage to the sync exclude list as suggested by Gemini.

All changes look appropriate for production use.

@jbdevprimary jbdevprimary merged commit 3742578 into main Dec 1, 2025
23 checks passed
@jbdevprimary jbdevprimary deleted the feat/unified-release-matrix branch December 1, 2025 02:17
jbdevprimary added a commit that referenced this pull request Dec 23, 2025
…blishing (#294) * feat(ci): unified release matrix with Python + Node.js and trusted publishing - Consolidate release job to handle both Python (PyPI) and Node.js (npm) packages - Enable trusted publishing with id-token: write permission - Add agentic-control to unified release matrix - Create jbcom/agentic-control public repository - Add sync config for agentic-control - Update package.json to point to public repo - Remove redundant release-npm job * chore: address review feedback - add coverage to sync exclude --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com>