Skip to content

docs(ci): correct the publish root-cause comment; self-trigger on workflow changes#13

Merged
jaruesink merged 2 commits into
mainfrom
fix/publish-root-cause-comment
Jul 17, 2026
Merged

docs(ci): correct the publish root-cause comment; self-trigger on workflow changes#13
jaruesink merged 2 commits into
mainfrom
fix/publish-root-cause-comment

Conversation

@jaruesink

@jaruesink jaruesink commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Correct the publish-workflow history: the July 9 outage came from a stale npm Trusted Publisher binding after the repository was recreated, not from npm skipping OIDC because setup-node wrote a placeholder token.
  • Trigger the publish workflow when its own configuration changes so future repairs validate automatically after merge.
  • Run the repository's formatting gate alongside lint, typecheck, and tests before publishing.

Verification

  • bun run lint
  • bun run format:check
  • bun run typecheck
  • bun test
  • docs / audit artifacts updated when behavior changed — not applicable; this changes release workflow guidance and validation only.

Review checklist

  • I updated rule/report evidence, not just implementation text — not applicable; no audit or rule behavior changed.
  • I called out AI-authored or generated content that needs extra scrutiny — the original correction was generated with Claude Code and was reviewed against the workflow diff.
  • I noted follow-up guardrails or drift risk if this is intentionally partial — publish now self-triggers on workflow changes and enforces all four required gates.

Root-cause note

The merged comment previously recorded a mechanism that later verification disproved. npm attempts OIDC unconditionally; the placeholder token's actual effect was to disguise the stale-binding failure as a 404 instead of ENEEDAUTH. The binding was repaired by deleting and re-adding the Trusted Publisher configuration on npmjs.com on 2026-07-13.

…w changes

The 2026-07-13 fix's comment blamed registry-url's dummy token for blocking OIDC. Verification disproved that mechanism: npm attempts OIDC unconditionally (its own CLI source); the true cause was a stale Trusted Publisher binding after the repo was deleted+recreated for the open-source cut — npm binds the original repository, so the UI string looks right while the binding points at the dead repo. Recovered only after delete+re-add on npmjs.com. The dummy token's real effect was disguising the failure as 404-unauthorized instead of an honest ENEEDAUTH, so registry-url stays out for signal quality and the comment now sends the next debugger to the binding first.

Also adds publish.yml to its own trigger paths — during the outage every repair needed a manual dispatch.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Kitt7TS73PAVzmzteeU7vW
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

The publish workflow now re-runs when its own file changes on main, adds a conditional formatting check, and revises trusted-publishing comments to explain stale publisher bindings and the removal of registry-url.

Changes

Publish workflow

Layer / File(s) Summary
Workflow trigger, checks, and trusted-publishing documentation
.github/workflows/publish.yml
The push path list includes the workflow itself, the publish gate runs bun run format:check when needed, and comments describe trusted-publisher binding failures and clearer authentication error reporting.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related PRs

  • lambda-curry/anvil#74: Updates the same publish workflow’s trusted-publishing setup, including OIDC configuration and removal of NPM_TOKEN.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly matches the main changes: correcting the publish root-cause note and making the workflow self-trigger on its own changes.
Description check ✅ Passed The description follows the template well, with complete Summary, Verification, and Review checklist sections plus relevant details.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/publish-root-cause-comment

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yml:
- Around line 15-18: Add a bun run format:check validation step to the publish
workflow before the publish stage, alongside the existing lint, typecheck, and
test checks. Keep the current validation order and publishing behavior otherwise
unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: c268546c-1a84-4277-8dc2-1dafa5ce8690

📥 Commits

Reviewing files that changed from the base of the PR and between 64a8dfc and 4c79c2c.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml

Comment thread .github/workflows/publish.yml
Keep the release workflow aligned with the repository's four mandatory validation gates before any package publish.

Agent-Actor: scout

Agent-Run-Id: anvil-cycle-001
@jaruesink
jaruesink merged commit 41a7e0f into main Jul 17, 2026
3 checks passed
@jaruesink
jaruesink deleted the fix/publish-root-cause-comment branch July 17, 2026 01:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant