chore: use npm trust publish

[fengmk2]

Summary by CodeRabbit

• Chores
  • Expanded CI to test against Node.js 24 for broader compatibility.
  • Switched release pipeline to an npm-based workflow to streamline publishing.
  • Updated workflow permissions to enable necessary write operations.
  • Removed an unused NPM token from secrets; retained the Git token.
  • No user-facing changes.

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Updates CI configuration: adds Node.js 24 to the Node.js workflow matrix, and switches the release workflow to use npm-release.yml, introducing explicit permissions and removing NPM_TOKEN from secrets while retaining GIT_TOKEN.

Changes

Cohort / File(s)	Summary of Changes
Node.js CI Matrix Update .github/workflows/nodejs.yml	Expanded matrix versions to include Node.js 24: 16, 18.19.0, 18, 20, 22, 24. No other logic changes.
Release Workflow Switch & Permissions .github/workflows/release.yml	Replaced use of node-release.yml with npm-release.yml. Added a permissions block (contents, deployments, issues, pull-requests, id-token) with write access. Removed NPM_TOKEN secret; kept GIT_TOKEN.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub Actions
  participant Rel as Release Job (npm-release.yml)
  participant Reg as npm Registry

  Dev->>GH: Push tag / release trigger
  GH->>Rel: Start workflow (with explicit permissions)
  note over GH,Rel: contents/deployments/issues/pull-requests/id-token: write
  Rel->>Reg: Publish package (auth via configured token)
  Reg-->>Rel: Publish result
  Rel-->>GH: Job status

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

I thump my paws on CI ground,
A new Node hops in—twenty-four is found.
Releases switch their burrow’s trail,
Permissions penned, we set the sail.
Tokens trimmed, the carrots align—
Ship it, nibble, all runs fine. 🥕✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title Check	⚠️ Warning	The title “chore: use npm trust publish” introduces the term “trust” which does not appear in the PR and does not clearly describe the two main changes of updating the release workflow to use npm-release.yml and adding Node.js 24 to the test matrix, making it misleading and insufficiently descriptive.	Rename the title to concisely and accurately reflect the primary change, for example “chore: switch release workflow to npm-release and add Node.js 24 support.”

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch trust-publish

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 06c422d and f540613.

📒 Files selected for processing (2)

• .github/workflows/nodejs.yml (1 hunks)
• .github/workflows/release.yml (1 hunks)

🔇 Additional comments (1)

.github/workflows/release.yml (1)

16-16: Pin reusable workflow to an immutable ref

This still pulls the release workflow from @master, so any upstream change can silently break or alter our publish pipeline. Please pin it to a tagged release or commit SHA before merging.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @fengmk2, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on a minor code formatting improvement within src/index.ts. While the PR title suggests a broader chore related to npm trust publish, the actual code change specifically ensures that the src/index.ts file concludes with a newline character, which is a standard practice for text files and helps prevent issues with various tools and version control systems.

Highlights

• Code Formatting: A minor formatting adjustment was made to src/index.ts to ensure it ends with a newline character.
• File Integrity: The change addresses the \ No newline at end of file warning, aligning the file with common coding standards.

Ignored Files

• Ignored by pattern: .github/workflows/** (2)
  • .github/workflows/nodejs.yml
  • .github/workflows/release.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[Copilot]

Pull Request Overview

This PR updates the GitHub Actions workflow to use npm's trusted publishing mechanism and adds Node.js 24 support to the test matrix.

• Migrates from manual NPM token authentication to npm's trusted publishing system
• Adds required OIDC permissions for trusted publishing
• Updates Node.js test matrix to include version 24

Reviewed Changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File	Description
.github/workflows/release.yml	Configures OIDC permissions and switches to npm-release workflow for trusted publishing
.github/workflows/nodejs.yml	Adds Node.js 24 to the test version matrix

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[gemini-code-assist]

Code Review

This pull request includes a change that removes the trailing newline from src/index.ts. It is a standard practice to have a newline at the end of files for compatibility with various tools and to follow POSIX standards. I've added a suggestion to restore it.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 97.22%. Comparing base (34ad0d0) to head (f540613).
⚠️ Report is 3 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master       #9   +/-   ##
=======================================
  Coverage   97.22%   97.22%           
=======================================
  Files           1        1           
  Lines          72       72           
  Branches       16       16           
=======================================
  Hits           70       70           
  Misses          2        2           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🎉 This PR is included in version 3.0.2 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀