Pull request overview
This PR refactors the npm publishing workflow to use a composite action instead of inline steps. It also adds manual workflow triggering capability and permissions required for npm provenance.
Changes:
- Replaces inline npm setup, build, and publish steps with a composite action from the scheduleonce/github-workflows repository
- Adds workflow_dispatch trigger to allow manual execution of the publish workflow
- Adds permissions block with id-token: write and contents: read for npm provenance support
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
|
|
||
| - name: Publish to npm | ||
| uses: scheduleonce/github-workflows/.github/actions/npm-publish@feature/npm-publish-action |
The composite action is referenced using a feature branch (@feature/npm-publish-action) instead of a versioned tag. This is risky because:
- The feature branch can be modified or deleted at any time, breaking this workflow
- There's no stability guarantee - changes to the branch will immediately affect this workflow without review
- It violates GitHub Actions best practices for production workflows
Consider using a stable version tag (e.g., @v1 or @v1.2.3) once the composite action is merged and released. If you need to test the feature branch temporarily, this should be documented and tracked for update before merging to the main branch.
| uses: scheduleonce/github-workflows/.github/actions/npm-publish@feature/npm-publish-action | |
| uses: scheduleonce/github-workflows/.github/actions/npm-publish@v1 |
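Review bot: `@v1` in the suggested `uses:` line is still a mutable ref, since a tag can be moved to a different commit just as a branch can. The overview says this workflow requests `id-token: write` for npm provenance, so pin the action to the full commit SHA of the reviewed release and keep the version in a trailing comment on the same line.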
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
|
|
||
| - name: Publish to npm | ||
| uses: scheduleonce/github-workflows/.github/actions/npm-publish@feature/npm-publish-action |
The composite action usage doesn't show any inputs being passed. The previous implementation used the NPM_TOKEN secret for authentication. Verify that either:
- The composite action automatically accesses secrets.NPM_TOKEN from the repository secrets, or
- The action requires an input parameter for the token (e.g., 'token' or 'npm-token')
Without proper authentication configuration, the npm publish step will fail. Review the composite action's documentation to ensure the authentication is properly configured.
| uses: scheduleonce/github-workflows/.github/actions/npm-publish@feature/npm-publish-action | |
| uses: scheduleonce/github-workflows/.github/actions/npm-publish@feature/npm-publish-action | |
| with: | |
| npm-token: ${{ secrets.NPM_TOKEN }} |
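Review bot: the `npm-token` input name in the suggested `with:` block is not confirmed anywhere in this diff; check it against the `inputs:` declared in the composite action's `action.yml` before applying, because an undeclared input only produces a warning and the publish would then fail at authentication. The `uses:` line above it still resolves `@feature/npm-publish-action`, so fix the ref before passing `secrets.NPM_TOKEN` to it.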
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
|
|
||
| - name: Publish to npm | ||
| uses: scheduleonce/github-workflows/.github/actions/npm-publish@feature/npm-publish-action |
The PR title contains a typo: "Use to use composite action" should likely be "Use composite action" or "Update to use composite action". The repeated "use to use" appears to be a grammatical error.
No description provided.
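The branch-ref concern raised in the first review comment can be checked mechanically. The following is an added example, not code from this pull request or from the scheduleonce repositories: a small linter that flags every remote `uses:` target not pinned to a full commit SHA. The sample workflow and the checkout SHA are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample; the npm-publish refs mirror the ones discussed in the review.
SAMPLE_WORKFLOW = """\
permissions:
  id-token: write
jobs:
  publish:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
      - name: Publish to npm
        uses: scheduleonce/github-workflows/.github/actions/npm-publish@feature/npm-publish-action
      - uses: scheduleonce/github-workflows/.github/actions/npm-publish@v1
      - uses: ./.github/actions/local-step
"""

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")       # full commit SHA, the only immutable ref
TAG_RE = re.compile(r"^v?\d+(\.\d+){0,2}$")  # heuristic: version-looking ref

def classify_ref(target):
    """Classify a `uses:` target as skip, none, sha, tag or branch."""
    if target.startswith(("./", "docker://")):
        return "skip"  # local action or container image, not a repository ref
    _, sep, ref = target.partition("@")
    if not sep:
        return "none"
    if SHA_RE.match(ref):
        return "sha"
    # Anything that is not version-shaped is reported as a branch (heuristic).
    return "tag" if TAG_RE.match(ref) else "branch"

def find_mutable_refs(workflow_text):
    """Return (line_no, target, kind) for each remote action not pinned by SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match:
            kind = classify_ref(match.group(1))
            if kind in ("tag", "branch", "none"):
                findings.append((line_no, match.group(1), kind))
    return findings

if __name__ == "__main__":
    for line_no, target, kind in find_mutable_refs(SAMPLE_WORKFLOW):
        print(f"line {line_no}: {target} is pinned by {kind}, not by commit SHA")
```

Both the feature-branch ref and the `@v1` ref are reported; only the SHA-pinned and local entries pass.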