chore: fix staging pipelines for 2.9.15#1715
📝 Walkthrough
Adds NPM token presence checks, strict-mode gating, continue-on-error handling, and unified publish-result reporting to the npm-publish GitHub Actions workflow; also downgrades
Sequence Diagram(s): omitted (changes are workflow-level and do not introduce a new multi-component runtime control flow that benefits from a sequence diagram)
Estimated code review effort: 🎯 3 (Moderate) | ⏱️ ~25 minutes
🚥 Pre-merge checks: ✅ 1 passed | ❌ 2 failed (1 warning, 1 inconclusive)
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c5b5776df9
Actionable comments posted: 2
🤖 Fix all issues with AI agents
In @.github/workflows/npm-publish.yml:
- Around line 99-120: The publish step ("Publish to npm", id: publish) currently
uses continue-on-error: true which masks real publish failures; remove that
step-level continue-on-error so the step fails visibly (or if you must not block
the job, move continue-on-error to the job-level instead and keep the step-level
failure), and add a TODO comment like "TODO: remove job-level continue-on-error
once token rotation is complete" to avoid it becoming permanent; ensure the
Publish result step then inspects steps.publish.outcome to report warnings or
success as intended.
- Around line 89-97: The "Check NPM Token" step currently interpolates ${{
secrets.NPM_TOKEN }} directly into the shell which risks injection; update the
step (id: check-token, name: Check NPM Token) to read the token from an
environment variable instead (e.g., set env: NPM_TOKEN: ${{ secrets.NPM_TOKEN
}}) and then reference $NPM_TOKEN inside the run block to check emptiness and
write token_available to $GITHUB_OUTPUT; apply the same change to the other
publish job steps that repeat this pattern.
🧹 Nitpick comments (1)
.github/workflows/npm-publish.yml (1)
89-120: Extract the token-check + publish-result pattern into a composite action. The identical ~17-line block (Check NPM Token + conditional publish gate + Publish result) is copy-pasted across all 7 publish jobs. This is a significant DRY violation—any future change (e.g., the secret-interpolation fix above) must be applied in 7 places.
Consider creating a composite action (e.g.,
.github/actions/npm-publish-with-check) that encapsulates:
- Token availability check
- Conditional publish execution
- Result reporting
Each job could then replace the boilerplate with a single action call, passing the working directory, access level, and tag as inputs.
Also applies to: 141-172, 192-223, 240-271, 291-322, 344-375
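The composite action the nitpick asks for, written here as an added example rather than the project's own code (the workflow file itself is not reproduced on this page). It folds in both actionable comments: the token reaches the shell only through `env:`, never through `${{ secrets.NPM_TOKEN }}` expanded into the script text, and the publish step carries no `continue-on-error`, so a real failure fails visibly while a missing token is reported as a skip. The action path follows the reviewer's suggestion; the input names, the `strict` input, the `result` output and the caller values are assumptions. It also assumes the caller runs `actions/setup-node` with `registry-url` set, which is what makes `npm publish` read `NODE_AUTH_TOKEN`.

```yaml
# .github/actions/npm-publish-with-check/action.yml  (path suggested in the review)
#
# Pattern flagged in the review (do not use): the expression is expanded into the
# script *text* before bash parses it, so a token containing quotes or ';' becomes
# part of the script.
#   run: if [ -n "${{ secrets.NPM_TOKEN }}" ]; then echo "token_available=true" >> "$GITHUB_OUTPUT"; fi
# Hardened version below: the secret is only ever an environment variable.
name: npm publish with token check
description: Publish only when an npm token is present, and report the outcome.
inputs:
  npm-token:
    description: npm auth token. Composite actions cannot read `secrets`, so the caller passes it in.
    required: false
    default: ''
  working-directory:
    description: Directory holding the package.json to publish.
    required: true
  access:
    description: npm access level (public or restricted).
    required: false
    default: public
  tag:
    description: npm dist-tag to publish under.
    required: false
    default: latest
  strict:
    description: When 'true', a missing token fails the job instead of skipping the publish.
    required: false
    default: 'false'
outputs:
  result:
    description: One of published, skipped, failed (assumed output name).
    value: ${{ steps.report.outputs.result }}
runs:
  using: composite
  steps:
    - name: Check NPM Token
      id: check-token
      shell: bash
      env:
        NPM_TOKEN: ${{ inputs.npm-token }}   # lands in the environment, never in the script text
        STRICT: ${{ inputs.strict }}
      run: |
        if [ -n "${NPM_TOKEN}" ]; then
          echo "token_available=true" >> "$GITHUB_OUTPUT"
          exit 0
        fi
        echo "token_available=false" >> "$GITHUB_OUTPUT"
        if [ "${STRICT}" = "true" ]; then
          echo "::error::NPM_TOKEN is not set and strict mode is enabled"
          exit 1
        fi
        echo "::warning::NPM_TOKEN is not set; publish will be skipped"
    - name: Publish to npm
      id: publish
      if: steps.check-token.outputs.token_available == 'true'
      shell: bash
      working-directory: ${{ inputs.working-directory }}
      env:
        NODE_AUTH_TOKEN: ${{ inputs.npm-token }}   # consumed by the .npmrc that actions/setup-node writes
        NPM_ACCESS: ${{ inputs.access }}
        NPM_TAG: ${{ inputs.tag }}
      # Deliberately no continue-on-error: a real publish failure fails this step visibly.
      run: npm publish --access "${NPM_ACCESS}" --tag "${NPM_TAG}"
    - name: Publish result
      id: report
      if: always()
      shell: bash
      env:
        TOKEN_AVAILABLE: ${{ steps.check-token.outputs.token_available }}
        PUBLISH_OUTCOME: ${{ steps.publish.outcome }}   # success | failure | skipped | cancelled
      run: |
        case "${PUBLISH_OUTCOME}" in
          success)
            echo "result=published" >> "$GITHUB_OUTPUT" ;;
          skipped)
            echo "result=skipped" >> "$GITHUB_OUTPUT"
            echo "::warning::publish skipped (token_available=${TOKEN_AVAILABLE})" ;;
          *)
            echo "result=failed" >> "$GITHUB_OUTPUT"
            echo "::error::npm publish did not succeed (outcome=${PUBLISH_OUTCOME})"
            exit 1 ;;
        esac
# Caller side, replacing the repeated block in each publish job of npm-publish.yml
# (package path, access and tag are made-up values):
#   - uses: actions/setup-node@v4
#     with:
#       registry-url: https://registry.npmjs.org
#   - uses: ./.github/actions/npm-publish-with-check
#     with:
#       npm-token: ${{ secrets.NPM_TOKEN }}
#       working-directory: packages/example
#       access: public
#       tag: latest
```

Two points worth checking when adopting this shape: the `secrets` context is not available inside a composite action, so the token has to be an explicit input as shown (the caller still writes `${{ secrets.NPM_TOKEN }}`, but in a `with:` value, which is data, not script text); and if the team does need the job not to block during token rotation, the place for `continue-on-error` is the job, with the TODO the review asks for, while the `Publish to npm` step itself keeps failing loudly so `steps.publish.outcome` stays truthful.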