chore(npm): Update release npm action to stop using tokens #49
Pull Request Overview
This PR updates the npm release workflow to use OIDC-based trusted publishing instead of static tokens, bumps the package version to 0.2.2, updates numerous development dependencies, and migrates to ESLint v9 with a flat configuration format.
- Migrates from token-based to OIDC trusted publishing for enhanced security
- Updates all development dependencies to their latest versions
- Introduces ESLint v9 with flat config format (eslint.config.mjs)
Reviewed Changes
Copilot reviewed 14 out of 15 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Version bump to 0.2.2, updated all dev dependencies including ESLint v9, Jest v30, TypeScript v5.9, added rimraf package, replaced rm commands |
| eslint.config.mjs | New ESLint v9 flat configuration file replacing legacy .eslintrc.js format |
| .github/workflows/actions/publish-npm/action.yml | Replaced token-based authentication with OIDC via setup-node@v6, added provenance support |
| .github/workflows/release-production.yml | Removed token input, added emojis to step names |
| .github/workflows/release-dev.yml | Removed token input, added step name for publish action, added emojis |
| .github/workflows/test-unit.yml | Updated checkout action to v5, added emojis to step names |
| .github/workflows/main.yml | Added emojis to job names |
| .github/workflows/lint-and-format.yml | Updated checkout action to v5, added emojis to step names |
| .github/workflows/create-production-pr.yml | Updated checkout action to v5, added emojis to step names |
| .github/workflows/build.yml | Updated checkout action to v5, added emojis to step names |
| .github/workflows/actions/upload-archive/action.yml | Added emoji to step name |
| .github/workflows/actions/get-core-dependencies/action.yml | Updated setup-node action to v6, added emojis to step names |
| .github/workflows/actions/download-archive/action.yml | Added emoji to step name |
| .github/CODEOWNERS | Updated team from @ionic-team/stencil to @stenciljs/technical-steering-committee |
Pull Request Overview
Copilot reviewed 14 out of 15 changed files in this pull request and generated no new comments.
Pull Request Overview
Copilot reviewed 14 out of 15 changed files in this pull request and generated 1 comment.
Pull Request Overview
Copilot reviewed 14 out of 15 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (1)
package.json:41

- The `find-up` dependency was updated to version 8.0.0 which requires Node.js >= 20, but the `engines.node` field still specifies `>=12.0.0`. This creates a runtime compatibility conflict. Either downgrade `find-up` to version 7.x (which supports Node >= 18) or update the minimum Node version to `>=20.0.0`.

```json
"engines": {
  "node": ">=12.0.0",
  "npm": ">=6.0.0"
},
```
What is the current behavior?
GitHub Issue Number: N/A
What is the new behavior?
Updated test tooling:
- `find-up` to `^8.0.0`
- `@stencil/core` to `^4.38.2`
- `@types/eslint` to `^9.6.1`
- `@types/jest` to `^30.0.0`
- `@types/node` to `^24.9.2`
- `@typescript-eslint/eslint-plugin` to `^8.46.2`
- `@typescript-eslint/parser` to `^8.46.2`
- `cspell` to `^9.2.2`
- `esbuild` to `^0.25.11`
- `eslint` to `^9.38.0`
- `eslint-config-prettier` to `^10.1.8`
- `eslint-plugin-jsdoc` to `^61.1.11`
- `eslint-plugin-simple-import-sort` to `^12.1.1`
- `eslint-plugin-unused-imports` to `^4.3.0`
- `jest` to `^30.2.0`
- `prettier` to `^3.6.2`
- `rimraf` to `^6.0.1`
- `ts-jest` to `^29.4.5`
- `typescript` to `^5.9.3`

- Configured Node via `actions/setup-node@v6` with the npm registry to trigger trusted publishing.
- Removed `.npmrc` token writes and relied on OIDC-issued credentials.
- Updated release workflows to call the reusable action without passing secrets.
- Kept existing build artifact handling and version bumping untouched.
Documentation
Does this introduce a breaking change?
Testing
Local runs (Windows):
- `npm ci`
- `npm run format`
- `npm run lint`
- `npm run spellcheck`
- `npm run build`
- `npm run test`

Not run (workflow-only change).
Other information
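A check a reviewer could run over release workflows after a migration like the one described above (example code added here, not part of the PR or the project). Both workflow texts are constructed samples; the `id-token: write` requirement comes from GitHub's OIDC documentation rather than from this page, and the matching is line-based, not a full YAML parse.

```javascript
const CHECKS = [
  // Must be absent once publishing relies on OIDC-issued credentials.
  { id: 'secret-token', bad: true, re: /secrets\.\w*NPM\w*TOKEN|NODE_AUTH_TOKEN\s*:/i },
  { id: 'npmrc-token-write', bad: true, re: /_authToken\s*=/ },
  // Must be present: permission to request an OIDC token, and setup-node pointed at npm.
  { id: 'oidc-permission', bad: false, re: /^\s*id-token:\s*write\s*$/m },
  { id: 'registry-url', bad: false, re: /registry-url:\s*['"]?https:\/\/registry\.npmjs\.org/ },
];

function auditPublishWorkflow(yamlText) {
  // Drop full-line YAML comments so a commented-out step neither passes nor fails a check.
  const live = yamlText.split('\n').filter((line) => !/^\s*#/.test(line)).join('\n');
  const findings = [];
  for (const { id, bad, re } of CHECKS) {
    const hit = re.test(live);
    if (bad && hit) findings.push(`present:${id}`);
    if (!bad && !hit) findings.push(`missing:${id}`);
  }
  return findings;
}

// Constructed sample: the token-based pattern the PR moves away from.
const TOKEN_BASED = `
jobs:
  publish:
    steps:
      - uses: actions/setup-node@v6
        with:
          registry-url: https://registry.npmjs.org
      - run: echo "//registry.npmjs.org/:_authToken=\${NPM_TOKEN}" >> .npmrc
      - run: npm publish
        env:
          NPM_TOKEN: \${{ secrets.NPM_TOKEN }}
`;

// Constructed sample: OIDC trusted publishing, with the old step left as a comment.
const OIDC_BASED = `
permissions:
  id-token: write
jobs:
  publish:
    steps:
      - uses: actions/setup-node@v6
        with:
          registry-url: https://registry.npmjs.org
      # - run: echo "//registry.npmjs.org/:_authToken=..." >> .npmrc
      - run: npm publish
`;
console.log(auditPublishWorkflow(TOKEN_BASED), auditPublishWorkflow(OIDC_BASED));
```

An empty result means no token remnants were found and both OIDC prerequisites are present; the permission must be granted in the calling workflow, since a composite action cannot set it.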