Fix npm trusted publishing#14
Conversation
|
@cursor review |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 0b5db76. Configure here.
There was a problem hiding this comment.
Pull request overview
This PR updates the manual npm publish workflow to use npm Trusted Publishing via GitHub OIDC (instead of token/provenance publishing) and tightens the published tarball contents to the Unity package surface.
Changes:
- Switch publish authentication to OIDC-based npm Trusted Publishing and add an npm version gate (>= 11.5.1) to fail fast.
- Move the workflow to Node 24 and adjust Node setup behavior.
- Add a
package.json.filesallowlist sonpm packincludes only the intended Unity package directories and required root.metafiles.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
package.json |
Adds a files allowlist to constrain what goes into the npm tarball to the Unity package surface (and root .meta files). |
.github/workflows/npm-publish.yml |
Migrates the manual publish workflow to OIDC-based Trusted Publishing, updates Node version, and adds an npm CLI minimum-version check. |
Comments suppressed due to low confidence (1)
.github/workflows/npm-publish.yml:32
actions/checkout@v7does not appear to be a released major version ofactions/checkout(v4 is the latest). This will cause the workflow to fail at checkout time and block publishing.
- name: Checkout
uses: actions/checkout@v7
with:
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
Follow-up on Copilot's suppressed low-confidence note: verified against GitHub's tags API that |
|
Validation update: manually dispatched |
Summary
>=11.5.1.package.json.filesallowlist so the npm tarball contains only the Unity package surface and required root Unity.metafiles.Root Cause
The publish job still exported
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}and usednpm publish --provenance. The secret is no longer populated, so npm did not authenticate through Trusted Publishing and failed withENEEDAUTH. Node 22 also risks bundling npm below the Trusted Publishing minimum.Validation
npm pack --dry-run --jsonruby -e "require 'yaml'; YAML.load_file('.github/workflows/npm-publish.yml')"git diff --check.npmignoreblocklist with the currentpackage.json.filesallowlist, the second found zero issues.Risk / Rollback
Risk is limited to the manual npm publish workflow and package tarball contents. Rollback is reverting this commit and restoring token-based publishing while npm Trusted Publisher settings are corrected.
Note
Medium Risk
Changes only affect the manual publish workflow and tarball contents; wrong OIDC/npm setup or a bad
fileslist could block releases or omit required Unity assets.Overview
Fixes manual npm publishing that failed with
ENEEDAUTHafterNPM_TOKENwas removed: the workflow now relies on npm Trusted Publishing via GitHub OIDC (id-token: write), dropsNODE_AUTH_TOKENand--provenance, and documents that model in comments.The publish job moves to Node 24, sets
package-manager-cache: false, and adds a fail-fast check that npm ≥ 11.5.1 (Trusted Publishing minimum) before publish.package.jsongains afilesallowlist sonpm packships only the Unity package layout (Editor, Runtime, Tests, docs, and required root.metafiles) instead of unrelated repo content.Reviewed by Cursor Bugbot for commit 0b5db76. Bugbot is set up for automated code reviews on this repo. Configure here.