fix: npm trusted publishing #134
Conversation
Greptile Overview
Greptile Summary
This PR configures npm trusted publishing with provenance attestations for the @formo/analytics package. The changes pin Node.js to version 22.14.0 across CI and release workflows, upgrade @semantic-release/npm to v13.1.1 (which supports provenance), and add .nvmrc for version consistency.
Key changes:
- Pinned Node.js to 22.14.0 in both workflows and new `.nvmrc` file
- Upgraded `@semantic-release/npm` from 12.0.1 to 13.1.1 to support provenance publishing
- Upgraded `@types/node` to v22.0.0 to match Node version
- `package.json` already has `provenance: true` in `publishConfig`
- Release workflow already has `id-token: write` permission for OIDC tokens
The configuration correctly implements npm's trusted publishing requirements: OIDC authentication via GitHub Actions, provenance flag in package.json, and a semantic-release plugin version that supports provenance.
Confidence Score: 5/5
- This PR is safe to merge with no issues - it correctly implements npm trusted publishing
- All changes are configuration updates that correctly implement npm trusted publishing. The Node.js version upgrade to 22.14.0 is stable, the semantic-release/npm v13.1.1 supports provenance, and all required permissions and settings are properly configured. No code logic changes or potential runtime issues.
- No files require special attention
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| .github/workflows/release.yml | 5/5 | Updated Node.js version from "20" to "22.14.0" for npm trusted publishing support; workflow correctly configured with id-token permission |
| .nvmrc | 5/5 | New file pinning Node.js version to 22.14.0 for consistency across environments |
| package.json | 5/5 | Upgraded @semantic-release/npm to v13.1.1 (adds provenance support) and @types/node to v22.0.0; provenance: true already configured |
Sequence Diagram
```mermaid
sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub Actions
    participant Node as Node.js 22.14.0
    participant SR as semantic-release
    participant NPM as npm Registry
    Dev->>GH: Push to main branch
    GH->>GH: Checkout code
    GH->>Node: Setup Node 22.14.0
    GH->>Node: Update npm to latest
    GH->>Node: Install dependencies (yarn)
    GH->>Node: Build SDK
    GH->>SR: Run semantic-release
    SR->>SR: Analyze commits
    SR->>SR: Generate release notes
    SR->>NPM: Publish with --provenance flag
    Note over NPM: OIDC token from id-token permission
    NPM->>NPM: Generate provenance attestation
    NPM-->>SR: Publish success
    SR->>GH: Create GitHub release
    SR->>GH: Comment on PRs
    SR-->>GH: Release complete
```
4 files reviewed, no comments
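The pieces the review above checks for (pinned Node version from `.nvmrc`, `id-token: write` for the OIDC exchange, no long-lived registry token) in one place, as an added illustrative release workflow that is not the PR's own `release.yml`; it assumes a yarn build, that semantic-release is run through a `semantic-release` script, and that the package is registered as a trusted publisher for this repository and workflow on npmjs.com:

```yaml
# Added example, not the project's release.yml. Assumes: yarn build,
# "yarn semantic-release" invokes semantic-release, and the package has a
# trusted publisher configured on npmjs.com for this repo + workflow file.
name: Release

on:
  push:
    branches: [main]

permissions:
  contents: write        # semantic-release pushes tags and creates the GitHub release
  issues: write          # comments on resolved issues
  pull-requests: write   # comments on merged PRs
  id-token: write        # allows the job to request the OIDC token npm verifies

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0            # full history so semantic-release can analyze commits

      - uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc   # 22.14.0, same pin CI uses
          registry-url: https://registry.npmjs.org

      # A current npm CLI is needed for the OIDC exchange and --provenance.
      - run: npm install -g npm@latest

      - run: yarn install --frozen-lockfile
      - run: yarn build

      - run: yarn semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # No NPM_TOKEN: with trusted publishing the registry authenticates the
          # workflow's short-lived OIDC token, so a stored publish secret is not
          # needed and cannot leak. "provenance": true in package.json's
          # publishConfig is what makes the publish carry an attestation.
```

Consumers can confirm that a published version carries a valid attestation with `npm audit signatures` in a project that depends on it.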
Note
Updates GitHub Actions release workflow for npm trusted publishing, tweaks CI, updates Node version, and adjusts package configuration.
- `/.github/workflows/release.yml` to use npm trusted publishing.
- `/.github/workflows/ci.yml`.
- `/.nvmrc`.
- `package.json` (publishing/config/scripts).

Written by Cursor Bugbot for commit f41f0d5.