Chore/trusted publishing#205
adding npm trusted publishing so that we no longer need to use tokens
Pull request overview
Adds a manual Release GitHub Actions workflow configured for npm Trusted Publishing (OIDC) so publishing can happen without long-lived npm tokens.
Changes:
- Bumps package version to 1.6.3.
- Adds .nvmrc (Node 22) and a new manually-triggered .github/workflows/release.yml that builds and publishes with provenance and posts Slack notifications.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| package.json | Version bump for the release. |
| .nvmrc | Defines the Node version used by the release workflow. |
| .github/workflows/release.yml | Implements manual release workflow using OIDC trusted publishing + Slack notifications. |
Thanks, mainly looks good. I'm thinking this is the best way forward, wdyt:
1. Don't make the package json bump to 1.6.3 in this PR
2. It looks like we've done this on NPM. Did you do this just now to support this pr?
3. Then we can merge this PR (without a version bump)
4. Prepare a test version (separate from & commit that in a dedicated branch.
5. Run the workflow manually targeting that branch
6. After all that is confirmed as working we should update CONTRIBUTING.md to reflect the new process
What does it do?
Adding npm trusted publishing
Why is it needed?
So we no longer need tokens to publish packages
How to test it?
In its current state, it does not run automatically. A human will need to run the workflow in the GitHub UI
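
For readers following the thread, a manually triggered release workflow of the kind described above, as an added example that is not this PR's release.yml. It assumes the package's trusted publisher entry on npmjs.com already names this repository and workflow file, that package.json has a `build` script, and it leaves out the Slack notification steps.

```yaml
# Added example (hypothetical workflow, not the file from this PR).
name: Release

on:
  workflow_dispatch: {}        # manual run only; nothing publishes on push

# Default every job to read-only; grant more per job below.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write          # required so the job can request an OIDC token
    steps:
      # Tags shown for readability; pinning each action to a full commit SHA
      # narrows the supply-chain exposure of the release job.
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs npm CLI 11.5.1 or later, which is newer
      # than the npm bundled with Node 22.
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm run build     # assumed script name

      # No NODE_AUTH_TOKEN or NPM_TOKEN secret is set: the npm CLI exchanges
      # the job's OIDC token with the registry, and provenance is attached
      # automatically for trusted-publisher releases.
      - run: npm publish
```

Once a test release from this path succeeds, any remaining npm automation tokens in repository secrets can be revoked so the OIDC route is the only way to publish.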