ci: test npm trusted publishing on every push#2814
Conversation
📝 WalkthroughWalkthroughThe npm package release workflow now triggers on all pushes, skips commits created by the workflow, and no longer forwards CI failure or cancellation status to Telegram. ChangesRelease workflow
Estimated code review effort: 2 (Simple) | ~5 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/npm-package-release.yml:
- Around line 2-6: Restrict the workflow trigger or the release job condition in
the `release` job so it only runs from the intended protected branch and
preserves the existing commit-message loop prevention. Do not rely on the
`head_commit.message` check as the branch authorization boundary; ensure
arbitrary branch pushes cannot execute the privileged publishing path.
- Line 2: Restrict the workflow trigger in the top-level on configuration to
branch pushes only, replacing the unrestricted push trigger with an equivalent
branches filter that matches all branches. Ensure tag pushes do not start the
npm package release job, while normal branch pushes continue to trigger it.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: ece921c7-0eb6-4e77-82de-9ea6810e15e9
📒 Files selected for processing (1)
.github/workflows/npm-package-release.yml
| push: | ||
| branches: | ||
| - main | ||
| on: [push] |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Map the workflow file structure first.
ast-grep outline .github/workflows/npm-package-release.yml --view expanded || true
echo
echo "=== File with line numbers (first 360 lines) ==="
nl -ba .github/workflows/npm-package-release.yml | sed -n '1,360p'
echo
echo "=== Search for push/tag filters and release-related steps in workflow files ==="
rg -n --no-heading 'on:|branches:|tags:|push:|release|npm package|Telegram|telegram|tag' .github/workflows -g '*.yml'Repository: rainlanguage/raindex
Length of output: 304
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo "=== Workflow file with line numbers ==="
sed -n '1,360p' .github/workflows/npm-package-release.yml | cat -n
echo
echo "=== Relevant workflow trigger and release-step search ==="
rg -n --no-heading '^(on:| push:| branches:| tags:|.*release|.*Telegram|.*telegram|.*tag)' .github/workflows/npm-package-release.yml
echo
echo "=== Other workflow files mentioning npm-package-release or similar release triggers ==="
rg -n --no-heading 'npm-package-release|on:\s*\[push\]|branches:|tags:' .github/workflows -g '*.yml'Repository: rainlanguage/raindex
Length of output: 17325
Exclude tag pushes from .github/workflows/npm-package-release.yml:2. on: [push] also runs for tag pushes, and this job publishes before the later git push/release steps. On a detached tag ref, that can leave npm packages published without the matching commit/tag updates; use a branch-only push filter such as on: { push: { branches: ['**'] } }.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/npm-package-release.yml at line 2, Restrict the workflow
trigger in the top-level on configuration to branch pushes only, replacing the
unrestricted push trigger with an equivalent branches filter that matches all
branches. Ensure tag pushes do not start the npm package release job, while
normal branch pushes continue to trigger it.
Source: MCP tools
| on: [push] | ||
| jobs: | ||
| release: | ||
| # skip this job if the commit was created by this workflow (prevents infinite loop) | ||
| if: ${{ github.ref == 'refs/heads/main' && !startsWith(github.event.head_commit.message, 'NPM Package Release') }} | ||
| if: ${{ !startsWith(github.event.head_commit.message, 'NPM Package Release') }} |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Map the workflow structure first.
ast-grep outline .github/workflows/npm-package-release.yml --view expanded || true
# Read the relevant top section and the release job permissions/guards.
sed -n '1,120p' .github/workflows/npm-package-release.yml
# Find references to branch/ref filters, permissions, and release-related push operations.
rg -n "refs/heads|refs/tags|permissions:|id-token: write|contents: write|NPM Package Release|push:" .github/workflows/npm-package-release.ymlRepository: rainlanguage/raindex
Length of output: 6371
Keep the release job off arbitrary branches. .github/workflows/npm-package-release.yml now runs on every push while still granting id-token: write, contents: write, secrets, and push access. The commit-message check is not a trust boundary, so anyone who can push a branch can execute the privileged publishing path.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.github/workflows/npm-package-release.yml around lines 2 - 6, Restrict the
workflow trigger or the release job condition in the `release` job so it only
runs from the intended protected branch and preserves the existing
commit-message loop prevention. Do not rely on the `head_commit.message` check
as the branch authorization boundary; ensure arbitrary branch pushes cannot
execute the privileged publishing path.
Source: MCP tools
Motivation
The npm package release workflow currently runs only after commits reach
main, which makes the npm trusted-publisher configuration slow to diagnose. The latest release run received a GitHub OIDC token but npm rejected the exchange withOIDC token exchange error - package not found.Both target packages already exist on npm at
0.0.1-alpha.238:@rainlanguage/raindex@rainlanguage/ui-componentsThis is a temporary diagnostic change. Once trusted publishing succeeds, the trigger should be restored to
mainonly.Solution
The npm trusted publisher for each package should be configured for organization
rainlanguage, repositoryraindex, and exact workflow filenamenpm-package-release.yml.Checks
git diff --check.github/workflows/npm-package-release.ymlwith Ruby YAMLno-consumer-prettierandyamlfmtSummary by CodeRabbit