Skip to content

ci: test npm trusted publishing on every push#2814

Open
findolor wants to merge 1 commit into
mainfrom
arda/test-npm-trusted-publishing
Open

ci: test npm trusted publishing on every push#2814
findolor wants to merge 1 commit into
mainfrom
arda/test-npm-trusted-publishing

Conversation

@findolor

@findolor findolor commented Jul 17, 2026

Copy link
Copy Markdown
Collaborator

Motivation

The npm package release workflow currently runs only after commits reach main, which makes the npm trusted-publisher configuration slow to diagnose. The latest release run received a GitHub OIDC token but npm rejected the exchange with OIDC token exchange error - package not found.

Both target packages already exist on npm at 0.0.1-alpha.238:

This is a temporary diagnostic change. Once trusted publishing succeeds, the trigger should be restored to main only.

Solution

  • Run the real npm release workflow on every pushed commit on every branch.
  • Preserve the generated release-commit guard so a successful release cannot trigger an infinite loop.
  • Keep the existing GitHub OIDC permission and workflow filename unchanged.
  • Remove Telegram status reporting while repeated diagnostic runs are expected.

The npm trusted publisher for each package should be configured for organization rainlanguage, repository raindex, and exact workflow filename npm-package-release.yml.

Checks

  • git diff --check
  • Parsed .github/workflows/npm-package-release.yml with Ruby YAML
  • Commit hooks passed, including no-consumer-prettier and yamlfmt
  • Pushing this branch triggered the real npm release workflow

Summary by CodeRabbit

  • Chores
    • Updated package release automation to run on all push events, while retaining safeguards against workflow-generated commits.
    • Removed automated CI failure and cancellation notifications sent to Telegram.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

📝 Walkthrough

Walkthrough

The npm package release workflow now triggers on all pushes, skips commits created by the workflow, and no longer forwards CI failure or cancellation status to Telegram.

Changes

Release workflow

Layer / File(s) Summary
Release trigger and status reporting
.github/workflows/npm-package-release.yml
The workflow runs on all pushes, the release job no longer requires the main branch, workflow-created commits remain skipped, and Telegram status forwarding was removed.

Estimated code review effort: 2 (Simple) | ~5 minutes

Possibly related PRs

Suggested reviewers: rouzwelt

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly captures the main change: running npm trusted publishing tests on every push.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch arda/test-npm-trusted-publishing

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/npm-package-release.yml:
- Around line 2-6: Restrict the workflow trigger or the release job condition in
the `release` job so it only runs from the intended protected branch and
preserves the existing commit-message loop prevention. Do not rely on the
`head_commit.message` check as the branch authorization boundary; ensure
arbitrary branch pushes cannot execute the privileged publishing path.
- Line 2: Restrict the workflow trigger in the top-level on configuration to
branch pushes only, replacing the unrestricted push trigger with an equivalent
branches filter that matches all branches. Ensure tag pushes do not start the
npm package release job, while normal branch pushes continue to trigger it.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ece921c7-0eb6-4e77-82de-9ea6810e15e9

📥 Commits

Reviewing files that changed from the base of the PR and between bb83031 and 8db9000.

📒 Files selected for processing (1)
  • .github/workflows/npm-package-release.yml

push:
branches:
- main
on: [push]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Map the workflow file structure first.
ast-grep outline .github/workflows/npm-package-release.yml --view expanded || true

echo
echo "=== File with line numbers (first 360 lines) ==="
nl -ba .github/workflows/npm-package-release.yml | sed -n '1,360p'

echo
echo "=== Search for push/tag filters and release-related steps in workflow files ==="
rg -n --no-heading 'on:|branches:|tags:|push:|release|npm package|Telegram|telegram|tag' .github/workflows -g '*.yml'

Repository: rainlanguage/raindex

Length of output: 304


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Workflow file with line numbers ==="
sed -n '1,360p' .github/workflows/npm-package-release.yml | cat -n

echo
echo "=== Relevant workflow trigger and release-step search ==="
rg -n --no-heading '^(on:|  push:|  branches:|  tags:|.*release|.*Telegram|.*telegram|.*tag)' .github/workflows/npm-package-release.yml

echo
echo "=== Other workflow files mentioning npm-package-release or similar release triggers ==="
rg -n --no-heading 'npm-package-release|on:\s*\[push\]|branches:|tags:' .github/workflows -g '*.yml'

Repository: rainlanguage/raindex

Length of output: 17325


Exclude tag pushes from .github/workflows/npm-package-release.yml:2. on: [push] also runs for tag pushes, and this job publishes before the later git push/release steps. On a detached tag ref, that can leave npm packages published without the matching commit/tag updates; use a branch-only push filter such as on: { push: { branches: ['**'] } }.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/npm-package-release.yml at line 2, Restrict the workflow
trigger in the top-level on configuration to branch pushes only, replacing the
unrestricted push trigger with an equivalent branches filter that matches all
branches. Ensure tag pushes do not start the npm package release job, while
normal branch pushes continue to trigger it.

Source: MCP tools

Comment on lines +2 to +6
on: [push]
jobs:
release:
# skip this job if the commit was created by this workflow (prevents infinite loop)
if: ${{ github.ref == 'refs/heads/main' && !startsWith(github.event.head_commit.message, 'NPM Package Release') }}
if: ${{ !startsWith(github.event.head_commit.message, 'NPM Package Release') }}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Map the workflow structure first.
ast-grep outline .github/workflows/npm-package-release.yml --view expanded || true

# Read the relevant top section and the release job permissions/guards.
sed -n '1,120p' .github/workflows/npm-package-release.yml

# Find references to branch/ref filters, permissions, and release-related push operations.
rg -n "refs/heads|refs/tags|permissions:|id-token: write|contents: write|NPM Package Release|push:" .github/workflows/npm-package-release.yml

Repository: rainlanguage/raindex

Length of output: 6371


Keep the release job off arbitrary branches. .github/workflows/npm-package-release.yml now runs on every push while still granting id-token: write, contents: write, secrets, and push access. The commit-message check is not a trust boundary, so anyone who can push a branch can execute the privileged publishing path.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/npm-package-release.yml around lines 2 - 6, Restrict the
workflow trigger or the release job condition in the `release` job so it only
runs from the intended protected branch and preserves the existing
commit-message loop prevention. Do not rely on the `head_commit.message` check
as the branch authorization boundary; ensure arbitrary branch pushes cannot
execute the privileged publishing path.

Source: MCP tools

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant