fix: update release pipeline Node.js version to 24.x and enable provenance for npm publish #31

Merged
Eoic merged 1 commit into master from feat/npm-trusted-publishing
Feb 22, 2026

@Eoic Eoic commented Feb 22, 2026

No description provided.

Copilot AI review requested due to automatic review settings February 22, 2026 14:53
@Eoic Eoic merged commit 1f1491f into master Feb 22, 2026
6 checks passed

codecov bot commented Feb 22, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.57%. Comparing base (1d6833f) to head (f50ede5).
⚠️ Report is 5 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master      #31      +/-   ##
==========================================
- Coverage   86.66%   86.57%   -0.09%     
==========================================
  Files          20       20              
  Lines        1177     1177              
  Branches      188      199      +11     
==========================================
- Hits         1020     1019       -1     
- Misses        157      158       +1     
Flag Coverage Δ
unittests 86.57% <ø> (-0.09%) ⬇️


Copilot AI left a comment

Pull request overview

This PR updates the release pipeline to use Node.js 24.x (upgraded from 22.x) and enables npm provenance for published packages. Provenance creates cryptographically signed attestations that link the published npm package to its source repository and build, enhancing supply chain security. The workflow already has the necessary id-token: write permission required for provenance generation.

Changes:

  • Upgraded Node.js version from 22.x to 24.x in the release workflow
  • Added --provenance flag to both stable and pre-release npm publish commands

Comment on lines 159 to 167
- name: Publish to NPM
run: |
if [ "${{ github.event.inputs.pre_release }}" == "true" ]; then
echo "Publishing pre-release with beta tag"
npm publish --tag beta
npm publish --provenance --tag beta
else
echo "Publishing stable release"
npm publish
npm publish --provenance
fi
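
Review bot: the `if [ "${{ github.event.inputs.pre_release }}" == "true" ]` test at the top of this step expands the workflow input into the script text before the shell starts, so the value is parsed as shell source rather than compared as data. Pass it through the step's `env:` block instead (for example a variable such as `PRE_RELEASE: ${{ github.event.inputs.pre_release }}`, name chosen here for illustration) and test `"$PRE_RELEASE"` in the script. Separately, `--provenance` is now repeated on both `npm publish` lines; setting it once, via `NPM_CONFIG_PROVENANCE: true` in the step environment or `"provenance": true` under `publishConfig` in package.json, keeps a later third publish path from silently shipping without an attestation.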

Copilot AI Feb 22, 2026

The npm publish command requires authentication via NODE_AUTH_TOKEN environment variable. The workflow sets registry-url at line 41 but does not provide NODE_AUTH_TOKEN in the "Publish to NPM" step's environment. Without this, npm publish will fail with an authentication error.

Add the NODE_AUTH_TOKEN environment variable to the publish step using secrets.NPM_TOKEN, similar to how other workflows typically configure npm authentication with actions/setup-node@v4.
