
ci: move npm publish to GHA for trusted publishing with provenance#7061

Draft
serhalp wants to merge 5 commits into main from claude/slack-session-78quP

Conversation


@serhalp serhalp commented May 13, 2026

Summary

  • Move release.yml workflow (stable releases) from CircleCI to GitHub Actions
  • Update pre-release.yml (already on GHA) to use OIDC permissions and --provenance flag

- Add release.yml workflow using release-please-action for stable releases
- Update pre-release.yml with OIDC permissions and --provenance flag
- Remove release-please job from CircleCI (update-lockfile stays)

https://claude.ai/code/session_011HCWQbTc6LTeMxgdwTH2R6

coderabbitai Bot commented May 13, 2026

Important

Review skipped

Draft detected.


Comment thread on .github/workflows/release.yml (Outdated)
serhalp and others added 2 commits May 13, 2026 12:06
With id-token: write permission and trusted publishing configured
on npmjs.com, npm uses the short-lived OIDC token automatically.
NODE_AUTH_TOKEN was bypassing OIDC and using the long-lived token.

https://claude.ai/code/session_01NmU7gnap9unNWgcsUyN3J7
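The publish job that the summary and the commit note above describe, written out as an added illustration (not this PR's actual release.yml): the job-level `id-token: write` permission lets npm mint a short-lived OIDC token for trusted publishing, `--provenance` attaches the build attestation, and no `NODE_AUTH_TOKEN` is set, because a token in the environment makes npm use the long-lived secret instead of OIDC. The workflow name, step names, Node version and the `releases_created` gate are assumptions based on the lines quoted in this thread.

```yaml
# Added illustration of the trusted-publishing shape described in this PR;
# not the repository's own workflow file.
name: release

on:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  release-please:
    runs-on: ubuntu-latest
    permissions:
      contents: write       # create the GitHub release and tag
      pull-requests: write  # open/update the release PR
    outputs:
      releases_created: ${{ steps.release.outputs.releases_created }}
    steps:
      - id: release
        uses: googleapis/release-please-action@v4

  publish:
    needs: release-please
    # Output is a string, so compare against the string 'true'.
    if: ${{ needs.release-please.outputs.releases_created == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required: npm exchanges the OIDC token for a publish credential
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Trusted publishing needs an npm CLI with OIDC support (11.5.1 or newer).
      - run: npm install -g npm@latest
      - run: npm ci
      # Before (token-based publish): a long-lived secret was injected and npm
      # used it even when OIDC was available:
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # After: no token env var at all. The package must be configured on
      # npmjs.com to trust this repository and this workflow filename.
      - run: npm publish --provenance
```

If `NODE_AUTH_TOKEN` is left in the environment alongside `id-token: write`, publishing still succeeds but silently falls back to the secret, so the absence of that variable is the thing to check when verifying the migration.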

publish:
needs: release-please
if: ${{ needs.release-please.outputs.releases_created == 'true' }}
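Review bot: gating `publish` on `needs.release-please.outputs.releases_created == 'true'` means a publish that fails after release-please has already created the release cannot be re-run through this job, because a re-run of the workflow sees no new release and the condition stays false; add a `workflow_dispatch` trigger (for example with a tag input) so the publish job can be run on demand against the already-tagged release. The string comparison itself is correct, since release-please exposes the output as a string.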
Contributor


On npm publishing flakes, when the release-please run determines that a release was created but the actual publish fails (i.e. some network or npm registry issue), this would mean there is no way to "retry" to actually publish to npm, so this is a change from the way the CircleCI workflow works.

Comment on lines +39 to +41
run: npx lerna publish from-package --yes --no-private
env:
NPM_CONFIG_PROVENANCE: true
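Review bot: the PR description says the `--provenance` flag is used, but this step enables provenance through `NPM_CONFIG_PROVENANCE: true` in `env` instead; npm honours both, but pick one form and state it in the description so reviewers can match the workflow to the summary. Also, `npx lerna publish from-package` delegates the actual upload to npm with whatever lerna version the lockfile resolves, and the `env` block defines no `NODE_AUTH_TOKEN`, so confirm on a pre-release that this lerna version really lets npm pick up the OIDC credential rather than failing with an authentication error.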
Contributor


https://lerna.js.org/docs/recipes/oidc-trusted-publishing - not sure of the details, but they say lerna 9 added support, but we use

"lerna": "^8.2.2",
