ci(release): use npm trusted publishing#67
Code Review
This pull request updates the CONTRIBUTING.md documentation to reflect the transition from using a long-lived NPM_TOKEN repository secret to using npm Trusted Publishing with GitHub Actions OIDC. The feedback points out a minor inaccuracy in the step-by-step instructions for configuring the trusted publisher on npmjs.com, suggesting a correction to match the actual npm user interface.
| 9. Allow the `npm publish` action. | ||
| 10. Save the trusted publisher configuration. |
In the npm Trusted Publisher setup UI, there is no option or step to "Allow the npm publish action". After filling in the workflow details, the user simply clicks the "Add publisher" button to save the configuration. Combining these steps makes the instructions more accurate to the actual npm interface.
| 9. Allow the `npm publish` action. | |
| 10. Save the trusted publisher configuration. | |
| 9. Click Add publisher to save the configuration. |
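Review bot: merging steps 9 and 10 into a single step 9 leaves any later items in this numbered list one ahead of their predecessor; renumber the remaining steps (or use `1.` for every item so Markdown renumbers automatically) so the rendered list stays continuous.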
Pull request overview
This PR updates the release process for the tapd CLI to publish the @go-tapd/tapd npm wrapper via npm Trusted Publishing (GitHub Actions OIDC), removing reliance on a long-lived npm token secret.
Changes:
- Updates the release workflow to stop using `NPM_TOKEN`/`NODE_AUTH_TOKEN` for `npm publish`.
- Adjusts the workflow's Node setup configuration for the npm publish step.
- Revises release maintenance documentation to describe npm Trusted Publishing setup and removes npm token secret guidance.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| CONTRIBUTING.md | Updates release credential documentation to replace NPM_TOKEN instructions with npm Trusted Publishing setup steps. |
| .github/workflows/release.yml | Removes npm token checks/auth env usage and updates the npm publish step to rely on OIDC-based publishing. |
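The OIDC-based publishing setup described in the overview above, written out as an added example workflow. This is not the go-tapd/cli project's own `release.yml`; the package name `@go-tapd/tapd` and the `scripts/set-version.js` call come from the PR text, while the trigger, Node version, action versions and the npm upgrade step are assumptions. The long-lived-token step it replaces is shown commented out beside the OIDC step so the difference is visible in one place.

```yaml
# Added example, not the project's release.yml.
# The workflow filename (release.yml) and the repository (go-tapd/cli) must match
# the trusted publisher entry registered in the package settings on npmjs.com.
name: release

on:
  push:
    tags: ['v*']          # assumption: releases are cut from version tags

permissions:
  contents: read
  id-token: write         # lets the job mint a GitHub OIDC token for npm to verify;
                          # without this, trusted publishing and --provenance both fail

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
          # Weak setting (removed by this PR): a long-lived secret that, if leaked,
          # grants publish rights independent of any workflow or repository:
          #   env:
          #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      # Trusted publishing needs npm 11.5.1 or newer (assumption: the runner's
      # bundled npm may be older).
      - run: npm install -g npm@latest

      - run: node scripts/set-version.js "$GITHUB_REF_NAME"

      # No token in env: npm exchanges the OIDC token for a short-lived publish
      # credential scoped to this repo + workflow. Keep --provenance so the
      # published version carries an attestation tying it to this run.
      - run: npm publish --access public --provenance
```

With this shape there is no npm secret to rotate or leak; the trust boundary moves to the npmjs.com trusted-publisher entry (org/repo + workflow filename), which is why the CodeRabbit nitpick further down asks maintainers to re-check that entry as part of release verification.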
| run: | | ||
| node scripts/set-version.js "$GITHUB_REF_NAME" | ||
| npm publish --access public --provenance | ||
| npm publish --access public |
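Review bot: the replacement line drops `--provenance` from `npm publish --access public --provenance` even though the PR keeps the job's GitHub OIDC permission (`id-token: write`) in place, so released versions would stop carrying a provenance attestation that consumers can verify against this workflow; restore `npm publish --access public --provenance`, or state in the PR why provenance is produced some other way.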
| ### Rotate Expired Tokens | ||
|
|
||
| When a token is close to expiration: | ||
| When `TAP_GITHUB_TOKEN` is close to expiration: |
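Review bot: the section under `### Rotate Expired Tokens` now names only `TAP_GITHUB_TOKEN`, so the plural heading no longer matches its body; retitle it (singular) or add one sentence saying the npm side no longer has a token to rotate, so maintainers don't go looking for a second rotation procedure.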
Actionable comments posted: 1
🧹 Nitpick comments (1)
CONTRIBUTING.md (1)
83-116: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win
Add an explicit trusted-publisher verification step.
Lines 85-116 only verify `TAP_GITHUB_TOKEN` and local npm metadata, and Lines 114-116 already note that this still does not validate the OIDC binding. Add a manual check that the npm package settings still point to `go-tapd/cli` and `release.yml`; otherwise maintainers can finish every documented verification step and still hit a failed release.
Suggested addition
### Verify Release Configuration @@ Expected results: @@ - `npm publish --access public --dry-run` prints the package contents and ends with `+ `@go-tapd/tapd`@...`. + +Manual check: + +- Re-open the npm package settings and confirm the trusted publisher entry still + targets `go-tapd/cli` and workflow `release.yml`.🤖 Prompt for AI Agents
| run: | | ||
| node scripts/set-version.js "$GITHUB_REF_NAME" | ||
| npm publish --access public --provenance | ||
| npm publish --access public |
🔒 Security & Privacy | 🟠 Major
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the release workflow around the referenced lines
git ls-files .github/workflows/release.yml
echo '---'
cat -n .github/workflows/release.yml | sed -n '1,160p'
echo '--- search provenance usage ---'
rg -n --hidden --glob '.github/workflows/*.yml' --glob '.github/workflows/*.yaml' 'provenance|npm publish|id-token|permissions:' .github/workflows
Repository: go-tapd/cli
Length of output: 2532
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Find any repo docs/config mentioning npm provenance or trusted publishing
rg -n --hidden 'provenance|trusted publishing|trusted-publishing|OIDC|id-token|npm publish' .
Repository: go-tapd/cli
Length of output: 1076
Restore --provenance on npm publish. .github/workflows/release.yml:69 already uses GitHub OIDC (id-token: write), so dropping --provenance stops emitting provenance for released packages.
Summary
Move npm package publishing from a long-lived npm token to npm Trusted Publishing through GitHub Actions OIDC.
Changes
`NODE_AUTH_TOKEN`, relying on the workflow `id-token: write` permission
Motivation
Testing
- `.github/workflows/release.yml` as YAML
- `git diff --check`
- `npm pack --dry-run`
Notes
`go-tapd/cli` using workflow `release.yml` before the next tag release.