Pull request overview
Updates the project’s npm tooling dependencies and adjusts the GitHub Actions publish workflow, likely to support a newer publishing/auth approach while bumping the package version.
Changes:
- Bump package version to `3.1.13`.
- Update devDependencies (`@types/node`, `@typescript-eslint/*`, `globals`) and refresh `package-lock.json` accordingly.
- Modify `.github/workflows/publish.yml` to use top-level OIDC permissions and simplify the publish step.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| `package.json` | Version bump and devDependency updates. |
| `package-lock.json` | Lockfile refresh to match updated dependency versions. |
| `.github/workflows/publish.yml` | Workflow permissions/job adjustments and changes to npm publish invocation. |
| - run: npm install -g npm@latest | ||
| - run: npm install | ||
| - run: npm run release | ||
| - run: npm publish --access public | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }} No newline at end of file | ||
| - run: npm publish No newline at end of file |
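Review bot: `npm install -g npm@latest` on the first line of this hunk is unpinned, so the job that publishes the package runs whichever npm release is current at that moment. Pin an explicit npm version so the publishing toolchain only changes through a reviewed commit. The following `npm install` can also resolve and rewrite dependencies; `npm ci` installs exactly what `package-lock.json` records and fails if it disagrees with `package.json`, which is the safer behaviour for a release build.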
npm publish now runs without any authentication step (no NODE_AUTH_TOKEN, npm login, or equivalent). Unless the repo/package is configured for npm Trusted Publishing via GitHub OIDC, this workflow will fail at publish time. Consider restoring token-based auth or adding the required Trusted Publishing/provenance configuration explicitly.
| - run: npm publish --access public | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }} No newline at end of file | ||
| - run: npm publish No newline at end of file |
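Review bot: the secret behind `NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}` should be retired along with the `env:` block that referenced it on the publish step. Once a publish through the new path has succeeded, delete `NODE_AUTH_TOKEN` from the repository secrets and revoke the token on npm, so a long-lived publish credential does not stay valid after the workflow has stopped using it.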
The package name is scoped (@next2d/...) and package.json does not set publishConfig.access. Dropping --access public makes the access level implicit; for scoped packages this can default to restricted on first publish and can lead to inconsistent behavior across environments. Consider adding publishConfig: { "access": "public" } or keeping npm publish --access public in the workflow.
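The two review comments above can be checked statically before a release runs. The sketch below is an added example, not code from this repository or from the reviewer; `checkPublishSetup`, the finding names, and the sample package and workflows are hypothetical. A passing OIDC check only shows that the workflow requests an ID token, not that the package is registered for Trusted Publishing on npm.

```javascript
// Added example: static pre-publish check. Sample inputs below are constructed.
function checkPublishSetup(pkg, workflowYaml) {
  // Drop YAML comment lines so a commented-out setting does not count.
  const yaml = workflowYaml
    .split("\n")
    .filter((line) => !line.trim().startsWith("#"))
    .join("\n");
  const findings = [];

  // Point 1: some credential source must exist for `npm publish`.
  const hasToken = /^\s*NODE_AUTH_TOKEN\s*:/m.test(yaml);
  const hasOidc = /^\s*id-token\s*:\s*write\s*$/m.test(yaml);
  if (!hasToken && !hasOidc) findings.push("no-publish-auth");

  // Point 2: a scoped package should state its access level explicitly.
  const scoped = typeof pkg.name === "string" && pkg.name.startsWith("@");
  const inPkg = Boolean(pkg.publishConfig && pkg.publishConfig.access);
  const onCli = /npm publish\b[^\n]*--access[ =]\S+/.test(yaml);
  if (scoped && !inPkg && !onCli) findings.push("access-implicit");

  return findings;
}

// Constructed samples: a placeholder scoped package and three workflow variants.
const samplePkg = { name: "@example-scope/example-pkg", version: "0.0.0" };
const tokenWorkflow = [
  "jobs:",
  "  publish:",
  "    steps:",
  "      - run: npm publish --access public",
  "        env:",
  "          NODE_AUTH_TOKEN: ${{ secrets.NODE_AUTH_TOKEN }}",
].join("\n");
const oidcWorkflow = [
  "permissions:",
  "  id-token: write",
  "  contents: read",
  "jobs:",
  "  publish:",
  "    steps:",
  "      - run: npm publish",
].join("\n");
const bareWorkflow = oidcWorkflow.replace("  id-token: write\n", "");

console.log(checkPublishSetup(samplePkg, tokenWorkflow));
console.log(checkPublishSetup(samplePkg, oidcWorkflow));
console.log(checkPublishSetup(samplePkg, bareWorkflow));
```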
No description provided.