NPM Publish Workflow #1460
Pull request overview
Adds a GitHub Actions-based release pipeline to publish rclnodejs to npm on tag pushes, using reusable prebuild workflows to generate and bundle native binaries and publishing via npm OIDC/provenance (addressing #1459).
Changes:
- Adds a new `.github/workflows/npm-publish.yml` workflow that runs on tag pushes, builds x64/arm64 prebuilds in parallel, packs, and publishes to npm.
- Converts the existing Linux x64/arm64 prebuild workflows from `push: tags` triggers to reusable `workflow_call` workflows (keeping `workflow_dispatch`).
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/npm-publish.yml | New tag-triggered orchestrator workflow for prebuild + pack + npm publish with OIDC provenance. |
| .github/workflows/prebuild-linux-x64.yml | Changes trigger to workflow_call to support reuse by the publish workflow. |
| .github/workflows/prebuild-linux-arm64.yml | Changes trigger to workflow_call to support reuse by the publish workflow. |
| permissions: | ||
| contents: read | ||
|
|
The workflow sets permissions: contents: read at the workflow level, which removes the default actions permission. That will prevent the called prebuild workflows from uploading artifacts (actions/upload-artifact) and will also prevent this workflow from downloading them (actions/download-artifact) in the publish job. Grant actions: write (for prebuild artifact upload) and at least actions: read (for artifact download) via workflow-level or per-job permissions (remember called workflows can’t exceed the caller’s permissions).
| on: | ||
| push: | ||
| tags: | ||
| - '*' | ||
|
|
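Review bot: `tags: - '*'` in the `on: push:` block fires this release workflow on every tag pushed to the repository, not only on release tags, so any stray tag starts a build and, with the publish job further down, an npm publish. Narrow the glob to the release tag pattern (for instance `'v*'`) and check that the tag matches the version in package.json before the `npm publish` step so a non-release tag cannot produce a release.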
PR description says this workflow should also support manual workflow_dispatch with a dry-run option, but the workflow currently only triggers on push tags and always runs npm publish. Add a workflow_dispatch trigger with an input (e.g., dry_run) and gate the publish step/job accordingly.
| contents: read | ||
| id-token: write | ||
| steps: | ||
| - uses: actions/checkout@v5 |
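Review bot: this job holds `id-token: write`, so every action that runs in it can request the OIDC token that npm trusts for publishing; pinning `actions/checkout` to a floating major tag (`@v5` here, or `@v6` as suggested in the next comment) means the code running with that token can change without any commit to this repository. Pin each action in the publish job to a full commit SHA (the later comment on `actions/upload-artifact` raises the same option) and bump the SHA through reviewed pull requests.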
actions/checkout is pinned to @v5 here, while other workflows in this repo are using actions/checkout@v6 (e.g. .github/workflows/linux-x64-build-and-test.yml). Consider aligning to @v6 for consistency and to pick up the latest fixes/security updates.
| - uses: actions/checkout@v5 | |
| - uses: actions/checkout@v6 |
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| prebuild-x64: | ||
| uses: ./.github/workflows/prebuild-linux-x64.yml | ||
|
|
||
| prebuild-arm64: | ||
| uses: ./.github/workflows/prebuild-linux-arm64.yml | ||
|
|
The workflow sets top-level permissions: contents: read, which implicitly sets all other scopes to none. This will likely break artifact upload/download: the reusable prebuild workflows need actions: write to upload artifacts, and the publish job needs actions: read to download them. Consider granting actions permissions at the appropriate job level (least privilege) or at the workflow level so upload-artifact/download-artifact can function.
| prebuild-x64: | ||
| uses: ./.github/workflows/prebuild-linux-x64.yml | ||
|
|
||
| prebuild-arm64: | ||
| uses: ./.github/workflows/prebuild-linux-arm64.yml | ||
|
|
||
| publish: | ||
| needs: [prebuild-x64, prebuild-arm64] | ||
| # Only publish from the official repository, not forks | ||
| if: github.repository == 'RobotWebTools/rclnodejs' | ||
| runs-on: ubuntu-latest |
The PR description mentions fork protection, but only the publish job is guarded with if: github.repository == 'RobotWebTools/rclnodejs'. As written, prebuild-x64 and prebuild-arm64 will still run on forks (and on any tag push), consuming CI resources. If the intent is to fully protect the workflow, apply the same if: to the prebuild jobs (or gate them via a single reusable “publish” workflow that includes the prebuilds).
Pull request overview
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (2)
.github/workflows/prebuild-linux-x64.yml:66
- This workflow pins `actions/upload-artifact@v7`, but that major version is not known to exist in the set of stable `actions/upload-artifact` releases. If the tag is invalid, artifact upload will fail and the publish workflow won’t be able to bundle binaries. Please verify the available major versions (or pin to a known valid major / commit SHA).

```yaml
      - name: Upload prebuilt binary
        uses: actions/upload-artifact@v7
        with:
          name: prebuilt-linux-x64-node${{ matrix.node-version }}-${{ matrix.ubuntu_codename }}-${{ matrix.ros_distribution }}
          path: prebuilds/linux-x64/*.node
          if-no-files-found: error
```

.github/workflows/prebuild-linux-arm64.yml:66
- This workflow pins `actions/upload-artifact@v7`, but that major version is not known to exist in the set of stable `actions/upload-artifact` releases. If the tag is invalid, artifact upload will fail and downstream publish jobs won’t be able to bundle binaries. Please verify the available major versions (or pin to a known valid major / commit SHA).

```yaml
      - name: Upload prebuilt binary
        uses: actions/upload-artifact@v7
        with:
          name: prebuilt-linux-arm64-node${{ matrix.node-version }}-${{ matrix.ubuntu_codename }}-${{ matrix.ros_distribution }}
          path: prebuilds/linux-arm64/*.node
          if-no-files-found: error
```
| permissions: | ||
| contents: read | ||
|
|
||
| jobs: | ||
| prebuild-x64: | ||
| if: github.repository == 'RobotWebTools/rclnodejs' | ||
| uses: ./.github/workflows/prebuild-linux-x64.yml | ||
|
|
||
| prebuild-arm64: | ||
| if: github.repository == 'RobotWebTools/rclnodejs' | ||
| uses: ./.github/workflows/prebuild-linux-arm64.yml | ||
|
|
permissions is set to contents: read at the workflow level, which restricts the GITHUB_TOKEN for all jobs (including the reusable prebuild jobs). Uploading artifacts typically requires actions: write, and downloading artifacts typically requires actions: read; with the current permissions the upload-artifact/download-artifact steps are likely to fail with "Resource not accessible by integration". Consider granting actions: write to the prebuild-* jobs and actions: read to the publish job (or set an appropriate workflow-level permission set).
Automate npm publishing via GitHub Actions when a new tag is pushed. Prebuilt binaries for both x64 and arm64 are built in parallel, bundled into the tarball, and published to npm with SLSA provenance attestation using OIDC trusted publishing (no long-lived npm token required).

### Changes

**New: `.github/workflows/npm-publish.yml`** — Triggers on tag push or manual `workflow_dispatch` (with dry-run option). Calls `prebuild-linux-x64.yml` and `prebuild-linux-arm64.yml` as reusable sub-workflows in parallel. After both complete, the `publish` job downloads all prebuilt `.node` artifacts, runs `./scripts/npm-pack.sh` to create the tarball, and publishes via `npm publish --provenance --access public`. Security: fork protection (`if: github.repository == 'RobotWebTools/rclnodejs'`), concurrency guard, GitHub environment (`npm-publish`) for deployment protection, and `id-token: write` for OIDC trusted publishing.

**Modified: `.github/workflows/prebuild-linux-arm64.yml`** — Replaced `push: tags: '*'` trigger with `workflow_call:` so it can be invoked as a reusable workflow from `npm-publish.yml`. `workflow_dispatch:` retained for manual runs.

**Modified: `.github/workflows/prebuild-linux-x64.yml`** — Same change as arm64: replaced `push: tags:` with `workflow_call:`.

Fix: #1459
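As an added example (not the PR's file or the project's own code), here is the publish workflow restructured along the review threads above: per-job `actions` scopes so artifact upload and download work under a read-only default, a `workflow_dispatch` dry-run input that gates the publish step, the fork guard on every job, a narrower tag glob, and SHA-pinned actions. The `v*` tag pattern, the `dry_run` input name, the artifact download layout and the `<COMMIT_SHA>` placeholders are assumptions.

```yaml
# Added example (not the PR's own file); <COMMIT_SHA> is a placeholder for a real pinned SHA.
name: npm-publish
on:
  push:
    tags: ['v*']                 # assumed release-tag pattern, not every tag
  workflow_dispatch:
    inputs:
      dry_run:
        description: Run npm publish with --dry-run
        type: boolean
        default: true
permissions:
  contents: read                 # workflow default stays read-only
concurrency:
  group: npm-publish-${{ github.ref }}
  cancel-in-progress: false
jobs:
  prebuild-x64:
    if: github.repository == 'RobotWebTools/rclnodejs'
    permissions:
      contents: read
      actions: write             # upload-artifact inside the called workflow
    uses: ./.github/workflows/prebuild-linux-x64.yml
  prebuild-arm64:
    if: github.repository == 'RobotWebTools/rclnodejs'
    permissions:
      contents: read
      actions: write
    uses: ./.github/workflows/prebuild-linux-arm64.yml
  publish:
    needs: [prebuild-x64, prebuild-arm64]
    if: github.repository == 'RobotWebTools/rclnodejs'
    runs-on: ubuntu-latest
    environment: npm-publish     # deployment protection rules apply here
    permissions:
      contents: read
      actions: read              # download-artifact
      id-token: write            # OIDC trusted publishing + provenance
    steps:
      - uses: actions/checkout@<COMMIT_SHA>          # v6, pinned to a full SHA
      - uses: actions/download-artifact@<COMMIT_SHA>
        with:
          path: prebuilds        # each artifact lands in prebuilds/<artifact-name>/ (assumed layout)
      - run: ./scripts/npm-pack.sh
      # On a tag push inputs.dry_run is empty, so the flag is omitted and a real publish runs.
      - run: npm publish --provenance --access public ${{ inputs.dry_run && '--dry-run' || '' }}
```

The `environment: npm-publish` line is what lets required reviewers or a branch/tag policy on that environment block the publish job before it obtains the OIDC token.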