NPM Publish Workflow #1460

Merged
minggangw merged 3 commits into RobotWebTools:develop from minggangw:npm-publish-workflow
Apr 1, 2026
Conversation

@minggangw

Member

Automate npm publishing via GitHub Actions when a new tag is pushed. Prebuilt binaries for both x64 and arm64 are built in parallel, bundled into the tarball, and published to npm with SLSA provenance attestation using OIDC trusted publishing (no long-lived npm token required).

Changes

New: .github/workflows/npm-publish.yml — Triggers on tag push or manual workflow_dispatch (with dry-run option). Calls prebuild-linux-x64.yml and prebuild-linux-arm64.yml as reusable sub-workflows in parallel. After both complete, the publish job downloads all prebuilt .node artifacts, runs ./scripts/npm-pack.sh to create the tarball, and publishes via npm publish --provenance --access public. Security: fork protection (if: github.repository == 'RobotWebTools/rclnodejs'), concurrency guard, GitHub environment (npm-publish) for deployment protection, and id-token: write for OIDC trusted publishing.

Modified: .github/workflows/prebuild-linux-arm64.yml — Replaced push: tags: '*' trigger with workflow_call: so it can be invoked as a reusable workflow from npm-publish.yml. workflow_dispatch: retained for manual runs.

Modified: .github/workflows/prebuild-linux-x64.yml — Same change as arm64: replaced push: tags: with workflow_call:.

Fix: #1459

Copilot AI review requested due to automatic review settings April 1, 2026 02:23

Copilot AI left a comment


Pull request overview

Adds a GitHub Actions-based release pipeline to publish rclnodejs to npm on tag pushes, using reusable prebuild workflows to generate and bundle native binaries and publishing via npm OIDC/provenance (addressing #1459).

Changes:

  • Adds a new .github/workflows/npm-publish.yml workflow that runs on tag pushes, builds x64/arm64 prebuilds in parallel, packs, and publishes to npm.
  • Converts the existing Linux x64/arm64 prebuild workflows from push: tags triggers to reusable workflow_call workflows (keeping workflow_dispatch).

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

Reviewed files:

  • .github/workflows/npm-publish.yml: New tag-triggered orchestrator workflow for prebuild + pack + npm publish with OIDC provenance.
  • .github/workflows/prebuild-linux-x64.yml: Changes trigger to workflow_call to support reuse by the publish workflow.
  • .github/workflows/prebuild-linux-arm64.yml: Changes trigger to workflow_call to support reuse by the publish workflow.

Comment on lines +13 to +15
permissions:
contents: read

Copilot AI Apr 1, 2026

The workflow sets permissions: contents: read at the workflow level, which removes the default actions permission. That will prevent the called prebuild workflows from uploading artifacts (actions/upload-artifact) and will also prevent this workflow from downloading them (actions/download-artifact) in the publish job. Grant actions: write (for prebuild artifact upload) and at least actions: read (for artifact download) via workflow-level or per-job permissions (remember called workflows can’t exceed the caller’s permissions).

Comment on lines +3 to +7
on:
push:
tags:
- '*'
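Review bot: the `'*'` tag filter on `push:` starts this publish pipeline for every tag pushed to the repository, not only release tags, so an unrelated or experimental tag would trigger a run that ends in `npm publish`. Narrow the pattern to the project's release-tag scheme (for example `'v*'`, if that is the convention) so that only tags meant as releases reach the publish job.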

Copilot AI Apr 1, 2026

PR description says this workflow should also support manual workflow_dispatch with a dry-run option, but the workflow currently only triggers on push tags and always runs npm publish. Add a workflow_dispatch trigger with an input (e.g., dry_run) and gate the publish step/job accordingly.

Comment thread .github/workflows/npm-publish.yml Outdated
contents: read
id-token: write
steps:
- uses: actions/checkout@v5
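Review bot: this job holds `id-token: write`, the OIDC credential that npm accepts for trusted publishing, yet references `actions/checkout@v5` by a mutable major tag. For the job that actually publishes, pin every third-party action to a full commit SHA (keeping the version in a trailing comment) so that a retagged or compromised action release cannot execute inside the publishing job's trust boundary; the same applies to any download-artifact or setup-node steps this job adds.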

Copilot AI Apr 1, 2026

actions/checkout is pinned to @v5 here, while other workflows in this repo are using actions/checkout@v6 (e.g. .github/workflows/linux-x64-build-and-test.yml). Consider aligning to @v6 for consistency and to pick up the latest fixes/security updates.

Suggested change
- uses: actions/checkout@v5
- uses: actions/checkout@v6


Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Comment on lines +20 to +29
permissions:
contents: read

jobs:
prebuild-x64:
uses: ./.github/workflows/prebuild-linux-x64.yml

prebuild-arm64:
uses: ./.github/workflows/prebuild-linux-arm64.yml

Copilot AI Apr 1, 2026

The workflow sets top-level permissions: contents: read, which implicitly sets all other scopes to none. This will likely break artifact upload/download: the reusable prebuild workflows need actions: write to upload artifacts, and the publish job needs actions: read to download them. Consider granting actions permissions at the appropriate job level (least privilege) or at the workflow level so upload-artifact/download-artifact can function.

Comment on lines +24 to +34
prebuild-x64:
uses: ./.github/workflows/prebuild-linux-x64.yml

prebuild-arm64:
uses: ./.github/workflows/prebuild-linux-arm64.yml

publish:
needs: [prebuild-x64, prebuild-arm64]
# Only publish from the official repository, not forks
if: github.repository == 'RobotWebTools/rclnodejs'
runs-on: ubuntu-latest

Copilot AI Apr 1, 2026

The PR description mentions fork protection, but only the publish job is guarded with if: github.repository == 'RobotWebTools/rclnodejs'. As written, prebuild-x64 and prebuild-arm64 will still run on forks (and on any tag push), consuming CI resources. If the intent is to fully protect the workflow, apply the same if: to the prebuild jobs (or gate them via a single reusable “publish” workflow that includes the prebuilds).


Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (2)

.github/workflows/prebuild-linux-x64.yml:66

  • This workflow pins actions/upload-artifact@v7, but that major version is not known to exist in the set of stable actions/upload-artifact releases. If the tag is invalid, artifact upload will fail and the publish workflow won’t be able to bundle binaries. Please verify the available major versions (or pin to a known valid major / commit SHA).

    - name: Upload prebuilt binary
      uses: actions/upload-artifact@v7
      with:
        name: prebuilt-linux-x64-node${{ matrix.node-version }}-${{ matrix.ubuntu_codename }}-${{ matrix.ros_distribution }}
        path: prebuilds/linux-x64/*.node
        if-no-files-found: error

.github/workflows/prebuild-linux-arm64.yml:66

  • This workflow pins actions/upload-artifact@v7, but that major version is not known to exist in the set of stable actions/upload-artifact releases. If the tag is invalid, artifact upload will fail and downstream publish jobs won’t be able to bundle binaries. Please verify the available major versions (or pin to a known valid major / commit SHA).

    - name: Upload prebuilt binary
      uses: actions/upload-artifact@v7
      with:
        name: prebuilt-linux-arm64-node${{ matrix.node-version }}-${{ matrix.ubuntu_codename }}-${{ matrix.ros_distribution }}
        path: prebuilds/linux-arm64/*.node
        if-no-files-found: error

Comment on lines +20 to +31
permissions:
contents: read

jobs:
prebuild-x64:
if: github.repository == 'RobotWebTools/rclnodejs'
uses: ./.github/workflows/prebuild-linux-x64.yml

prebuild-arm64:
if: github.repository == 'RobotWebTools/rclnodejs'
uses: ./.github/workflows/prebuild-linux-arm64.yml

Copilot AI Apr 1, 2026

permissions is set to contents: read at the workflow level, which restricts the GITHUB_TOKEN for all jobs (including the reusable prebuild jobs). Uploading artifacts typically requires actions: write, and downloading artifacts typically requires actions: read; with the current permissions the upload-artifact/download-artifact steps are likely to fail with "Resource not accessible by integration". Consider granting actions: write to the prebuild-* jobs and actions: read to the publish job (or set an appropriate workflow-level permission set).

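The PR description above sketches the orchestrator design (tag trigger, manual dry run, parallel reusable prebuilds, fork guard, concurrency guard, `npm-publish` environment, `id-token: write`), and the three review comments on `permissions: contents: read` explain why artifact upload and download break under a workflow-wide read-only token. The workflow below is an illustrative example written for this review, not the project's actual `npm-publish.yml` and not code from the PR author; it shows one least-privilege layout that satisfies all of those points at once. It assumes the reusable prebuild workflows take no inputs and upload artifacts named `prebuilt-linux-x64-*` and `prebuilt-linux-arm64-*` (matching the upload steps quoted above), that `./scripts/npm-pack.sh` writes a single `.tgz` into the working directory, that release tags follow a `v*` scheme, and that Node 22 is an acceptable build toolchain; all four are assumptions. Action references are shown as major tags for readability; for a job that carries `id-token: write`, pinning each `uses:` to a full commit SHA is the stricter choice.

```yaml
# Illustrative orchestrator written for this review (not the project's npm-publish.yml).
name: npm-publish (example)

on:
  push:
    tags:
      - 'v*'                 # assumption: release tags look like v1.2.3; '*' would fire on any tag
  workflow_dispatch:
    inputs:
      dry_run:
        description: 'Build and inspect the tarball but skip npm publish'
        type: boolean
        default: true        # a manual run is a rehearsal unless the operator opts out

# One release run at a time; an in-flight publish is never cancelled by a newer run.
concurrency:
  group: npm-publish-${{ github.ref }}
  cancel-in-progress: false

# Workflow-wide default: a read-only GITHUB_TOKEN. Each job adds only the scopes it needs.
permissions:
  contents: read

jobs:
  prebuild-x64:
    if: github.repository == 'RobotWebTools/rclnodejs'   # fork guard on every job, not just publish
    uses: ./.github/workflows/prebuild-linux-x64.yml
    # A called workflow runs with the caller's token, so the upload-artifact step inside it
    # needs actions: write granted here, on the calling job (it cannot exceed what we grant).
    permissions:
      contents: read
      actions: write

  prebuild-arm64:
    if: github.repository == 'RobotWebTools/rclnodejs'
    uses: ./.github/workflows/prebuild-linux-arm64.yml
    permissions:
      contents: read
      actions: write

  publish:
    needs: [prebuild-x64, prebuild-arm64]
    if: github.repository == 'RobotWebTools/rclnodejs'
    runs-on: ubuntu-latest
    environment: npm-publish   # required reviewers / deployment protection rules attach here
    permissions:
      contents: read
      actions: read            # download-artifact
      id-token: write          # OIDC token for npm trusted publishing and provenance; nowhere else
    steps:
      - uses: actions/checkout@v6

      - uses: actions/setup-node@v4
        with:
          node-version: 22     # assumption
          registry-url: https://registry.npmjs.org
        # No NODE_AUTH_TOKEN: trusted publishing exchanges the OIDC token at publish time.

      # Gather the matrix outputs per architecture so same-named .node files do not collide.
      - uses: actions/download-artifact@v4
        with:
          pattern: prebuilt-linux-x64-*
          path: prebuilds/linux-x64
          merge-multiple: true
      - uses: actions/download-artifact@v4
        with:
          pattern: prebuilt-linux-arm64-*
          path: prebuilds/linux-arm64
          merge-multiple: true

      - name: Build tarball
        run: ./scripts/npm-pack.sh   # assumption: leaves one *.tgz in the working directory

      # Runs on dry runs and real releases alike: fail fast if no native binary was bundled.
      - name: Check that prebuilt binaries are inside the tarball
        run: |
          set -euo pipefail
          tgz=$(find . -maxdepth 1 -name '*.tgz' | head -n1)
          [ -n "$tgz" ] || { echo 'npm-pack.sh produced no tarball'; exit 1; }
          tar -tzf "$tgz" | grep -q '\.node$' || { echo 'no .node binaries in tarball'; exit 1; }

      # Publish on a tag push, or on a manual run only when dry_run was explicitly turned off.
      - name: Publish to npm
        if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.dry_run == false)
        run: npm publish "$(find . -maxdepth 1 -name '*.tgz' | head -n1)" --provenance --access public
```

Two design points worth noting. `id-token: write` is granted to the `publish` job only, so the prebuild jobs, which run arbitrary build toolchains, never hold a credential that npm would accept. And because a `workflow_dispatch` run publishes whatever ref the operator selected, not necessarily a tag, the `npm-publish` environment's required-reviewer rule is the control that stands between a mistaken manual run with `dry_run` off and a release.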
@minggangw minggangw merged commit f27c249 into RobotWebTools:develop Apr 1, 2026
17 of 19 checks passed
minggangw added a commit that referenced this pull request Apr 1, 2026
Automate npm publishing via GitHub Actions when a new tag is pushed. Prebuilt binaries for both x64 and arm64 are built in parallel, bundled into the tarball, and published to npm with SLSA provenance attestation using OIDC trusted publishing (no long-lived npm token required).

### Changes

**New: `.github/workflows/npm-publish.yml`** — Triggers on tag push or manual `workflow_dispatch` (with dry-run option). Calls `prebuild-linux-x64.yml` and `prebuild-linux-arm64.yml` as reusable sub-workflows in parallel. After both complete, the `publish` job downloads all prebuilt `.node` artifacts, runs `./scripts/npm-pack.sh` to create the tarball, and publishes via `npm publish --provenance --access public`. Security: fork protection (`if: github.repository == 'RobotWebTools/rclnodejs'`), concurrency guard, GitHub environment (`npm-publish`) for deployment protection, and `id-token: write` for OIDC trusted publishing.

**Modified: `.github/workflows/prebuild-linux-arm64.yml`** — Replaced `push: tags: '*'` trigger with `workflow_call:` so it can be invoked as a reusable workflow from `npm-publish.yml`. `workflow_dispatch:` retained for manual runs.

**Modified: `.github/workflows/prebuild-linux-x64.yml`** — Same change as arm64: replaced `push: tags:` with `workflow_call:`.

Fix: #1459
Development

Successfully merging this pull request may close these issues.

Enable npm publishing via GitHub Actions

2 participants