Skip to content
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 66 additions & 0 deletions .github/workflows/npm-publish.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
name: NPM Publish

on:
push:
tags:
- '*'

Comment on lines +3 to +14

Copilot AI Apr 1, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR description says this workflow should also support manual workflow_dispatch with a dry-run option, but the workflow currently only triggers on push tags and always runs npm publish. Add a workflow_dispatch trigger with an input (e.g., dry_run) and gate the publish step/job accordingly.

Copilot uses AI. Check for mistakes.
# Ensure only one publish runs at a time
concurrency:
group: npm-publish
cancel-in-progress: false

permissions:
contents: read

Comment on lines +20 to +22

Copilot AI Apr 1, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The workflow sets permissions: contents: read at the workflow level, which removes the default actions permission. That will prevent the called prebuild workflows from uploading artifacts (actions/upload-artifact) and will also prevent this workflow from downloading them (actions/download-artifact) in the publish job. Grant actions: write (for prebuild artifact upload) and at least actions: read (for artifact download) via workflow-level or per-job permissions (remember called workflows can’t exceed the caller’s permissions).

Copilot uses AI. Check for mistakes.
jobs:
prebuild-x64:
uses: ./.github/workflows/prebuild-linux-x64.yml

prebuild-arm64:
uses: ./.github/workflows/prebuild-linux-arm64.yml

Comment on lines +20 to +31

Copilot AI Apr 1, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The workflow sets top-level permissions: contents: read, which implicitly sets all other scopes to none. This will likely break artifact upload/download: the reusable prebuild workflows need actions: write to upload artifacts, and the publish job needs actions: read to download them. Consider granting actions permissions at the appropriate job level (least privilege) or at the workflow level so upload-artifact/download-artifact can function.

Copilot uses AI. Check for mistakes.
Comment on lines +20 to +31

Copilot AI Apr 1, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

permissions is set to contents: read at the workflow level, which restricts the GITHUB_TOKEN for all jobs (including the reusable prebuild jobs). Uploading artifacts typically requires actions: write, and downloading artifacts typically requires actions: read; with the current permissions the upload-artifact/download-artifact steps are likely to fail with "Resource not accessible by integration". Consider granting actions: write to the prebuild-* jobs and actions: read to the publish job (or set an appropriate workflow-level permission set).

Copilot uses AI. Check for mistakes.
publish:
needs: [prebuild-x64, prebuild-arm64]
# Only publish from the official repository, not forks
if: github.repository == 'RobotWebTools/rclnodejs'
runs-on: ubuntu-latest
Comment on lines +24 to +34

Copilot AI Apr 1, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR description mentions fork protection, but only the publish job is guarded with if: github.repository == 'RobotWebTools/rclnodejs'. As written, prebuild-x64 and prebuild-arm64 will still run on forks (and on any tag push), consuming CI resources. If the intent is to fully protect the workflow, apply the same if: to the prebuild jobs (or gate them via a single reusable “publish” workflow that includes the prebuilds).

Copilot uses AI. Check for mistakes.
environment: npm-publish
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v5

Copilot AI Apr 1, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

actions/checkout is pinned to @v5 here, while other workflows in this repo are using actions/checkout@v6 (e.g. .github/workflows/linux-x64-build-and-test.yml). Consider aligning to @v6 for consistency and to pick up the latest fixes/security updates.

Suggested change
- uses: actions/checkout@v5
- uses: actions/checkout@v6

Copilot uses AI. Check for mistakes.

- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 24.x
registry-url: 'https://registry.npmjs.org'

- name: Download x64 prebuilds
uses: actions/download-artifact@v4
with:
pattern: prebuilt-linux-x64-*
path: prebuilds/linux-x64
merge-multiple: true

- name: Download arm64 prebuilds
uses: actions/download-artifact@v4
with:
pattern: prebuilt-linux-arm64-*
path: prebuilds/linux-arm64
merge-multiple: true

- name: List prebuilds
run: |
echo "=== x64 prebuilds ==="
ls -la prebuilds/linux-x64/
echo "=== arm64 prebuilds ==="
ls -la prebuilds/linux-arm64/

- name: Pack
run: ./scripts/npm-pack.sh

- name: Publish
run: npm publish --provenance --access public ./dist/rclnodejs-*.tgz
4 changes: 1 addition & 3 deletions .github/workflows/prebuild-linux-arm64.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,7 @@ name: Prebuild Linux ARM64

on:
workflow_dispatch:
push:
tags:
- '*'
workflow_call:

jobs:
prebuild:
Expand Down
4 changes: 1 addition & 3 deletions .github/workflows/prebuild-linux-x64.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,7 @@ name: Prebuild Linux x64

on:
workflow_dispatch:
push:
tags:
- '*'
workflow_call:

jobs:
prebuild:
Expand Down
Loading