fix(ci): use npm trusted publishing in release workflow #38
Pull request overview
Updates the release pipeline to publish to npm using Trusted Publishing (OIDC) instead of an npm token, alongside some dependency/tooling refreshes.
Changes:
- Switch release workflow publish step from `pnpm publish` (with `NODE_AUTH_TOKEN`) to `npm publish` with provenance + OIDC.
- Update dependencies/devDependencies and refresh `pnpm-lock.yaml`; update Biome schema reference.
- Minor refactors/formatting in a test and a small TS optional-chaining simplification.
Reviewed changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .github/workflows/release-please.yml | Publishes via `npm publish --provenance` with `id-token: write` for Trusted Publishing |
| package.json | Dependency/devDependency bumps; updates simple-git-hooks commands |
| pnpm-lock.yaml | Lockfile updates reflecting dependency bumps (including new engine constraints) |
| biome.json | Updates `$schema` URL to Biome 2.4.11 |
| src/commands/sync.ts | Small null-check simplification using optional chaining |
| tests/targets.test.js | Test formatting/structure change (same behavior) |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
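The Trusted Publishing setup summarised in the overview above, shown here as an added illustration rather than the PR's actual `release-please.yml` (which the page does not reproduce): a minimal release job with a least-privilege `permissions` block and a publish step that carries no long-lived registry token. The job id, trigger, Node version and the `pnpm build` script name are assumptions.

```yaml
name: release
on:
  push:
    tags: ["v*"]   # assumption: the real workflow is driven by release-please

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read     # least privilege: the job only needs to read the source
      id-token: write    # allows the job to request an OIDC token for npm Trusted Publishing
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 24                 # assumption: any Node shipping npm >= 11.5.1, which supports OIDC publish
          registry-url: https://registry.npmjs.org
      - run: pnpm install --frozen-lockfile
      - run: pnpm build                    # assumption: name of the project's build script
      # No NODE_AUTH_TOKEN / NPM_TOKEN secret is set: npm exchanges the job's OIDC
      # token for a short-lived publish credential, and --provenance attaches a
      # Sigstore attestation that ties the published tarball to this workflow run.
      - run: npm publish --provenance --access public   # assumption: scoped, publicly published package
```

The registry side of the trust relationship is configured once on npmjs.com by registering this repository and workflow file name as a trusted publisher for the package; after that the workflow needs no secret at all, which removes a credential that could otherwise be leaked through logs, forks or compromised actions, and the provenance attestation lets consumers verify where a given version was built.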
| "jiti": "^2.6.1", | ||
| "lint-staged": "^16.4.0", | ||
| "simple-git-hooks": "^2.13.1", | ||
| "size-limit": "^12.0.0", | ||
| "size-limit": "^12.0.1", |
size-limit was bumped to ^12.0.1, which (per the lockfile) now requires Node ^20 || ^22 || >=24. The repo’s CI still runs pnpm size and pnpm build on Node 18, so this update is likely to break those jobs. Either pin size-limit/@size-limit/file back to a Node-18-compatible release, or raise the project’s supported Node version and update CI accordingly.
| size-limit@12.0.1: | ||
| resolution: {integrity: sha512-vuFj+6lDOoBJQu6OLhcMQv7jnbXjuoEn4WsQHlSLOV/8EFfOka/tfjtLQ/rZig5Gagi3R0GnU/0kd4EY/y2etg==} | ||
| engines: {node: ^20.0.0 || ^22.0.0 || >=24.0.0} | ||
| hasBin: true |
The lockfile shows size-limit@12.0.1 declares engines.node: ^20.0.0 || ^22.0.0 || >=24.0.0. Since CI still executes pnpm size under Node 18, this dependency upgrade will cause runtime/engine failures unless Node 18 support is dropped or the dependency is pinned to a compatible version.
| rollup-plugin-dts@6.4.1: | ||
| resolution: {integrity: sha512-l//F3Zf7ID5GoOfLfD8kroBjQKEKpy1qfhtAdnpibFZMffPaylrg1CoDC2vGkPeTeyxUe4bVFCln2EFuL7IGGg==} | ||
| engines: {node: '>=20'} |
rollup-plugin-dts is updated to 6.4.1 and declares engines.node: >=20. This is pulled in by the build toolchain (via unbuild) and the repo currently runs pnpm build on Node 18 in CI, so builds may start failing. Consider pinning rollup-plugin-dts/unbuild to a Node-18-compatible version or bumping the project’s minimum Node version.
| "devDependencies": { | ||
| "@biomejs/biome": "^2.3.14", | ||
| "@size-limit/file": "^12.0.0", | ||
| "@types/node": "^25.2.0", | ||
| "bumpp": "^10.3.2", | ||
| "@biomejs/biome": "^2.4.11", | ||
| "@size-limit/file": "^12.0.1", | ||
| "@types/node": "^25.6.0", | ||
| "bumpp": "^11.0.1", |
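Review bot: `@types/node` is bumped to `^25.6.0` in this hunk while, per the other comments on this PR, CI still runs on Node 18, so the type checker will accept Node APIs that do not exist on the runtime actually used to build and test; keep the `@types/node` major aligned with the lowest Node version the project supports, or raise that floor explicitly in the same change as the other engine bumps.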
This PR is described as a release workflow change, but it also upgrades multiple dependencies (e.g. @biomejs/biome, @types/node, bumpp, etc.) and adjusts local git hooks. If those are not required for the trusted publishing switch, consider splitting them into a separate PR to reduce release/publish risk.