enable trusted publishing for npm #927
✅ Deploy Preview for livecodes ready!
Deploying livecodes with
| Latest commit: | 33f0118 |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://9ef3f11d.livecodes.pages.dev |
| Branch Preview URL: | https://oidc.livecodes.pages.dev |
Size Change: +107 B (+0.01%) Total Size: 1.01 MB
Walkthrough
GitHub Actions workflows are updated to use Node.js 24.x instead of 18.x across all pipelines. YAML string quoting is standardized to double quotes for consistency. The release workflow adds GitHub token permissions, npm version 11.6.4 installation, and switches from token-based to OIDC-based npm authentication.
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
Pre-merge checks: ✅ Passed checks (3 passed)
Actionable comments posted: 0
🧹 Nitpick comments (1)
.github/workflows/release.yml (1)
46-48: Comment-code alignment: npm version 11.6.4 vs. comment mention of 11.5.1.
Line 46 states "Ensure npm 11.5.1 or later", but line 48 installs 11.6.4. This is safe (11.6.4 > 11.5.1), but update the comment to match the actual installed version for clarity.
- # Ensure npm 11.5.1 or later is installed (for OIDC) + # Ensure npm 11.6.4 or later is installed (for OIDC) - name: Update npm run: npm install -g npm@11.6.4
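Review bot: the replacement comment on the `+` line restates the pinned version as the requirement, so the OIDC minimum the original comment recorded (11.5.1) is lost, and "or later" does not describe a step that installs exactly npm@11.6.4. Suggest a comment that keeps both facts, for example "# OIDC publishing needs npm 11.5.1 or later; pinned to 11.6.4 below", so a later version bump is checked against the real minimum.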
📒 Files selected for processing (7)
- .github/workflows/CI-build.yml (2 hunks)
- .github/workflows/CI-e2e.yml (2 hunks)
- .github/workflows/deploy.yml (2 hunks)
- .github/workflows/i18n-update-pull.yml (2 hunks)
- .github/workflows/i18n-update-push.yml (3 hunks)
- .github/workflows/i18n-update-scheduled.yml (3 hunks)
- .github/workflows/release.yml (3 hunks)
🔇 Additional comments (8)
.github/workflows/CI-build.yml (1)
10-10: Verify Node.js 24.x compatibility across the codebase.
Node.js 24 has entered Long-Term Support (LTS) and will continue receiving maintenance through April 2028, so the version bump is production-appropriate. However, the jump from 18.x to 24.x is significant. Ensure all dependencies and custom code are compatible with Node 24 breaking changes (e.g., child_process.spawn() and execFile() now disallow string arguments and enforce explicit array-based argument passing to prevent shell injection).
Run your full test suite against Node 24.x to confirm compatibility before merging. Consider also testing locally or creating a separate CI run to validate against Node 24 if not already covered.
Also applies to: 12-12, 21-22
.github/workflows/deploy.yml (1)
10-10: Node.js 24.x compatibility—same as CI-build.yml.
Same verification required as flagged in CI-build.yml.
Also applies to: 16-16, 34-35
.github/workflows/i18n-update-pull.yml (1)
10-10: Node.js 24.x compatibility—applies to all workflows.
Same compatibility verification applies as flagged in CI-build.yml.
Also applies to: 94-95
.github/workflows/CI-e2e.yml (1)
11-11: Node.js 24.x compatibility—applies to all workflows.
Also applies to: 14-14, 23-24
.github/workflows/i18n-update-push.yml (1)
10-10: Node.js 24.x compatibility + comment formatting.
Node.js compatibility verification applies (see CI-build.yml). Line 139 appears to be a minor markdown formatting change in the workflow comment—confirm this is intentional and renders correctly.
Also applies to: 94-95, 139-139
.github/workflows/i18n-update-scheduled.yml (1)
8-8: Node.js 24.x compatibility—applies to all workflows.
Also applies to: 19-19, 58-59
.github/workflows/release.yml (2)
9-11: OIDC permissions configured correctly.
The critical requirement is the id-token: write permission, which allows GitHub Actions to generate OIDC tokens. The permissions block correctly includes both id-token: write (for OIDC) and contents: write (for creating releases).
103-103: Verify OIDC setup is configured on npm registry before merge.
Trusted publishing allows you to publish npm packages directly from your CI/CD workflows using OpenID Connect (OIDC) authentication, eliminating the need for long-lived npm tokens. The workflow now relies entirely on OIDC (no NPM_TOKEN fallback). Ensure both SDK packages are properly configured with trusted publishers on npmjs.com.
If npm registry OIDC configuration doesn't match the workflow context, the OIDC token will be rejected. Verify organization name, repository name, workflow file name, and environment name exactly match the npm package settings.
Before merging, confirm:
- The livecodes and livecodes SDK packages have trusted publisher OIDC configured on npmjs.com
- The GitHub organization name, repository name, and workflow path (release.yml) exactly match the OIDC config
- Test publishing on a dry-run or canary package to verify the setup works (if possible without publishing to production)
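A preflight for the mismatch this review comment warns about, as an added example that is not part of the PR, the project, or npm's code: it decodes a GitHub Actions OIDC token's claims and lists the fields that differ from a trusted-publisher entry. The claim names are GitHub's; the entry's shape, the placeholder names and the exact-match rules are assumptions modelled on the four fields the comment lists.

```javascript
// Added example: compare GitHub Actions OIDC claims with a trusted-publisher entry.
// The entry's shape and every name in it are constructed placeholders.
const trustedPublisher = {
  owner: "example-org",
  repository: "example-repo",
  workflowFile: "release.yml",
  environment: null, // null: no environment restriction configured
};
// Decode a JWT payload WITHOUT verifying the signature (diagnosis only).
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
}

// Return one message per field that would not match; empty array means aligned.
function findMismatches(claims, cfg) {
  const problems = [];
  const repo = `${cfg.owner}/${cfg.repository}`;
  const workflow = `${repo}/.github/workflows/${cfg.workflowFile}`;
  // workflow_ref looks like "owner/repo/.github/workflows/file.yml@refs/heads/main"
  const seenWorkflow = String(claims.workflow_ref || "").split("@")[0];
  if (claims.iss !== "https://token.actions.githubusercontent.com")
    problems.push(`issuer: ${claims.iss}`);
  if (claims.repository_owner !== cfg.owner)
    problems.push(`owner: ${claims.repository_owner} != ${cfg.owner}`);
  if (claims.repository !== repo)
    problems.push(`repository: ${claims.repository} != ${repo}`);
  if (seenWorkflow !== workflow)
    problems.push(`workflow: ${seenWorkflow} != ${workflow}`);
  if (cfg.environment !== null && claims.environment !== cfg.environment)
    problems.push(`environment: ${claims.environment} != ${cfg.environment}`);
  return problems;
}

// Constructed sample tokens (placeholder signature, never sent anywhere).
function sampleToken(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.c2ln`;
}
const good = {
  iss: "https://token.actions.githubusercontent.com",
  repository_owner: "example-org",
  repository: "example-org/example-repo",
  workflow_ref: "example-org/example-repo/.github/workflows/release.yml@refs/heads/main",
};
const renamed = { ...good, workflow_ref: good.workflow_ref.replace("release.yml", "publish.yml") };
console.log(findMismatches(decodeClaims(sampleToken(good)), trustedPublisher));
console.log(findMismatches(decodeClaims(sampleToken(renamed)), trustedPublisher));
```

Because the workflow no longer has an NPM_TOKEN fallback, a non-empty result here corresponds to a publish that would be rejected rather than silently authenticated another way.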
see: