Skip to content

chore(ci): add npm publish job to version-release workflow#6

Open
Atharva0506 wants to merge 1 commit into
AOSSIE-Org:mainfrom
Atharva0506:chore/add-npm-publish-ci
Open

chore(ci): add npm publish job to version-release workflow#6
Atharva0506 wants to merge 1 commit into
AOSSIE-Org:mainfrom
Atharva0506:chore/add-npm-publish-ci

Conversation

@Atharva0506

@Atharva0506 Atharva0506 commented Jul 13, 2026

Copy link
Copy Markdown
Member

Aligned with the AOSSIE npm package standard (IndexedDB-Import-Export):
The existing version-release.yml only creates tags and GitHub releases but does not publish the package to npm.

Addressed Issues:

Fixes #(issue number)

Screenshots/Recordings:

Additional Notes:

Aligned with the AOSSIE npm package standard used by IndexedDB-Import-Export:

  • Added maintainer verification step (checks write access before releasing)
  • Added auto-create fallback when no draft release exists
  • Added publish job that runs after successful release:
    • Installs dependencies, builds, runs tests, verifies package contents
    • Syncs version from VERSION file to package.json
    • Publishes to npm with --provenance for supply-chain attestation
    • Requires NPMJS_TOKEN secret and npm GitHub environment
  • Updated actions/checkout to v4, actions/github-script to v7

Note: The NPMJS_TOKEN secret and npm environment need to be configured in the repository settings by an org admin before the publish job will work.

Checklist

  • My code follows the project's code style and conventions
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have joined the Discord server and I will share a link to this PR with the project maintainers there
  • I have read the Contributing Guidelines

⚠️ AI Notice - Important!

We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact.

Summary by CodeRabbit

  • New Features

    • Release publishing can now be initiated manually.
    • New releases are created and published automatically when no draft release is available.
    • Successful releases are automatically published to the npm registry with provenance metadata.
  • Improvements

    • Release workflows now verify the initiating account has appropriate repository permissions.
    • Publishing includes automated build, test, package verification, and release status reporting.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@Atharva0506, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 43 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1ad5a40a-a20e-4ec9-b018-70e63d08d1c4

📥 Commits

Reviewing files that changed from the base of the PR and between aedde7f and 3594a80.

📒 Files selected for processing (1)
  • .github/workflows/version-release.yml

Walkthrough

The release workflow now supports manual execution, verifies actor permissions, automatically creates missing GitHub releases, and conditionally builds, verifies, and publishes the package to npm.

Changes

Release pipeline

Layer / File(s) Summary
Workflow entry and release outputs
.github/workflows/version-release.yml
Manual dispatch, permission validation, updated checkout wiring, and version/released job outputs are added.
GitHub release resolution
.github/workflows/version-release.yml
Draft releases continue to be published, while missing releases are created and published automatically.
Conditional npm publishing
.github/workflows/version-release.yml
The publish job is gated on release status, then installs, tests, packages, synchronizes the version, and publishes with provenance.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Poem

A rabbit hops through release night,
Checks the gate and finds it right.
Drafts may bloom or new ones grow,
Packages pack, then off they go!
npm gets a carrot bright.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: adding an npm publish job to the version-release workflow.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added no-issue-linked PR is not linked to any issue ci-cd CI/CD pipeline changes configuration Configuration file changes github-actions GitHub Actions workflow changes size/M Medium PR (51-200 lines changed) repeat-contributor PR from an external contributor who already had PRs merged needs-review labels Jul 13, 2026
@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor
Messages
📖

⚠️ PR Template Check

These are non-blocking, but please fix:

  • Please replace the placeholder Fixes #(issue number) with the actual issue number (e.g. Fixes #42).

  • Some required checklist items are not completed:

  • My PR addresses a single issue

Generated by 🚫 dangerJS against 3594a80

@Atharva0506
Atharva0506 marked this pull request as ready for review July 13, 2026 13:41

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/version-release.yml:
- Line 25: Pin every action reference in .github/workflows/version-release.yml
to an immutable commit hash while retaining the current version tag as a
readability comment: update actions/checkout at lines 25 and 155,
actions/github-script at lines 31 and 85, and actions/setup-node at line 160.
- Around line 144-147: Add environment: npm to the publish job in the
version-release workflow so its environment-scoped NPMJS_TOKEN and protection
rules apply. Also verify the repository contains the package.json and
package-lock.json files needed by the publish job’s npm ci, npm run build, and
npm test steps.
- Line 9: Add a workflow-level concurrency group to the version release
workflow, using a stable release-specific key so runs triggered by rapid VERSION
changes are serialized. Configure the concurrency behavior to prevent
overlapping runs while preserving the existing tag-check and tag-creation steps.
- Around line 18-22: Add an explicit permissions block to the release job in
version-release.yml, granting contents: write. Place it at the job level so the
tag-push and GitHub release steps have the required permission without relying
on repository defaults.
- Around line 24-28: Configure authentication for the tag push in the
version-release workflow: either remove persist-credentials: false from the
actions/checkout step or explicitly configure the origin remote with
GITHUB_TOKEN before the git push step. Ensure the existing v$VERSION tag push
can authenticate successfully.
- Line 89: Move GitHub Actions expression expansion out of script bodies and
into environment blocks. At `.github/workflows/version-release.yml` lines 89-89,
update the release job script using `const version` to read
`process.env.VERSION` and define `VERSION` in that step’s `env`; at lines
179-179, update the publish sync step to use the environment-backed `VERSION`
value and define it in that step’s `env`, preserving the existing version
sources.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7c7f788d-8826-4181-a717-4ed49022fdd2

📥 Commits

Reviewing files that changed from the base of the PR and between b88e93d and aedde7f.

📒 Files selected for processing (1)
  • .github/workflows/version-release.yml
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • AOSSIE-Org/ThruBox-Server (manual)

Comment thread .github/workflows/version-release.yml
Comment thread .github/workflows/version-release.yml
Comment thread .github/workflows/version-release.yml Outdated
Comment thread .github/workflows/version-release.yml
Comment thread .github/workflows/version-release.yml Outdated
Comment thread .github/workflows/version-release.yml
Aligned with the AOSSIE npm package standard (IndexedDB-Import-Export):

- Added maintainer verification step (checks write access)
- Added auto-create fallback when no draft release exists
- Added 'publish' job that runs after successful release:
  - Installs deps, builds, tests, verifies package contents
  - Syncs version from VERSION file to package.json
  - Publishes to npm with --provenance for supply-chain attestation
  - Requires NPMJS_TOKEN secret and 'npm' environment
- Updated actions/checkout to v4, actions/github-script to v7
@Atharva0506
Atharva0506 force-pushed the chore/add-npm-publish-ci branch from aedde7f to 3594a80 Compare July 13, 2026 13:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ci-cd CI/CD pipeline changes configuration Configuration file changes github-actions GitHub Actions workflow changes needs-review no-issue-linked PR is not linked to any issue repeat-contributor PR from an external contributor who already had PRs merged size/M Medium PR (51-200 lines changed)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant