ci: npm trusted publishing #994
Pull request overview
Updates the release automation to use npm Trusted Publishing (OIDC/provenance) by separating “version/tag” from “npm publish”, consolidating the prior release/prerelease workflows into a single workflow, and disabling semantic-release’s direct npm publishing.
Changes:
- Disable `@semantic-release/npm` publishing (`npmPublish: false`) so semantic-release only versions/tags (and updates repo files where configured).
- Replace the old `release.yml`/`prerelease.yml` workflows with a single `publish.yml` workflow that runs semantic-release on branch pushes and `npm publish --provenance` on tag pushes.
- Adjust workflow permissions to allow OIDC token minting and repository writes for semantic-release tag/commit pushes.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| `.releaserc.cjs` | Disables npm publishing via semantic-release in preparation for OIDC/provenance publishing. |
| `.github/workflows/release.yml` | Removes legacy release workflow (release-branch semantic-release + npm token publish). |
| `.github/workflows/publish.yml` | Introduces consolidated “Release” workflow handling branch version/tag and tag-based provenance publishing. |
| `.github/workflows/prerelease.yml` | Removes legacy prerelease workflow (master semantic-release + npm token publish). |
| - name: Checkout | ||
| uses: actions/checkout@v6 | ||
| with: | ||
| fetch-depth: 0 |
I wouldn't worry about aligning to v4, but we should update to use the latest v6 version SHA instead.
| - name: Setup Node.js | ||
| uses: actions/setup-node@v6 | ||
| with: | ||
| node-version: '24' | ||
| registry-url: 'https://registry.npmjs.org' | ||
| package-manager-cache: false # never use caching in release builds | ||
| - run: npm ci | ||
| - run: npm run build --if-present | ||
| - run: npm test | ||
| - run: npm publish # Or: npm stage publish | ||
| cache: yarn | ||
|
|
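Review bot: the trailing `cache: yarn` line sits after the `run:` steps instead of inside setup-node's `with:` block, so at that indentation it is a stray key, and it contradicts `package-manager-cache: false` and its own comment that release builds never cache; drop it. The job also mixes package managers (`npm ci` here, `yarn run semantic-release` in the Version & Tag step), so the lockfile that gets verified is not necessarily the one that gets installed; pick one. The `- run: npm publish # Or: npm stage publish` line has no `github.ref_type == 'tag'` guard and duplicates the dedicated Publish step, so it would publish on every branch push; remove it.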
Again, don't worry about using v4, but please use a full v6 SHA.
| - name: Version & Tag | ||
| if: github.ref_type == 'branch' | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | ||
| BRANCH_NAME: ${{ github.ref_name }} | ||
| run: yarn run semantic-release |
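Review bot: this step runs semantic-release with `GITHUB_TOKEN`, and a tag pushed with that token does not start an `on: push` workflow run, so the `v*` tag it creates never reaches the Publish step in a fresh run. Either publish in this same job right after semantic-release (the tag and the built, tested tree are already present) or push the tag with a separate credential such as a GitHub App token, which widens what this workflow can do and should be an explicit decision. On branches whose config lacks `@semantic-release/git`, the tag also points at a commit whose package.json still has the old version, which the tag-side publish would then pick up.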
| - name: Publish | ||
| if: github.ref_type == 'tag' | ||
| run: npm publish --provenance |
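Review bot: `npm publish --provenance` publishes whatever version package.json holds at the checked-out tag, under the default `latest` dist-tag, so a prerelease tag such as `v1.2.3-alpha.4` would become `latest` for every consumer, and a stale package.json would publish the wrong version or fail on a duplicate. Before this command, compare the tag to package.json's `version` and pass `--tag <channel>` for prereleases; provenance also requires the job's `permissions` to grant `id-token: write` so the OIDC token can be minted.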
| - name: Rebase master | ||
| if: github.ref_name == 'release' && github.ref_type == 'branch' | ||
| run: | | ||
| git checkout master && | ||
| git rebase release && | ||
| git push origin master |
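Review bot: `git rebase release` while on master rewrites master's history whenever master carries commits that are not on release, and the following plain `git push origin master` is then rejected as non-fast-forward, failing the job after the tag has already been pushed. If master is meant to track release, `git merge --ff-only release` expresses that intent and fails early when it cannot be honoured instead of rewriting history. The push also uses the checkout's persisted `GITHUB_TOKEN`, so it will not trigger master's own workflow run.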
erictaylor left a comment
Thanks for moving this toward a single OIDC/provenance publishing workflow. I think this is the right direction, but this version does not yet preserve the existing publishing behavior.
The main blocker is the new tag-push npm publish --provenance path. With @semantic-release/npm set to npmPublish: false, semantic-release no longer publishes to npm. On the release branch this is mostly okay because the config still includes @semantic-release/git, so the version bump is committed before the tag is pushed and the tag workflow can publish the stable package as latest.
The master prerelease path is broken, though. The master branch config does not include @semantic-release/git, so semantic-release can compute/tag an alpha release while the tagged commit still has the old package.json version. The later tag workflow then checks out that tag and runs plain npm publish --provenance, which can publish the wrong package version or fail because that old version already exists.
Plain npm publish --provenance also loses semantic-release's channel handling. Previously, master prereleases like x.y.z-alpha.n were published to the prerelease channel/dist-tag, not to latest. The new workflow needs to preserve that distinction, for example by validating the tag against package.json and publishing prerelease tags with the appropriate non-latest npm tag while keeping stable release tags on latest.
I agree with the existing comments about hardening the action references, but I would keep the v6 actions and pin them to full commit SHAs rather than downgrading to v4. actions/checkout@v6 and actions/setup-node@v6 both exist; the important thing for this release workflow is using immutable full SHAs.
I do not think the github.ref_type comments are blockers. github.ref_type is available in the GitHub context and should be usable here to distinguish branch and tag refs on push events.
Requesting changes until the prerelease version/tag consistency and prerelease dist-tag behavior are preserved in the consolidated OIDC workflow.
erictaylor left a comment
The current implementation still does not preserve the existing release behavior.
The main blocker is that the workflow relies on semantic-release creating a tag from a branch push, then expects the same workflow to run again on the pushed v* tag and publish to npm. Because semantic-release is using GITHUB_TOKEN, GitHub will not trigger a normal push workflow from that tag push. So automated master and release runs can version/tag successfully but never reach the Publish step.
GitHub documents this behavior here: https://docs.github.com/en/actions/how-tos/write-workflows/choose-when-workflows-run/trigger-a-workflow#triggering-a-workflow-from-a-workflow
Please also correct these behavior changes so the consolidated workflow preserves the previous publishing expectations:
- Prerelease dist-tag behavior changed. The new publish script derives `alpha` from versions like `x.y.z-alpha.n`, but semantic-release's previous channel behavior for the configured `master` prerelease branch would publish to the branch channel unless explicitly configured otherwise. If consumers expect `@avalabs/avalanchejs@master`, publishing as `@alpha` changes the install path.
- `@semantic-release/git` now runs on `master`, so alpha prerelease version bumps will be committed back to `master`. Previously, the `master` prerelease flow updated `package.json` in the release workspace for publishing but did not persist prerelease version commits to the branch.
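Both reviews above ask the tag-side publish to check the tag against package.json and to keep prereleases off `latest`. The gate below is an added example written for this page, not code from the PR or the project; it assumes tags are named `v<version>` and that the optional third argument of `publish_plan` is the channel the project configures for its prerelease branch (for example `master`).

```shell
# Added example, not code from the PR: gate a tag-push publish on the checked-out
# tag agreeing with package.json and pick a non-latest dist-tag for prereleases.
# Assumptions: tags look like v1.2.3 or v1.2.3-alpha.4; the optional third argument
# of publish_plan is the channel configured for the prerelease branch (e.g. master).

# "v1.2.3-alpha.4" -> "1.2.3-alpha.4"; non-zero status for anything not shaped v<digit>...
tag_to_version() {
  case "$1" in
    v[0-9]*) printf '%s\n' "${1#v}" ;;
    *) return 1 ;;
  esac
}

# Pull "version" out of package.json text passed as a string (no jq dependency).
package_version() {
  printf '%s\n' "$1" | sed -n 's/.*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Default dist-tag: stable versions go to latest, x.y.z-<id>.n goes to <id>.
dist_tag_for() {
  case "$1" in
    *-*) pre="${1#*-}"; printf '%s\n' "${pre%%.*}" ;;
    *) printf 'latest\n' ;;
  esac
}

# Usage: publish_plan <git tag> <package.json text> [prerelease channel]
# Prints "<version> <dist-tag>" so a workflow step can run
#   npm publish --provenance --tag "<dist-tag>"
# and returns non-zero (do not publish) when the tag and package.json disagree.
publish_plan() {
  tag="$1"; pkg_json="$2"; channel="${3:-}"
  v="$(tag_to_version "$tag")" || { echo "refusing: '$tag' is not a v* tag" >&2; return 1; }
  pv="$(package_version "$pkg_json")"
  if [ "$v" != "$pv" ]; then
    echo "refusing: tag version '$v' != package.json version '$pv'" >&2
    return 1
  fi
  dt="$(dist_tag_for "$v")"
  # A prerelease goes to its configured channel when one is given, and never to latest.
  if [ "$dt" != latest ] && [ -n "$channel" ] && [ "$channel" != latest ]; then
    dt="$channel"
  fi
  printf '%s %s\n' "$v" "$dt"
}

# Constructed sample input: package.json as checked out at a prerelease tag.
SAMPLE_PKG='{ "name": "@example/pkg", "version": "1.2.3-alpha.4" }'
publish_plan v1.2.3-alpha.4 "$SAMPLE_PKG" master   # prints: 1.2.3-alpha.4 master
```

In a workflow the tag comes from `github.ref_name` and the package.json text from `cat package.json`; a non-zero exit from `publish_plan` should fail the step before `npm publish` runs.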