Update config.yml

[chetanbothra]

Description

Types of changes

What types of changes does your code introduce?

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation Update
• Code style update (formatting, renaming)
• Refactoring (no functional changes, no api changes)
• Build related changes
• Other (please describe):

Further comments (optional)

Summary by CodeRabbit

• Chores
  • Implemented new automated publishing workflow for npm packages and GitHub releases
  • Enhanced notification formatting for test results
  • Corrected naming consistency in build pipeline
  • Updated branch filtering for deployment processes

[github-actions]

Yooo! You forgot to bump the version in package.json!

[coderabbitai]

Walkthrough

This PR updates the CircleCI configuration to fix a typo in the build job name, enhance Slack notification formatting for E2E test results, and introduce two new publishing jobs (npm package and GitHub release) with updated workflow orchestration and branch filtering.

Changes

Cohort / File(s)	Summary
Naming and notification fixes \.circleci/config\.yml	Fixed typo: "Etherpot" → "Etherspot" in build job name; expanded Slack/notification output formatting for E2E test failures and successes with adjusted indentation and message content
New publish workflow jobs \.circleci/config\.yml	Added publish-npm-package job (builds, authenticates, publishes to npm, and announces completion) and publish-github-release job (creates GitHub release via ghr); both jobs added to install-and-publish workflow
Workflow orchestration updates \.circleci/config\.yml	Updated install-and-publish workflow: moved branch filters from e2e-modular to master for install and e2e-tests jobs; added new publish jobs with proper dependency relationships via requires clauses

Sequence Diagram

sequenceDiagram
    autonumber
    participant CI as CircleCI Pipeline
    participant Install as install
    participant E2E as e2e-tests
    participant Publish as publish-npm-package
    participant Release as publish-github-release
    
    CI->>Install: Run on master branch
    Install-->>E2E: Trigger after install
    E2E->>E2E: Run E2E tests<br/>(with enhanced notifications)
    E2E-->>Publish: Trigger on success
    Publish->>Publish: Authenticate to npm<br/>Publish package<br/>Announce completion
    Publish-->>Release: Trigger after publish
    Release->>Release: Create GitHub release<br/>via ghr
    Release-->>CI: Workflow complete

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

The single-file configuration change involves coordinated updates to job definitions, workflow dependencies, and branch filtering logic. While formatting and naming fixes are straightforward, the new npm and GitHub release jobs require careful verification of authentication setup, publish steps, and workflow dependency chains.

Possibly related PRs

• Update config.yml #72: Modifies the same .circleci/config.yml file and touches the install-and-publish workflow with publish job definitions and branch filtering changes.

Poem

🐰 A hop through CI/CD delight,
Etherspots now spelled just right!
Npm packages fly with grace,
GitHub releases find their place,
Notifications sing so bright! 📦✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The pull request description is largely unfilled, containing only placeholder hyphens in each section. The Description field has no detailed explanation of changes, the Types of changes checkboxes are all unchecked, and the Further comments section is empty. The description provides no substantive information about the CircleCI workflow additions, naming fixes, or any other changes present in the changeset, making it difficult for reviewers to understand the intent and scope of the modifications.	Fill out the description template completely by providing a clear summary of the changes in the Description section, selecting the appropriate type of change (Build related changes appears most relevant here), and adding any additional context or comments that would help reviewers understand the motivation and impact of the workflow updates. This will ensure the pull request has adequate documentation for review and future reference.
Title Check	❓ Inconclusive	The title "Update config.yml" is vague and generic, providing no meaningful information about what the changeset accomplishes. While it technically refers to the file being modified, it does not convey the substantive changes present in the pull request, such as adding new npm and GitHub release publish jobs, fixing naming conventions (Etherpot → Etherspot), or reorganizing workflow dependencies. A teammate scanning the repository history would not understand the primary changes from this title alone.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch e2e-to-master

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.circleci/config.yml (1)

167-215: Consider adding error handling and notifications to publish jobs.

The new publish-npm-package and publish-github-release jobs lack error handling or post-publish notifications. Consider:

1. Add when: on_success or when: on_fail guards if you want these jobs to fail gracefully or retry under certain conditions.
2. Add a notification step (Slack, email, etc.) after successful publish to confirm the release is live.
3. Ensure that if publish-npm-package fails, publish-github-release does not proceed (the requires dependency should handle this, but log the failure clearly).

This will improve observability and catch publishing failures early.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4cf4ff3 and 3ed6bc7.

📒 Files selected for processing (1)

• .circleci/config.yml (5 hunks)

🔇 Additional comments (4)

.circleci/config.yml (4)

65-65: ✅ Good catch on the typo fix.

Correcting "Build Etherpot" → "Build Etherspot" improves consistency and clarity throughout the config.

---

131-162: Slack notification formatting is well-structured.

The expanded Slack message for both success and failure cases provides comprehensive test summary details (suites, passes, pending, failures, timing, and direct links to reports and jobs). This is valuable for quick diagnostics.

---

220-247: Confirm branch filter change is intentional.

The branch filters for install and e2e-tests have been changed from e2e-modular to master. This is a significant behavioral change—these jobs will now only run on the master branch. Given the PR title mentions e2e-to-master, this appears intentional, but please confirm:

1. The publishing workflow should now run only on master (presumably for production releases).
2. You no longer want E2E tests running on the e2e-modular branch in this workflow.

Additionally, the workflow orchestration looks sound: install → testnet-e2e-tests → publish-npm-package → publish-github-release, with proper requires dependencies.

---

167-203: All verification checks passed; no issues found.

The .circleci/announcePublish.sh script exists and is properly configured:

• ✅ Script exists at .circleci/announcePublish.sh and is tracked in the repository
• ✅ The chmod +x command at line 202 makes the script executable before running
• ✅ The script correctly accepts and uses both arguments: applicationName ($1) and package version ($2)
• ✅ The version is properly extracted via $(node -e "console.log(require('./package.json').version)") and passed as the second argument
• ✅ The script has proper error handling and valid Slack webhook integration logic

The bun publish --access public command is also valid—Bun supports npm-compatible publishing commands.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify Docker image provenance and ghr version stability.

The publish-github-release job uses the Docker image ardd97/ghr, which is not an official repository image. While it may be legitimate, consider:

1. Verify the image is actively maintained and trustworthy.
2. Pin to a specific image tag/digest rather than relying on latest (implicit), to ensure reproducible builds and prevent supply-chain surprises if the image is updated.
3. The ghr tool is invoked without an explicit version check. If the image doesn't specify a pinned version, future runs may pick up breaking changes.

For better security and stability, consider using an official GitHub Actions container or pinning the image to a specific digest.

---

🏁 Script executed:

#!/bin/bash
# Verify the image exists and check its latest tag info

# Check if the image is publicly available
docker pull ardd97/ghr:latest 2>&1 | head -5

# Attempt to determine the current tag and when it was last updated
curl -s https://hub.docker.com/v2/repositories/ardd97/ghr/tags | jq -r '.results[] | "\(.name) (updated: \(.last_updated))"' | head -10

Length of output: 90

---

Replace unmaintained Docker image with current, pinned version.

The primary ghr tool is actively maintained (latest v0.17.0, Oct 2024), but the ardd97/ghr image itself is unmaintained since June 2021—over 3 years ago. The implicit latest tag pulls a stale container with outdated dependencies and potential security vulnerabilities.

Recommendations:

1. Use cibuilds/github instead, a lighter, maintained CircleCI convenience image with ghr pre-installed and pin to a specific version digest
2. Alternatively, replace the Docker image step with direct Go installation in the run command to fetch the latest ghr binary
3. Pin both the image tag and ghr version to ensure reproducible, secure builds

🤖 Prompt for AI Agents

In .circleci/config.yml around lines 205 to 215 the job uses the unmaintained
ardd97/ghr Docker image (implicit latest) which is stale and insecure; replace
it with a maintained, pinned image (for example use cibuilds/github with a
specific digest or tagged version) or convert the step to a run step that
installs a specific ghr release (pin the ghr version) at runtime; ensure you
update the docker: image field to the chosen pinned image or add the
installation commands in the publish step, and document the pinned ghr version
so builds remain reproducible.