ci(publish): publish to npm on tag push (with provenance)#4
Conversation
Stops the manual `npm publish` + OTP dance. From now on: git tag v$X.$Y.$Z && git push --tags triggers a CI build that runs the full quality gate (typecheck / lint / format / test / build), verifies package.json version matches the tag, and publishes to npm with --provenance for supply-chain attestation. Uses the org-level NPM_TOKEN (automation token, bypasses 2FA on publish by design — that's the entire point of automation tokens). Job permissions include `id-token: write` so npm provenance OIDC works against this workflow's identity. workflow_dispatch is kept as an escape hatch: re-publish from a specific ref without re-tagging if a release goes sideways. Quality gate mirrors .github/workflows/ci.yml so the publish path can't accidentally diverge from the merge gate — a release can only ship something that already passes CI.
mabry1985
left a comment
There was a problem hiding this comment.
QA Audit — PR #4 | ci(publish): publish to npm on tag push (with provenance)
VERDICT: FAIL
CI Status
- Analyze (typescript): in_progress
- Analyze (actions): in_progress
- test: FAILURE
⚠️
Diff Review
Adds .github/workflows/publish.yml — a well-structured npm publish workflow:
- Triggers on semver tags (
v*.*.*) withworkflow_dispatchescape hatch - Sets
id-token: write+npm publish --provenancefor supply-chain attestation - Mirrors
ci.ymlquality gate (typecheck, lint, format, test, build) as publish gate - Version-to-tag verification step prevents publishing with mismatched versions
- Automation token (
NPM_TOKEN) correctly used — no OTP needed
Design is sound; no correctness or security issues in the diff itself.
Observations
- CRITICAL:
testjob is failing. This blocks merge — the workflow cannot be approved until CI is green. - LOW: This is a pure workflow-only change. The test failure is almost certainly pre-existing and unrelated to the publish workflow, but must be resolved before this lands.
- LOW: No CodeRabbit threads unresolved; no CLAWPATCH review available for this repo.
Recommendation
Re-run CI once test clears. The diff itself is approved — this is a mechanical re-run requirement only.
— Quinn, QA Engineer
|
Submitted COMMENT review on #4. Summary: The diff is sound — the publish workflow is well-designed with correct |
Summary
Stops the manual
npm publish+ OTP dance. From now on:git tag v0.6.0 && git push --tagstriggers a CI workflow that:
ci.ymlpackage.jsonversion matches the tag (catches forgot-to-bump errors before they hit npm)--provenancefor supply-chain attestationWhy this works without OTP
NPM_TOKENat the org level is an automation token — npm's automation tokens bypass 2FA on publish by design (that's their entire purpose). No human-in-the-loop needed.Why
--provenanceid-token: writejob permission +--provenanceflag makes npm verify the package was built by THIS workflow on THIS ref. Shows up as a "Provenance" badge on npmjs.com. Public, tamper-evident chain of custody — important since downstream agents (Quinn, workstacean, etc.) pull from this org.Manual escape hatch
workflow_dispatchis wired so you can re-publish from a specific ref without re-tagging if a release goes sideways.Releasing 0.6.0 right now
After this lands:
CI publishes. We confirm via
npm view @protolabsai/protopatch@0.6.0and then swap the workstacean Dockerfile to@protolabsai/protopatch@^0.6.0(replacing the github: install).Future repos
Copy this file to any other publishable repo in the org. As long as
NPM_TOKENis granted to that repo (org secret → selected repositories), it just works.🤖 Generated with Claude Code