Merge pull request #91 from Ontos-AI/fix/wangbinqi/node-release-trusted-publishing

suguanYang · web-flow · commit eaf50d3533ec · 2026-06-02T12:20:20.000+08:00
Fix npm trusted publishing release runner
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -40,7 +40,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v6
         with:
-          node-version: 22.12.0
+          node-version: 22.14.0
           cache: npm
           cache-dependency-path: package-lock.json
           registry-url: https://registry.npmjs.org
@@ -97,7 +97,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v6
         with:
-          node-version: 22.12.0
+          node-version: 22.14.0
           cache: npm
           cache-dependency-path: package-lock.json
           registry-url: https://registry.npmjs.org
diff --git a/scripts/publish-release.mjs b/scripts/publish-release.mjs
@@ -10,8 +10,7 @@ if (version.includes('-')) {
 }
 
 if (!releaseUtils.hasPublishedVersion(packageName, version)) {
-  // npm provenance is disabled while this repository is private.
-  // Re-enable `--provenance` when the source repository becomes public.
+  // Keep the publish command plain so npm can use trusted publishing when configured.
   releaseUtils.runCommand('npm', ['publish', '--access', 'public']);
 } else {
   console.log(`${packageName}@${version} is already on npm, skipping npm publish`);
diff --git a/scripts/require-changeset.mjs b/scripts/require-changeset.mjs
@@ -2,23 +2,36 @@ import { execFileSync } from 'node:child_process';
 
 const baseRef = process.argv[2] ?? 'origin/main';
 
-const output = execFileSync(
-  'git',
-  ['diff', '--name-only', '--diff-filter=ACMR', `${baseRef}...HEAD`, '--', '.changeset'],
-  {
-    encoding: 'utf8',
-  },
-);
-
-const changesetFiles = output
+const changedFilesOutput = execFileSync('git', [
+  'diff',
+  '--name-only',
+  '--diff-filter=ACMR',
+  `${baseRef}...HEAD`,
+], {
+  encoding: 'utf8',
+});
+
+const changedFiles = changedFilesOutput
   .split('\n')
   .map((line) => line.trim())
-  .filter(Boolean)
+  .filter(Boolean);
+
+const changesetFiles = changedFiles
   .filter((file) => file.startsWith('.changeset/'))
   .filter((file) => file.endsWith('.md'))
   .filter((file) => !file.endsWith('README.md'));
 
 if (changesetFiles.length === 0) {
+  const changedPackageFiles = changedFiles
+    .filter((file) => !file.startsWith('.changeset/'))
+    .filter((file) => !file.startsWith('.github/'))
+    .filter((file) => !file.startsWith('scripts/'));
+
+  if (changedPackageFiles.length === 0) {
+    console.log('No package-facing files changed; skipping changeset requirement.');
+    process.exit(0);
+  }
+
   throw new Error(`Expected at least one changeset file in .changeset/ relative to ${baseRef}.`);
 }
 

Original file line number	Diff line number	Diff line change
`@@ -10,8 +10,7 @@ if (version.includes('-')) {`
`10`	`10`	`}`
`11`	`11`
`12`	`12`	`if (!releaseUtils.hasPublishedVersion(packageName, version)) {`
`13`		`- // npm provenance is disabled while this repository is private.`
`14`		- // Re-enable `--provenance` when the source repository becomes public.
	`13`	`+ // Keep the publish command plain so npm can use trusted publishing when configured.`
`15`	`14`	`releaseUtils.runCommand('npm', ['publish', '--access', 'public']);`
`16`	`15`	`} else {`
`17`	`16`	console.log(`${packageName}@${version} is already on npm, skipping npm publish`);