Setup workflows

[siva-spotdraft]

Summary by CodeRabbit

• Chores
  • Renamed the published package to @spotdraft/liquidjs—update installation/imports accordingly.
  • Added a master workflow to build and publish on master pushes using Node.js 20 and Google Artifact Registry; includes auth, dependency install, and publish steps.
  • Added a PR workflow to run builds and a dry-run publish (using Node.js 24) for pull request validation.

[coderabbitai]

Walkthrough

Adds two GitHub Actions workflows: one that publishes on pushes to master and one that runs a PR dry-run; and renames the published package from liquidjs to @spotdraft/liquidjs. No source code or API changes.

Changes

Cohort / File(s)	Summary
CI workflow: publish on master .github/workflows/master.yaml	New workflow triggered on pushes to master: checks out code; sets up Node.js v20; authenticates to GCP via Workload Identity and a service account; configures gcloud project; obtains Artifact Registry npm token; runs npm install and npm publish.
CI workflow: PR dry-run .github/workflows/pr.yaml	New PR workflow triggered on PR events against master: checks out code; sets Node.js v24; sets permissions (contents read, id-token write, packages write); authenticates to GCP via Workload Identity; configures gcloud and npm registry token; runs npm install and a dry-run npm publish.
Package metadata rename package.json	Updated package name from liquidjs to @spotdraft/liquidjs. No other metadata, version, scripts, dependencies, or public API changes.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Dev as Developer
    participant GH as GitHub Actions
    participant GCP as Google Cloud (Workload Identity)
    participant AR as Artifact Registry (npm)

    Dev->>GH: Push to master
    activate GH
    GH->>GH: actions/checkout\nsetup-node@v20
    GH->>GCP: Authenticate (workload identity)\nAssume service account
    GCP-->>GH: Access token
    GH->>AR: Configure npm auth (token)
    GH->>GH: npm install
    GH->>AR: npm publish
    AR-->>GH: Publish result
    deactivate GH

Loading

sequenceDiagram
    autonumber
    participant Dev as Developer
    participant GH as GitHub Actions (PR workflow)
    participant GCP as Google Cloud (Workload Identity)
    participant AR as Artifact Registry (npm)

    Dev->>GH: Open/sync/reopen PR -> target master
    activate GH
    GH->>GH: actions/checkout\nsetup-node@v24
    GH->>GCP: Authenticate (workload identity)\nAssume service account
    GCP-->>GH: Access token
    GH->>AR: Configure npm auth (token)
    GH->>GH: npm install
    GH->>AR: npm publish (dry-run)
    AR-->>GH: Dry-run result
    deactivate GH

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

I thump my paws—release day cheer!
A master push, the clouds draw near.
Tokens twirl, the registry sings,
Our name now scoped with brighter rings.
Hop hop—package launched with glee! 🐇🚀

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title “Setup workflows” succinctly captures the primary purpose of this changeset, which is to add and configure GitHub Actions workflows, making it clear and directly related to the main modifications in the pull request.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch setup-workflows

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

package.json (1)

2-2: Add publishConfig to lock the publish target.

Right now a developer running npm publish locally would fall back to the default registry if their .npmrc isn’t primed, risking an accidental push to npmjs. Add a publishConfig.registry pointing at Artifact Registry so every publish path stays scoped correctly.(docs.github.com)

   "name": "@spotdraft/liquidjs",
   "version": "3.1.0",
   ...
   "postversion": "git push && git push --tags"
-  }
+  },
+  "publishConfig": {
+    "registry": "https://asia-south1-npm.pkg.dev/spotdraft-qa/npm/"
+  }

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9ce1515 and f03ecfb.

📒 Files selected for processing (2)

• .github/workflows/master.yaml (1 hunks)
• package.json (1 hunks)

🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/master.yaml

8-8: label "ubicloud-standard-2" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add always-auth=true so npm actually sends the token.

Artifact Registry’s own guidance keeps an always-auth=true entry alongside the _authToken. Without it, npm can skip attaching the token on preliminary GET/HEAD requests when publishing, which leads to intermittent 401s during npm publish. Please add the flag when building .npmrc.(cloud.google.com)

           TOKEN=$(gcloud auth print-access-token)
           rm -rf .npmrc
-          echo -e "\n//asia-south1-npm.pkg.dev/spotdraft-qa/npm/:_authToken=\"$TOKEN\"" >> .npmrc
+          echo -e "\n//asia-south1-npm.pkg.dev/spotdraft-qa/npm/:always-auth=true" >> .npmrc
+          echo "//asia-south1-npm.pkg.dev/spotdraft-qa/npm/:_authToken=\"$TOKEN\"" >> .npmrc
           echo "@spotdraft:registry=https://asia-south1-npm.pkg.dev/spotdraft-qa/npm/" >> .npmrc

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Configure NPM to use Artifact Registry
	run: |
	TOKEN=$(gcloud auth print-access-token)
	rm -rf .npmrc
	echo -e "\n//asia-south1-npm.pkg.dev/spotdraft-qa/npm/:_authToken=\"$TOKEN\"" >> .npmrc
	echo "@spotdraft:registry=https://asia-south1-npm.pkg.dev/spotdraft-qa/npm/" >> .npmrc
	- name: Configure NPM to use Artifact Registry
	run: |
	TOKEN=$(gcloud auth print-access-token)
	rm -rf .npmrc
	echo -e "\n//asia-south1-npm.pkg.dev/spotdraft-qa/npm/:always-auth=true" >> .npmrc
	echo "//asia-south1-npm.pkg.dev/spotdraft-qa/npm/:_authToken=\"$TOKEN\"" >> .npmrc
	echo "@spotdraft:registry=https://asia-south1-npm.pkg.dev/spotdraft-qa/npm/" >> .npmrc

🤖 Prompt for AI Agents

In .github/workflows/master.yaml around lines 35 to 40, the workflow writes an
.npmrc with the _authToken and registry but omits the always-auth flag; update
the script that builds .npmrc to append an always-auth=true entry (for the
registry in question) immediately after writing the _authToken so npm will
always send the token and avoid intermittent 401s during publish.

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f03ecfb and ec25196.

📒 Files selected for processing (1)

• .github/workflows/pr.yaml (1 hunks)

🧰 Additional context used

🪛 actionlint (1.7.7)

.github/workflows/pr.yaml

8-8: label "ubicloud-standard-2" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Fix _authToken quoting to avoid authentication failure.

.npmrc keeps the double quotes you echo around ${TOKEN}, so npm sends Bearer "token" and Artifact Registry rejects the publish (dry-run or real). Drop the quotes and write the file in one shot.

-          TOKEN=$(gcloud auth print-access-token)
-          rm -rf .npmrc
-          echo -e "\n//asia-south1-npm.pkg.dev/spotdraft-qa/npm/:_authToken=\"$TOKEN\"" >> .npmrc
-          echo "@spotdraft:registry=https://asia-south1-npm.pkg.dev/spotdraft-qa/npm/" >> .npmrc
+          TOKEN="$(gcloud auth print-access-token)"
+          cat <<'EOF' > .npmrc
+//asia-south1-npm.pkg.dev/spotdraft-qa/npm/:_authToken=${TOKEN}
+@spotdraft:registry=https://asia-south1-npm.pkg.dev/spotdraft-qa/npm/
+EOF

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents

In .github/workflows/pr.yaml around lines 37 to 40, the current echo adds
literal double quotes around the auth token and appends each line separately;
change it to write the .npmrc in a single write operation and remove the
surrounding quotes so the _authToken is written as ...:_authToken=<TOKEN> (no
quotes). Ensure the command writes both registry lines to .npmrc atomically
(overwrite, not append) and that the token is inserted raw so npm sends Bearer
<token> without embedded quotes.