feat: implement automated NPM publishing with GitHub Actions #2119
base: develop
🦋 Changeset detected. Latest commit: 78c3447. The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
Pull Request Overview
This PR implements automated NPM publishing with GitHub Actions, replacing manual publishing with a secure CI/CD pipeline that integrates with changesets for version management.
- Adds automated test-and-publish workflow that runs tests/linting on all branches and publishes to NPM only on main branch merges
- Implements release workflow to automatically create Release PRs from develop to main when changesets are detected
- Adds security safeguards including prepublishOnly scripts to prevent manual publishing and minimal GitHub token permissions
Reviewed Changes
Copilot reviewed 5 out of 6 changed files in this pull request and generated 2 comments.
File | Description
---|---
.github/workflows/test-and-publish.yml | New workflow for CI/CD pipeline with testing, building, and NPM publishing
.github/workflows/release.yml | Updated release workflow with explicit security permissions
package.json | Added prepublishOnly script to prevent manual publishing
packages/react/package.json | Added prepublishOnly script to prevent manual publishing
.changeset/lucky-sheep-trade.md | Changeset documenting the automated NPM publishing feature
- name: Configure npm for public publishing | ||
run: | | ||
echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > ~/.npmrc | ||
echo "@ag.ds-next:registry=https://registry.npmjs.org" >> ~/.npmrc | ||
echo "access=public" >> ~/.npmrc | ||
env: | ||
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
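Review bot: `echo "access=public" >> ~/.npmrc` makes public access a runner-wide user setting rather than a property of the packages being released, and the preceding `echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > ~/.npmrc` overwrites whatever user config already exists on the runner while leaving the secret in plain text on disk for every later step in the job. Declare `"publishConfig": { "access": "public" }` in each scoped package's package.json instead, and drop this step in favour of the NODE_AUTH_TOKEN handling that actions/setup-node already provides, so no step has to write the credential itself.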
Copilot (AI), Sep 23, 2025:
The NPM configuration writes the auth token to ~/.npmrc in plain text. Consider using the NODE_AUTH_TOKEN environment variable with actions/setup-node's built-in registry authentication instead, which is more secure and already configured on line 81.
- name: Configure npm for public publishing | |
run: | | |
echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > ~/.npmrc | |
echo "@ag.ds-next:registry=https://registry.npmjs.org" >> ~/.npmrc | |
echo "access=public" >> ~/.npmrc | |
env: | |
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
# Removed insecure step that writes auth token to ~/.npmrc. | |
# If you need to set registry or access for scoped packages, add a step like: | |
# - name: Configure npm registry and access | |
# run: | | |
# echo "@ag.ds-next:registry=https://registry.npmjs.org" >> ~/.npmrc | |
# echo "access=public" >> ~/.npmrc |
echo "Publishing packages to NPM registry..." | ||
yarn publish-changed | ||
env: | ||
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} |
Copilot (AI), Sep 23, 2025:
Both NPM_TOKEN and NODE_AUTH_TOKEN are set to the same secret value, which creates redundancy. Since NODE_AUTH_TOKEN is the standard environment variable used by actions/setup-node for NPM authentication, you can remove NPM_TOKEN and rely solely on NODE_AUTH_TOKEN.
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} |
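The two review comments above both point at the same fix: let actions/setup-node own the registry credential through NODE_AUTH_TOKEN rather than echoing the token into ~/.npmrc and carrying a duplicate NPM_TOKEN. The following publish job is an added illustration of that shape, not the PR's own test-and-publish.yml. It keeps the secret name NPM_TOKEN and the `yarn publish-changed` script from the PR; the install, test and build commands, the Node version and the job name are assumptions, and public access is assumed to be declared per package via `publishConfig.access` in each package.json instead of a runner-wide `access=public`.

```yaml
# Added example, not the PR's own workflow: npm authentication is delegated to
# actions/setup-node (registry-url + NODE_AUTH_TOKEN), so no step writes the
# token to ~/.npmrc and there is a single credential variable on the publish step.
name: test-and-publish

on:
  push:
    branches: [main]

# Least privilege for GITHUB_TOKEN: publishing to npm needs no write access
# to the repository, so the job only reads it.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # Only publish from main; other branches run tests in a separate job.
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20            # assumed Node version
          # registry-url makes setup-node generate an .npmrc that reads the
          # credential from NODE_AUTH_TOKEN at publish time; nothing is echoed
          # to disk by the workflow itself.
          registry-url: 'https://registry.npmjs.org'

      - run: yarn install --frozen-lockfile   # assumed install command
      - run: yarn test                         # assumed test command
      - run: yarn build                        # assumed build command

      - name: Publish changed packages
        run: yarn publish-changed
        env:
          # Single source of truth for the npm credential; no duplicate NPM_TOKEN.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

The credential is exposed only to the publish step's environment, and the scoped-registry and public-access settings that the original step echoed into ~/.npmrc move into each package's own `publishConfig`, where they travel with the package rather than with the runner.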
New GitHub Actions Workflows
Test and Publish Workflow (test-and-publish.yml)
Release Workflow (release.yml)
Security Enhancements
Configuration Updates
Setup Requirements
Before merging, ensure: