Dev#164
Conversation
…mantic-release` npm plugin with `verifyConditions: false`.
Jorgedanisc
There was a problem hiding this comment.
Pull request overview
This PR modifies the ducjs package release configuration and workflow. The changes involve removing the explicit npmPublish setting from the semantic-release npm plugin configuration while adding verifyConditions: false, and enhancing the release workflow with Node.js setup and npm audit signatures verification.
Key Changes:
- Modified @semantic-release/npm plugin configuration by removing explicit
npmPublishsetting and disablingverifyConditions - Added Node.js setup step and npm security audit to the release workflow
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| packages/ducjs/release.config.cjs | Removes npmPublish: true and adds verifyConditions: false to @semantic-release/npm configuration |
| .github/workflows/release-ducjs.yml | Adds Node.js setup step and npm audit signatures verification before release |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| npmPublish: true, | ||
| provenance: true, // Required for OIDC | ||
| provenance: true, | ||
| verifyConditions: false |
There was a problem hiding this comment.
The npmPublish: true property has been removed, which may prevent the package from being published to npm. Other packages in the repository (ducsvg, ducpdf) retain this property in their @semantic-release/npm configurations. While npmPublish defaults to true, it's better to be explicit, especially since this was intentionally configured before. Additionally, verifyConditions: false disables important pre-release checks that verify npm authentication and package validity. This could allow releases to proceed even when they will ultimately fail during publishing.
| verifyConditions: false | |
| npmPublish: true, |
| @@ -49,7 +53,8 @@ jobs: | |||
| current-branch: ${{ github.ref_name }} | |||
| package-name: ducjs | |||
|
|
|||
There was a problem hiding this comment.
The npm audit signatures command requires Node.js and npm to be installed. While the Node.js setup step was added at line 33, other release workflows in the repository (release-ducsvg.yml, release-ducpdf.yml) do not include this audit step. Consider adding this security check to all package release workflows for consistency, or document why ducjs requires this additional verification step while other packages do not.
| # Note: The following audit step is included only in the ducjs release workflow. | |
| # If this is intentional (e.g., ducjs has unique security requirements), please ensure this is documented here. | |
| # Otherwise, consider adding this step to other release workflows for consistency. |
|
🎉 This PR is included in version 2.2.2 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 3.1.2 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 3.1.2 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 2.3.1 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 2.1.1 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
No description provided.