Skip to content
Merged

Dev #164

Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion .github/workflows/release-ducjs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,10 @@ jobs:
run: |
git config user.name "GitHub Action"
git config user.email "action@github.com"
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: "lts/*"
- name: Setup Bun
uses: oven-sh/setup-bun@v2
with:
Expand All @@ -49,7 +53,8 @@ jobs:
current-branch: ${{ github.ref_name }}
package-name: ducjs

Copilot AI Dec 14, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The npm audit signatures command requires Node.js and npm to be installed. While the Node.js setup step was added at line 33, other release workflows in the repository (release-ducsvg.yml, release-ducpdf.yml) do not include this audit step. Consider adding this security check to all package release workflows for consistency, or document why ducjs requires this additional verification step while other packages do not.

Suggested change
# Note: The following audit step is included only in the ducjs release workflow.
# If this is intentional (e.g., ducjs has unique security requirements), please ensure this is documented here.
# Otherwise, consider adding this step to other release workflows for consistency.

Copilot uses AI. Check for mistakes.

- name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
run: npm audit signatures
- name: Release
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand Down
4 changes: 2 additions & 2 deletions packages/ducjs/release.config.cjs
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,8 @@ module.exports = {
[
"@semantic-release/npm",
{
npmPublish: true,
provenance: true, // Required for OIDC
provenance: true,
verifyConditions: false

Copilot AI Dec 14, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The npmPublish: true property has been removed, which may prevent the package from being published to npm. Other packages in the repository (ducsvg, ducpdf) retain this property in their @semantic-release/npm configurations. While npmPublish defaults to true, it's better to be explicit, especially since this was intentionally configured before. Additionally, verifyConditions: false disables important pre-release checks that verify npm authentication and package validity. This could allow releases to proceed even when they will ultimately fail during publishing.

Suggested change
verifyConditions: false
npmPublish: true,

Copilot uses AI. Check for mistakes.
},
],
"@semantic-release/github",
Expand Down