Skip to content

Dev#168

Merged
jorgedanisc merged 2 commits into
mainfrom
dev
Dec 14, 2025
Merged

Dev#168
jorgedanisc merged 2 commits into
mainfrom
dev

Conversation

@jorgedanisc

Copy link
Copy Markdown
Contributor

No description provided.

@jorgedanisc jorgedanisc self-assigned this Dec 14, 2025
Copilot AI review requested due to automatic review settings December 14, 2025 01:43

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR modifies the release configuration for ducsvg and ducpdf packages, removing the @semantic-release/npm plugin and updating the corresponding GitHub Actions workflows to include Node.js setup, npm update, and security verification steps.

Key changes:

  • Removes @semantic-release/npm plugin from release configurations while keeping npm publish in @semantic-release/exec
  • Adds Node.js setup, npm 11.5.1+ update, and npm audit signatures steps to release workflows
  • Minor formatting changes to workflow step names

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

File Description
packages/ducsvg/release.config.cjs Removes @semantic-release/npm plugin configuration with provenance settings
packages/ducpdf/release.config.cjs Removes @semantic-release/npm plugin configuration with provenance settings
.github/workflows/release-ducsvg.yml Adds Node.js setup, npm update, and npm audit signatures steps; includes extra blank lines
.github/workflows/release-ducpdf.yml Adds Node.js setup, npm update, and npm audit signatures steps; includes extra blank lines; renames release step

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

"@semantic-release/exec",
{
prepareCmd: "node ../../scripts/semrel-set-version.js packages/ducsvg ${nextRelease.version}",
publishCmd: "npm publish",

Copilot AI Dec 14, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The publishCmd uses plain "npm publish" without the --provenance flag. This removes the OIDC-based provenance attestation that was previously configured via the @semantic-release/npm plugin. Provenance attestations are important for supply chain security as they provide verifiable information about how the package was built and published. Even though the workflow has id-token: write permission and npm 11.5.1+ is installed, the --provenance flag must be explicitly passed to npm publish for provenance to be generated. Consider either keeping the @semantic-release/npm plugin with provenance: true or changing this to "npm publish --provenance".

Suggested change
publishCmd: "npm publish",
publishCmd: "npm publish --provenance",

Copilot uses AI. Check for mistakes.
"@semantic-release/exec",
{
prepareCmd: "node ../../scripts/semrel-set-version.js packages/ducpdf ${nextRelease.version}",
publishCmd: "npm publish",

Copilot AI Dec 14, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The publishCmd uses plain "npm publish" without the --provenance flag. This removes the OIDC-based provenance attestation that was previously configured via the @semantic-release/npm plugin. Provenance attestations are important for supply chain security as they provide verifiable information about how the package was built and published. Even though the workflow has id-token: write permission and npm 11.5.1+ is installed, the --provenance flag must be explicitly passed to npm publish for provenance to be generated. Consider either keeping the @semantic-release/npm plugin with provenance: true or changing this to "npm publish --provenance".

Suggested change
publishCmd: "npm publish",
publishCmd: "npm publish --provenance",

Copilot uses AI. Check for mistakes.
- name: Update npm
run: npm install -g npm@latest


Copilot AI Dec 14, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are two consecutive blank lines here. This appears to be unintentional extra whitespace. Remove one of the blank lines to maintain consistent formatting.

Suggested change

Copilot uses AI. Check for mistakes.
- name: Update npm
run: npm install -g npm@latest


Copilot AI Dec 14, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are two consecutive blank lines here. This appears to be unintentional extra whitespace. Remove one of the blank lines to maintain consistent formatting.

Suggested change

Copilot uses AI. Check for mistakes.
@jorgedanisc jorgedanisc merged commit 2d59979 into main Dec 14, 2025
8 checks passed
@github-actions

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 3.1.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 3.1.2 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 2.3.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 2.2.3 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions

Copy link
Copy Markdown
Contributor

🎉 This PR is included in version 2.1.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

jorgedanisc added a commit that referenced this pull request Jun 2, 2026
jorgedanisc added a commit that referenced this pull request Jun 4, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants