Dev#168
Conversation
fix: update ci to publish on npm
There was a problem hiding this comment.
Pull request overview
This PR modifies the release configuration for ducsvg and ducpdf packages, removing the @semantic-release/npm plugin and updating the corresponding GitHub Actions workflows to include Node.js setup, npm update, and security verification steps.
Key changes:
- Removes
@semantic-release/npmplugin from release configurations while keepingnpm publishin@semantic-release/exec - Adds Node.js setup, npm 11.5.1+ update, and npm audit signatures steps to release workflows
- Minor formatting changes to workflow step names
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| packages/ducsvg/release.config.cjs | Removes @semantic-release/npm plugin configuration with provenance settings |
| packages/ducpdf/release.config.cjs | Removes @semantic-release/npm plugin configuration with provenance settings |
| .github/workflows/release-ducsvg.yml | Adds Node.js setup, npm update, and npm audit signatures steps; includes extra blank lines |
| .github/workflows/release-ducpdf.yml | Adds Node.js setup, npm update, and npm audit signatures steps; includes extra blank lines; renames release step |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "@semantic-release/exec", | ||
| { | ||
| prepareCmd: "node ../../scripts/semrel-set-version.js packages/ducsvg ${nextRelease.version}", | ||
| publishCmd: "npm publish", |
There was a problem hiding this comment.
The publishCmd uses plain "npm publish" without the --provenance flag. This removes the OIDC-based provenance attestation that was previously configured via the @semantic-release/npm plugin. Provenance attestations are important for supply chain security as they provide verifiable information about how the package was built and published. Even though the workflow has id-token: write permission and npm 11.5.1+ is installed, the --provenance flag must be explicitly passed to npm publish for provenance to be generated. Consider either keeping the @semantic-release/npm plugin with provenance: true or changing this to "npm publish --provenance".
| publishCmd: "npm publish", | |
| publishCmd: "npm publish --provenance", |
| "@semantic-release/exec", | ||
| { | ||
| prepareCmd: "node ../../scripts/semrel-set-version.js packages/ducpdf ${nextRelease.version}", | ||
| publishCmd: "npm publish", |
There was a problem hiding this comment.
The publishCmd uses plain "npm publish" without the --provenance flag. This removes the OIDC-based provenance attestation that was previously configured via the @semantic-release/npm plugin. Provenance attestations are important for supply chain security as they provide verifiable information about how the package was built and published. Even though the workflow has id-token: write permission and npm 11.5.1+ is installed, the --provenance flag must be explicitly passed to npm publish for provenance to be generated. Consider either keeping the @semantic-release/npm plugin with provenance: true or changing this to "npm publish --provenance".
| publishCmd: "npm publish", | |
| publishCmd: "npm publish --provenance", |
| - name: Update npm | ||
| run: npm install -g npm@latest | ||
|
|
||
|
|
There was a problem hiding this comment.
There are two consecutive blank lines here. This appears to be unintentional extra whitespace. Remove one of the blank lines to maintain consistent formatting.
| - name: Update npm | ||
| run: npm install -g npm@latest | ||
|
|
||
|
|
There was a problem hiding this comment.
There are two consecutive blank lines here. This appears to be unintentional extra whitespace. Remove one of the blank lines to maintain consistent formatting.
|
🎉 This PR is included in version 3.1.2 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 3.1.2 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 2.3.1 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 2.2.3 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
|
🎉 This PR is included in version 2.1.1 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
No description provided.