chore: npm publish & release-please setup#18
Merged
Conversation
Add track artifacts (spec, plan, metadata) and begin implementation. Refs #16
Configure release-please to manage @pleaseai/ask (packages/cli) releases with conventional commits and node release type. Refs #16
Add repository, files, and publishConfig fields required for publishing @pleaseai/ask to npm with public access. Refs #16
- Job 1: release-please creates/updates Release PR on push to main - Job 2: on release, bun pack (workspace dep resolution) + npm publish --provenance - Uses OIDC (id-token: write) for SLSA provenance attestation - npm environment for trusted publisher support Refs #16
Without explicit tarball path, npm publish re-packages from directory and ignores bun pack's resolved workspace dependencies. Refs #16
6 tasks
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
bun pack does not exist; the correct command is bun pm pack. Refs #16
Contributor
There was a problem hiding this comment.
2 issues found across 8 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name=".github/workflows/release.yml">
<violation number="1" location=".github/workflows/release.yml:10">
P2: Avoid granting `id-token: write` at workflow scope; it unnecessarily expands OIDC token permissions to non-publish jobs.</violation>
<violation number="2" location=".github/workflows/release.yml:40">
P2: Pin Bun to a specific version in the release workflow to keep publish builds reproducible and aligned with the repo toolchain.</violation>
</file>
Architecture diagram
sequenceDiagram
participant Dev as Maintainer
participant GHA as GitHub Actions
participant RP as Release Please
participant npm as npm Registry (OIDC)
Note over Dev, npm: Setup: Configure Trusted Publisher (OIDC) on npmjs.com
Dev->>GHA: Push/Merge to 'main' branch
GHA->>RP: NEW: Run release-please-action
RP->>RP: Parse conventional commits
RP->>GHA: NEW: Create/Update Release PR (version bump + changelog)
Note over Dev, GHA: Execution: Merging the Release PR
Dev->>GHA: Merge Release PR to 'main'
GHA->>RP: NEW: Run release-please-action
RP-->>GHA: Output: release_created=true, tag_name=vX.Y.Z
alt NEW: Release Created
GHA->>GHA: NEW: bun install (frozen-lockfile)
GHA->>GHA: NEW: bun run build (packages/cli)
GHA->>GHA: NEW: bun pack (resolves workspace dependencies)
Note over GHA, npm: Auth via GitHub OIDC Token (id-token: write)
GHA->>npm: NEW: npm publish --provenance (SLSA attestation)
alt Success
npm-->>GHA: 200 OK (Package Published)
else Failure (e.g. Auth/Version Conflict)
npm-->>GHA: 4xx/5xx Error
Note right of GHA: Job Fails (Requires manual retry or fix)
end
else No release created
Note right of GHA: Skip npm-publish job
end
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
packages/clionly).github/workflows/release.ymlwith two jobs: release-please + npm publishpackages/cli/package.jsonwithrepository,files,publishConfigfieldsbun pack(workspace dep resolution) →npm publish --provenance(SLSA attestation)environment: npm+id-token: writeCloses #16
Setup Required
After merging, repo admin must:
npmenvironment in GitHub repo settings@pleaseai/ask(or addNPM_TOKENsecret as fallback)Test Plan
release-please-config.jsonis valid JSON.release-please-manifest.jsonversion matchespackages/cli/package.jsonrelease.ymlsyntax withactionlintor GitHub Actions linterSummary by cubic
Automates releases and npm publishing for
@pleaseai/ask(packages/cli) using release-please and GitHub Actions. On Release PR merge, builds withbun, packs viabun pm packinto a tarball, then publishes that tarball to npm with provenance via trusted publisher (OIDC), addressing #16.npmenvironment in GitHub repo settings.@pleaseai/ask(or addNPM_TOKENas a fallback).Written for commit 34da69b. Summary will update on new commits.