ci(mono-pub): run publish job from LTS node #28
| Original file line number | Diff line number | Diff line change | ||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,38 @@ | ||||||||||||||||||||||
| name: Publish NPM packages | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| permissions: | ||||||||||||||||||||||
| contents: write | ||||||||||||||||||||||
| id-token: write | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
|
|
||||||||||||||||||||||
| on: | ||||||||||||||||||||||
| push: | ||||||||||||||||||||||
| branches: [ "main" ] | ||||||||||||||||||||||
| pull_request: | ||||||||||||||||||||||
| branches: [ "main" ] | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
|
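Review bot: the `permissions:` block at +3 to +5 is declared at workflow level, so `contents: write` and `id-token: write` are inherited by every job in this file, and the `pull_request` trigger at +8/+9 means the job that holds them also runs for pull-request events. Move the block under `jobs.publish` with only the scopes the publish step needs (`contents: read` unless a tag or release is pushed, `id-token: write` only if an OIDC exchange is actually added), and drop the `pull_request` trigger so release permissions are granted only on pushes to `main`.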
Comment on lines +8 to +13

Reconsider workflow triggers for package publishing

Running the publish workflow on PR events could be risky:

Consider this configuration instead (committable suggestion):

    on:
      push:
        branches: [ "main" ]
    - pull_request:
    -   branches: [ "main" ]
|
||||||||||||||||||||||
| jobs: | ||||||||||||||||||||||
| publish: | ||||||||||||||||||||||
| runs-on: ubuntu-22.04 | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| steps: | ||||||||||||||||||||||
| - name: Checkout code | ||||||||||||||||||||||
| uses: actions/checkout@v4 | ||||||||||||||||||||||
| with: | ||||||||||||||||||||||
| fetch-depth: 0 | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| - name: Setup Node.js environment | ||||||||||||||||||||||
| uses: actions/setup-node@v4 | ||||||||||||||||||||||
| with: | ||||||||||||||||||||||
| cache: 'yarn' | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
|
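Review bot: `actions/checkout@v4` at +22 and `actions/setup-node@v4` at +25 are pinned to mutable major tags; for a job that holds write permissions, pin each action to a full commit SHA (with the tag in a trailing comment) so that a moved tag cannot change what runs at publish time. `fetch-depth: 0` at +24 is needed by the `git tag --merged` call later in the file, so it should stay; since no step in this hunk pushes with the checkout token, `persist-credentials: false` on the checkout step would keep the token out of the workspace.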
Comment on lines +24 to +28

Specify Node.js LTS version

As per PR objective to run from LTS node, the Node.js version should be explicitly specified.

Committable suggestion:

      - name: Setup Node.js environment
        uses: actions/setup-node@v4
        with:
    +     node-version: 'lts/*'
          cache: 'yarn'
|
||||||||||||||||||||||
| - name: Install dependencies | ||||||||||||||||||||||
| run: yarn --immutable | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| # NOTE: Mono-pub uses itself to publish its packages, so we need to prebuild them | ||||||||||||||||||||||
| - name: Build packages | ||||||||||||||||||||||
| run: yarn build | ||||||||||||||||||||||
|
|
||||||||||||||||||||||
| - name: Debug 1 | ||||||||||||||||||||||
| run: | | ||||||||||||||||||||||
| git tag --merged | ||||||||||||||||||||||
|
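Review bot: the hunk ends at the `Debug 1` step (+36 to +38), so the job named `publish` in a workflow called "Publish NPM packages" never publishes anything; either the publish step is missing, or, if this file is the debug workflow (the later review names it `.github/workflows/nodejs.packages.debug.yml`), the workflow and job names should say so, because a file with this name and write permissions reads as a release pipeline. `yarn --immutable` at +30 is the right choice for either case, since it fails instead of silently rewriting `yarn.lock`.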
Comment on lines +36 to +38

Debug step appears incomplete

The debug step only shows merged tags but doesn't provide meaningful debugging information. Consider:

Committable suggestion:

      - name: Debug 1
        run: |
    -     git tag --merged
    +     git status
    +     git tag --merged
    +     yarn workspaces list
    +     yarn workspaces foreach npm version
|
||||||||||||||||||||||
💡 Codebase verification

Permissions are unnecessarily broad for the debug workflow

The `id-token: write` permission is not used in this workflow as there's no OIDC authentication or token exchange. Additionally, `contents: write` is excessive since the debug workflow only reads git tags. Suggested permissions: `.github/workflows/nodejs.packages.debug.yml`: remove `id-token: write` and downgrade `contents` to `read`.

🔗 Analysis chain

Review and restrict permissions scope

The workflow has broad write permissions that should be reviewed:
- `contents: write` might be too permissive if only needed for tagging
- `id-token: write` suggests OIDC usage, but no OIDC configuration is present in the workflow
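As an added example, not part of the PR or the mono-pub project, the following POSIX sh script turns the review points above into checks that run over a workflow file: a `pull_request` trigger on a publish workflow, workflow-level write permissions, and actions pinned to mutable tags instead of commit SHAs. Both sample workflows are constructed here (the first mirrors the hunk under review, the second is a hardened variant whose all-zero SHA is a placeholder, not a real commit), and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the PR or the mono-pub project: a POSIX sh audit
# that applies the review findings above to a workflow file. Function names
# and the sample files are this example's own.
set -eu

# Constructed sample mirroring the hunk under review.
SAMPLE="${TMPDIR:-/tmp}/publish-sample.$$.yml"
cat > "$SAMPLE" <<'EOF'
name: Publish NPM packages

permissions:
  contents: write
  id-token: write

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  publish:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Setup Node.js environment
        uses: actions/setup-node@v4
        with:
          cache: 'yarn'
EOF

# Constructed hardened variant: push-only trigger, job-scoped read permission,
# action pinned to a commit SHA (the all-zero SHA is a placeholder, not a real commit).
HARDENED="${TMPDIR:-/tmp}/publish-hardened.$$.yml"
cat > "$HARDENED" <<'EOF'
name: Publish NPM packages

on:
  push:
    branches: [ "main" ]

jobs:
  publish:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
EOF
trap 'rm -f "$SAMPLE" "$HARDENED"' EXIT

# Finding 1: a publish workflow triggered by pull_request runs for PR events
# while the job holds release permissions; expect push (or tag) triggers only.
check_pull_request_trigger() {
  grep -Eq '^[[:space:]]+pull_request(_target)?:' "$1" &&
    echo "trigger: pull_request trigger on a publish workflow"
  return 0
}

# Finding 2: workflow-level (column 0) permissions are inherited by every job;
# write scopes belong on the job that needs them.
check_workflow_permissions() {
  awk '
    /^permissions:/ { inblock = 1; next }
    /^[^[:space:]]/ { inblock = 0 }
    inblock && /:[[:space:]]*write/ {
      sub(/^[[:space:]]+/, ""); sub(/:.*/, "")
      printf "permissions: workflow-level %s: write\n", $0
    }' "$1"
}

# Finding 3: a mutable tag such as @v4 can be moved; pin actions to a 40-hex SHA.
check_unpinned_actions() {
  grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" |
    sed -E 's/.*uses:[[:space:]]*//' |
    grep -Ev '@[0-9a-f]{40}([[:space:]]|$)' |
    sed 's/^/pin: not pinned to a commit SHA: /'
  return 0
}

# Run all checks; one finding per line.
audit_workflow() {
  check_pull_request_trigger "$1"
  check_workflow_permissions "$1"
  check_unpinned_actions "$1"
}

# Number of findings (0 when the file passes).
count_findings() {
  audit_workflow "$1" | awk 'END { print NR }'
}

audit_workflow "$SAMPLE"
echo "sample findings: $(count_findings "$SAMPLE"), hardened findings: $(count_findings "$HARDENED")"
```

Run as `sh audit.sh`: the sample mirroring the hunk yields five findings (the trigger, two workflow-level write scopes, two unpinned actions) and the hardened variant yields none. The checks are deliberately line-oriented so they need nothing beyond `grep`, `sed` and `awk`; a real YAML parser would be needed to handle permissions expressed as `permissions: write-all` or triggers written in flow style.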