chore: add js release workflow #448

Open
sd2k wants to merge 1 commit into main from add-js-release-workflow

sd2k (Collaborator) commented Feb 24, 2026

Adds a GitHub Actions workflow to build, test, and publish the npm
package for @bsull/augurs using trusted publishing.

Summary by CodeRabbit

  • Chores
    • Added automated CI/CD workflow for building, testing, and publishing the JavaScript package to npm on releases.

coderabbitai bot (Contributor) commented Feb 24, 2026

Walkthrough

A GitHub Actions workflow is added to automate building, testing, and publishing the @bsull/augurs JavaScript package. The workflow includes two sequential jobs: build-and-test (which builds the WASM package and runs tests) and publish (which deploys to npm on release events).

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflow: .github/workflows/js-release.yml | New CI/CD workflow with two jobs: build-and-test triggered on augurs-v* releases/dispatch (installs Rust nightly, wasm32 target, builds WASM, runs typecheck and tests, uploads artifact); publish triggered after build succeeds (downloads artifact, publishes to npm with OIDC provenance and public access). |

Sequence Diagram

sequenceDiagram
    actor User
    participant GitHub as GitHub Actions
    participant Rust as Rust Toolchain
    participant Builder as WASM Builder
    participant Tests as Test Suite
    participant Artifacts as Artifact Storage
    participant NPM as npm Registry

    User->>GitHub: Push release tag or dispatch workflow
    GitHub->>Rust: Install nightly + wasm32 target
    Rust-->>GitHub: Toolchain ready
    GitHub->>Builder: Build augurs-js with wasm-pack
    Builder-->>GitHub: Build complete
    GitHub->>Tests: Run typecheck and unit tests
    Tests-->>GitHub: Tests passed
    GitHub->>Artifacts: Upload js-package artifact (5-day retention)
    Artifacts-->>GitHub: Artifact stored
    GitHub->>NPM: Download artifact & publish to npm
    NPM-->>GitHub: Package published with OIDC provenance
    GitHub-->>User: Workflow complete

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 A workflow springs to life, so fine,
With Rust and npm, stars align,
Test and build with careful care,
Then publish to npm's air!
Automation hops with glee,
Releasing what will be! 📦✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: adding a JavaScript release workflow file to automate building, testing, and publishing the npm package. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

coderabbitai bot (Contributor) left a comment

🧹 Nitpick comments (4)
.github/workflows/js-release.yml (4)

61-64: registry-url is unnecessary in the build-and-test job.

This option configures .npmrc for publishing auth (it's only needed in the publish job). The default npm registry is already https://registry.npmjs.org, so this setting is redundant for test runs.

🧹 Proposed cleanup
  - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
    with:
      node-version-file: js/.node-version
-     registry-url: "https://registry.npmjs.org"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/js-release.yml around lines 61 - 64, Remove the
unnecessary registry-url setting from the actions/setup-node step used in the
build-and-test job: in the setup-node invocation that uses node-version-file:
js/.node-version, delete the registry-url: "https://registry.npmjs.org" entry so
tests use the default registry; keep any registry-url configuration only in the
publish job's setup-node step where publishing auth is required.

93-110: Reorder steps: checkout before artifact download to avoid fragile workspace state.

actions/checkout defaults to clean: true (git clean -ffdx). On a fresh GitHub-hosted runner this is harmless (no pre-existing .git), but on any runner with a pre-existing workspace the checkout would delete the downloaded package/ directory before npm publish has a chance to use it. The canonical order is checkout → download.

🔧 Proposed reorder
    steps:
-     - name: Download JS package
-       uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
-       with:
-         name: js-package
-         path: package/
-
-     - name: Checkout sources
-       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-       with:
-         persist-credentials: false
-
-     - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
-       with:
-         node-version-file: js/.node-version
-         registry-url: "https://registry.npmjs.org"
+     - name: Checkout sources
+       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+       with:
+         persist-credentials: false
+
+     - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+       with:
+         node-version-file: js/.node-version
+         registry-url: "https://registry.npmjs.org"
+
+     - name: Download JS package
+       uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+       with:
+         name: js-package
+         path: package/
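Review bot: With the download moved last, path: package/ is extracted into the checked-out tree, so a tracked package/ directory in the repository would be merged with the artifact and could end up in what the publish step (working-directory: package) ships. Download to a directory that cannot collide with repository contents, or confirm the repository has no package/ directory. The checkout in this job appears to serve only node-version-file: js/.node-version, so a sparse checkout of that one file would also narrow what the publish job has on disk.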
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/js-release.yml around lines 93 - 110, The workflow step
order is fragile: the "Checkout sources" step (uses: actions/checkout) must run
before "Download JS package" (uses: actions/download-artifact) so the checkout's
git-clean won't remove the downloaded package; reorder the steps so the
actions/checkout step executes prior to actions/download-artifact, keeping the
subsequent setup-node and "Publish to npm" (working-directory: package) steps
unchanged.

109-111: --provenance is redundant when using npm trusted publishing.

When you publish using trusted publishing, npm automatically generates and publishes provenance attestations for your package — you don't need to add the --provenance flag to your publish command. The flag is harmless but can be dropped for clarity.

🧹 Proposed cleanup
-     run: npm publish --provenance --access public
+     run: npm publish --access public
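Review bot: Removing --provenance from the run: line also removes the only visible guard that makes the publish fail when no provenance can be generated. With the flag, npm publish errors out if OIDC is not available to the job; without it, a later switch to token-based auth would publish without an attestation and nothing would fail. Keep the flag, or add a comment next to the step saying that provenance depends on trusted publishing being configured for this package.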
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/js-release.yml around lines 109 - 111, Remove the
redundant --provenance flag from the GitHub Actions "Publish to npm" step;
locate the step named "Publish to npm" that runs the command npm publish
--provenance --access public and edit the run line to call npm publish --access
public instead, leaving the working-directory and access settings unchanged.

49-52: dtolnay/rust-toolchain is missing a version comment.

All other pinned actions include a # vX.Y.Z comment for auditability. Add the version tag as a comment for consistency:

- - uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9
+ - uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # v1.93.1
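Review bot: The # v1.93.1 comment on the added line is not enforced by anything, and nothing in this hunk shows that the SHA resolves to that ref, so check it against the action's repository before committing it; a wrong version comment is worse for auditing than a missing one. It also reads like a Rust release number while the walkthrough says this job installs nightly, so a short note on which toolchain the step installs would keep the comment from being read as the compiler version.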
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/js-release.yml around lines 49 - 52, Add a version comment
for the pinned GitHub Action: update the dtolnay/rust-toolchain invocation
(dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9) to include a
trailing comment with its semantic version like the other actions (e.g. append a
"# vX.Y.Z" comment on the same line) so the action pin remains auditable and
consistent with other entries.

ℹ️ Review info

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6c527a7 and 6b9f865.

📒 Files selected for processing (1)
  • .github/workflows/js-release.yml
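
Three of the review's findings (SHA pins without a version comment, download-artifact before checkout, registry-url in a job that does not publish) can be checked mechanically in CI. The following is an added example, not code from the PR or from CodeRabbit; the function name audit is hypothetical, the sample is constructed from step lines quoted in the review, and matching is line-based and assumes two-space job indentation rather than a full YAML parse.

```python
import re
# Constructed sample: step lines quoted in the review, in their pre-review order.
SAMPLE = """\
jobs:
  build-and-test:
    steps:
      - uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9
      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          node-version-file: js/.node-version
          registry-url: "https://registry.npmjs.org"
  publish:
    steps:
      - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
        with:
          registry-url: "https://registry.npmjs.org"
      - run: npm publish --provenance --access public
"""

JOB = re.compile(r"^  ([\w-]+):\s*$")  # assumption: jobs are indented two spaces
USES = re.compile(r"uses:\s*([\w./-]+)@(\S+)(?:[ \t]+#[ \t]*(\S+))?")

def audit(text):
    """Return sorted (job, finding) pairs for three of the review's checks."""
    jobs, job = {}, None
    for line in text.splitlines():
        if m := JOB.match(line):
            job = m.group(1)
            jobs[job] = []
        elif job:
            jobs[job].append(line)
    out = []
    for job, lines in jobs.items():
        body = "\n".join(lines)
        order = []
        for action, ref, note in USES.findall(body):
            order.append(action)
            if not re.fullmatch(r"[0-9a-f]{40}", ref):
                out.append((job, action + ": not pinned to a full commit SHA"))
            elif not note:
                out.append((job, action + ": SHA pin has no version comment"))
        dl, co = "actions/download-artifact", "actions/checkout"
        if dl in order and co in order and order.index(dl) < order.index(co):
            out.append((job, "download-artifact runs before checkout"))
        if "registry-url:" in body and "npm publish" not in body:
            out.append((job, "registry-url set in a job that does not publish"))
    return sorted(out)
```

The --provenance finding is left out on purpose, since the flag is described in the review as harmless.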
