Skip to content

Fix Publishing Issues#51

Merged
naveensky merged 2 commits intomainfrom
npm-publish
Nov 28, 2025
Merged

Fix Publishing Issues#51
naveensky merged 2 commits intomainfrom
npm-publish

Conversation

@naveensky
Copy link
Contributor

No description provided.

naveensky and others added 2 commits November 28, 2025 13:14
- Upgrade to Node 22 and npm@latest (11.5.1+ required for OIDC)
- Remove --provenance flag (automatic with OIDC)
- Remove NPM_TOKEN dependency

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@naveensky naveensky merged commit f9bc479 into main Nov 28, 2025
2 checks passed
@naveensky naveensky deleted the npm-publish branch November 28, 2025 07:48
@claude
Copy link

claude bot commented Nov 28, 2025

PR Review: Fix Publishing Issues

Summary

This PR modifies the NPM publishing workflow to address publishing issues. The changes include updating Node.js version, removing provenance support, changing the trigger branch, and adding a production environment.

Code Quality & Best Practices

✅ Positive Changes

  • Production environment: Adding environment: production (line 15) is a good practice for protecting sensitive operations
  • Node.js update: Upgrading from Node 20 to 22 brings better performance and newer features
  • Explicit npm update: Adding the npm update step ensures OIDC support compatibility

⚠️ Concerns

1. Branch Configuration Issue (HIGH PRIORITY)

branches:
  - npm-publish

This workflow now triggers on pushes to npm-publish branch, but the DEPLOY.md documentation (lines 7-8) states that deployment happens on pushes to main branch. This creates a mismatch between documentation and implementation.

Recommendation:

  • If this is intentional, update DEPLOY.md to reflect the new deployment branch
  • If unintentional, this should trigger on main branch instead
  • Consider whether you want automatic publishing on every push or prefer manual triggers/tags

2. Provenance Removal (SECURITY)

- run: npm publish --access=public

The --provenance flag was removed from the publish command. NPM provenance provides:

  • Cryptographic proof of package origin
  • Build transparency
  • Supply chain security

Questions:

  • Was provenance causing the publishing issues?
  • What specific error occurred?
  • The workflow still maintains id-token: write permission (line 9) which is specifically for provenance

Recommendation: If provenance was causing issues, document the specific error. Consider re-enabling it once the underlying issue is resolved, as it's a security best practice.

3. Global npm Installation

- name: Update npm for OIDC support
  run: npm install -g npm@latest

Installing npm@latest globally:

  • May introduce unpredictable breaking changes
  • Could cause different behavior between runs
  • The step name mentions "OIDC support" but OIDC is used for provenance (which was removed)

Recommendation:

  • Pin to a specific npm version (e.g., npm@10.x) for reproducible builds
  • Remove or clarify this step if provenance is no longer being used

Performance Considerations

✅ No significant performance concerns. The Node.js 22 upgrade may provide minor performance improvements.

Security Concerns

🔴 Medium Risk Items

  1. Reduced Supply Chain Security: Removing --provenance reduces transparency about package origins
  2. Unpinned npm version: Using npm@latest could introduce supply chain vulnerabilities if a compromised version is released
  3. Branch confusion: If the workflow triggers on wrong branch, unauthorized publishes could occur

Recommendations

  1. Consider using release tags instead of branch pushes:

    on:
      push:
        tags:
          - 'v*'

    This provides better control over when packages are published.

  2. Add approval requirement: Since you're using environment: production, configure branch protection or environment protection rules in GitHub Settings.

  3. Consider adding a manual approval step for production publishes.

Test Coverage

⚠️ Not Applicable: This PR only modifies CI/CD configuration. However, the workflow itself still runs tests before publishing, which is good.

Questions for the Author

  1. What specific publishing issue was this PR intended to fix?
  2. Why was the provenance flag removed? What error occurred?
  3. Is the branch change from main to npm-publish intentional?
  4. Have you tested this workflow in a non-production environment?
  5. Why is the npm update step needed if provenance is removed?

Overall Assessment

Status: ⚠️ Needs Discussion

While the changes may fix immediate publishing issues, they introduce configuration inconsistencies and reduce security posture. Before merging or if already merged, please:

  1. Update DEPLOY.md to match the actual deployment branch
  2. Document what specific issue this PR fixed
  3. Consider pinning the npm version
  4. Investigate re-enabling provenance if possible
  5. Consider using tag-based releases for better control

Review generated with attention to security, documentation consistency, and best practices.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant