Add npm publish workflow with OIDC trusted publishing#8

Open
devm33 wants to merge 2 commits into main from devm33/add-publish-workflow

Conversation

@devm33 devm33 commented Apr 3, 2026

Adds a workflow_dispatch workflow (.github/workflows/publish.yml) for publishing to npm.

Features

  • Version input: Accepts version_type (major/minor/patch, default patch)
  • Auto-versioning: Determines next version from the latest npm-published version
  • OIDC publishing: Uses trusted publishing — no npm tokens needed (requires npm-publish environment + trusted publisher config on npmjs.com)
  • GitHub release: Creates a release with auto-generated notes (using --notes-start-tag from previous release) and attaches the npm tarball
  • Observability: Pipes npm publish and gh release create output to $GITHUB_STEP_SUMMARY; key version info written progressively
  • Security: Uses environment variables to avoid script injection from workflow inputs

Adds a workflow_dispatch workflow (.github/workflows/publish.yml) that:
- Accepts version_type input (major/minor/patch, default patch)
- Determines next version from the latest npm-published version
- Publishes to npm using OIDC trusted publishing (no tokens needed)
- Creates a GitHub release with auto-generated notes and npm tarball
- Pipes command output to GITHUB_STEP_SUMMARY for visibility
- Hardens against script injection using environment variables

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Copilot AI review requested due to automatic review settings April 3, 2026 23:59
@devm33 devm33 requested a review from a team as a code owner April 3, 2026 23:59

Copilot AI left a comment


Pull request overview

Adds a manually triggered GitHub Actions workflow to publish the package to npm using OIDC trusted publishing, and to create a corresponding GitHub Release with generated notes and the npm tarball attached.

Changes:

  • Introduces a workflow_dispatch publish workflow with a version_type (major/minor/patch) input.
  • Computes the next version from the latest npm-published version, builds the package, packs, and publishes to npm.
  • Creates a GitHub Release with autogenerated notes (optionally starting from the previous release tag) and attaches the packed tarball.
Summary per file:

  • .github/workflows/publish.yml: New workflow to compute a next version, publish to npm via OIDC, and create a GitHub Release with notes and the tarball asset.

Copilot's findings

  • Files reviewed: 1/1 changed files
  • Comments generated: 7

- Use semver package for robust version incrementing
- Filter out drafts and pre-releases when finding previous tag
- Add concurrency guard to prevent publish races
- Enable npm caching in setup-node

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
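As an added example that is not the PR's own publish.yml, the following workflow shows the pattern the description and the review findings above describe together: OIDC trusted publishing with no npm token in the repository, the workflow_dispatch input passed through env instead of being interpolated into the script, a concurrency guard, and a semver-based version bump from the latest published version. It assumes the package has a package-lock.json and a build script, and that an npm-publish environment is configured as the trusted publisher on npmjs.com; the step names and the summary wording are my own.

```yaml
# Added example (not the PR's own publish.yml): OIDC trusted publishing with the untrusted input kept out of shell text.
name: publish
on:
  workflow_dispatch:
    inputs:
      version_type:
        description: semver bump to apply
        type: choice
        options: [major, minor, patch]
        default: patch
# One publish at a time, and never cancel an in-flight publish.
concurrency:
  group: npm-publish
  cancel-in-progress: false
permissions:
  contents: write # needed by gh release create
  id-token: write # lets the runner mint the OIDC token npm exchanges for publish rights
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-publish # must match the trusted publisher config on npmjs.com
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest # trusted publishing needs npm >= 11.5.1
      - name: Compute next version
        # Unsafe form:  run: npx semver ... -i ${{ inputs.version_type }}
        # (the expression is substituted into the script before the shell runs it).
        # Passing the input through env means the shell only sees a quoted variable.
        env:
          VERSION_TYPE: ${{ inputs.version_type }}
        run: |
          case "$VERSION_TYPE" in major|minor|patch) ;; *) echo "bad version_type" >&2; exit 1 ;; esac
          PKG=$(node -p "require('./package.json').name")
          CURRENT=$(npm view "$PKG" version)
          NEXT=$(npx --yes semver "$CURRENT" -i "$VERSION_TYPE")
          echo "NEXT=$NEXT" >> "$GITHUB_ENV"
          echo "Publishing $PKG $CURRENT -> $NEXT" >> "$GITHUB_STEP_SUMMARY"
      - run: npm ci && npm run build
      - run: npm version "$NEXT" --no-git-tag-version && npm pack
      # No NODE_AUTH_TOKEN or NPM_TOKEN anywhere: npm authenticates with the OIDC token.
      # pipefail so a failed publish still fails the step despite the tee.
      - run: set -o pipefail; npm publish --access public 2>&1 | tee -a "$GITHUB_STEP_SUMMARY"
      - run: gh release create "v$NEXT" ./*.tgz --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```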