@islameldesoky95 islameldesoky95 commented Dec 4, 2025

User description

PR Type

Enhancement


Description

  • Update GitHub Actions workflow to use OIDC for npm publishing

  • Replace deprecated action versions with latest releases

  • Add granular npm token support with provenance

  • Simplify dependency installation and formatting


Diagram Walkthrough

flowchart LR
  A["release.yml workflow"] --> B["Add OIDC permissions"]
  A --> C["Update Actions to v4"]
  A --> D["Use npm publish provenance"]
  B --> E["id-token: write permission"]
  C --> F["checkout@v4, setup-node@v4"]
  D --> G["Granular npm token support"]

File Walkthrough

Relevant files
Configuration changes
release.yml
Update release workflow for OIDC npm publishing                   

.github/workflows/release.yml

  • Added OIDC permissions (id-token: write) for secure npm publishing
  • Updated GitHub Actions versions from v2 to v4 for checkout and
    setup-node
  • Replaced yarn install --frozen-lockfile with npm ci for consistency
  • Added --provenance flag to npm publish command for granular token
    support
  • Removed unused NODE_JS_VERSION environment variable declaration
  • Simplified YAML formatting and removed unnecessary blank lines
+9/-13   


CodeAnt-AI Description

Use OIDC-based npm publishing with provenance and update release workflow

What Changed

  • Release workflow now requests GitHub OIDC id-token permission and publishes to npm with provenance, enabling use of granular npm tokens for release publishing
  • Updated Actions to checkout@v4 and setup-node@v4 and set workflow permissions (contents: read, id-token: write)
  • Switched dependency install to npm ci and removed legacy install commands for more reproducible release installs

Impact

✅ OIDC-based npm publishing
✅ Granular npm tokens for releases
✅ Reproducible release installs

💡 Usage Guide

Checking Your Pull Request

Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.

Talking to CodeAnt AI

Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:

@codeant-ai ask: Your question here

This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.

Example

@codeant-ai ask: Can you suggest a safer alternative to storing this secret?

Preserve Org Learnings with CodeAnt

You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:

@codeant-ai: Your feedback here

This helps CodeAnt AI learn and adapt to your team's coding style and standards.

Example

@codeant-ai: Do not flag unused imports.

Retrigger review

Ask CodeAnt AI to review the PR again, by typing:

@codeant-ai: review

Check Your Repository Health

To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.

Summary by CodeRabbit

  • Chores
    • Updated CI workflow to use newer action versions for improved compatibility.
    • Migrated pipeline package management from yarn to npm.
    • Enabled provenance tracking on release publication for added security and transparency.
    • Adjusted workflow permissions and normalized release trigger configuration for more reliable releases.


codeant-ai bot commented Dec 4, 2025

CodeAnt AI is reviewing your PR.



coderabbitai bot commented Dec 4, 2025

Walkthrough

The pull request updates the GitHub Actions release workflow: upgrades action versions to v4, adds workflow permissions (contents and id-token), normalizes trigger syntax, and replaces yarn steps with npm equivalents (adds npm ci, adjusts prepare/publish steps and adds --provenance).

Changes

Cohort / File(s): GitHub Actions Workflow Configuration (.github/workflows/release.yml)
Summary: Upgrades action versions from v2 → v4; adds permissions block (contents, id-token); normalizes release trigger syntax; swaps yarn commands for npm equivalents (npm ci, adjusts prepare/publish) and adds --provenance to publish; minor env/comment and formatting adjustments.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

  • Single CI workflow file changed; primarily version and tooling substitutions.
  • Review focus:
    • Confirm v4 action compatibility and required inputs/outputs.
    • Verify npm steps mirror previous yarn behavior and --provenance usage.
    • Validate added permissions scope is appropriate.

Poem

🐰
A workflow hopped from v2 to v4,
npm replaced yarn upon the floor.
Tokens ready, provenance in tow,
Releases hum and softly go.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately reflects the main objective of the PR: updating the release workflow to support npm granular access tokens via OIDC and provenance.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 70e3539 and 284cb0c.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/release.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: test-android
  • GitHub Check: test-ios


qodo-code-review bot commented Dec 4, 2025

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Unpinned runtime version

Description: The workflow references node-version: ${{ env.NODE_JS_VERSION }} but the PR removes the
env definition, which can cause the action to resolve to latest Node, potentially breaking
supply-chain reproducibility and provenance verification; explicitly pin a Node
major/minor version or reintroduce a controlled env to avoid unexpected runtime changes.
release.yml [15-21]

Referred Code
    node-version: ${{ env.NODE_JS_VERSION }}
    registry-url: 'https://registry.npmjs.org'
- run: npm ci
- run: yarn prepare
- run: npm publish --access public --provenance
  env:
    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # Granular token
Risky script execution

Description: Running yarn prepare after npm ci mixes package managers in the same workspace, which can
execute arbitrary scripts from the repository or dependencies and increase the attack
surface during a release; disable lifecycle scripts or ensure prepare is required and
safe, or use a single, vetted package manager.
release.yml [18-19]

Referred Code
- run: yarn prepare
- run: npm publish --access public --provenance
Excess OIDC permissions

Description: The job grants id-token: write for OIDC but does not scope permissions at the job or step
level beyond contents: read; verify least-privilege by moving OIDC to only the step
requiring it and ensuring no other steps can use the token to request unintended federated
credentials.
release.yml [8-11]

Referred Code
permissions:
  contents: read
  id-token: write  # Required for OIDC
steps:
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
No audit logs: The workflow changes do not introduce or modify any application logging for critical
actions, and it's unclear whether audit trails are handled elsewhere in the system.

Referred Code
name: release
on:
  release:
    types: [created]
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # Required for OIDC
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_JS_VERSION }}
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: yarn prepare
      - run: npm publish --access public --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # Granular token


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Missing retries: The workflow steps (install, prepare, publish) lack explicit error handling or
retry/fallback logic, which may be acceptable in CI but cannot be confirmed from the diff.

Referred Code
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
  with:
    node-version: ${{ env.NODE_JS_VERSION }}
    registry-url: 'https://registry.npmjs.org'
- run: npm ci
- run: yarn prepare
- run: npm publish --access public --provenance
  env:
    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # Granular token


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Secret handling: Although a granular npm token and OIDC permissions are used, the workflow still exports
NODE_AUTH_TOKEN to the environment; confirm least-privilege scope and that logs do not
echo the token.

Referred Code
env:
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # Granular token


Compliance status legend 🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label
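A small policy check for the three workflow weaknesses the compliance report above calls out (an env reference with no definition, npm and yarn mixed in one job, and a --provenance publish without id-token: write), added here as an example and not part of the PR or of any of the review tools. The sample workflow is reconstructed from the release.yml quoted in the comments, and the regex-based parsing is a deliberate simplification of proper YAML parsing.

```python
"""Lint a GitHub Actions workflow for the three release-pipeline problems the
review bots flagged on this PR: an env reference with no definition, npm and
yarn mixed in one job, and a --provenance publish without id-token: write.
Stdlib-only and regex-based so it runs offline (added example, not project code)."""
import re

# Constructed sample: the post-PR release.yml as quoted in the review comments.
SAMPLE_WORKFLOW = """\
name: release
on:
  release:
    types: [created]
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # Required for OIDC
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_JS_VERSION }}
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: yarn prepare
      - run: npm publish --access public --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # Granular token
"""

ENV_REF = re.compile(r"\$\{\{\s*env\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")
RUN_STEP = re.compile(r"^\s*-\s*run:\s*(.+?)[ \t]*$", re.M)


def defined_env_names(text):
    """Keys declared under any 'env:' mapping (workflow, job or step level)."""
    names = set()
    lines = text.splitlines()
    for i, line in enumerate(lines):
        block = re.match(r"^(\s*)env:\s*$", line)
        if not block:
            continue
        base = len(block.group(1))
        for nxt in lines[i + 1:]:
            if not nxt.strip():
                continue
            if len(nxt) - len(nxt.lstrip()) <= base:
                break  # dedented past the env: key, so the mapping has ended
            key = re.match(r"\s*([A-Za-z_][A-Za-z0-9_]*):", nxt)
            if key:
                names.add(key.group(1))
    return names


def lint_workflow(text):
    """Return sorted finding codes for the workflow text; [] means clean."""
    findings = []
    defined = defined_env_names(text)
    for name in sorted(set(ENV_REF.findall(text))):
        if name not in defined:  # expands to '' at runtime, e.g. node-version
            findings.append(f"undefined-env:{name}")
    commands = [c.strip() for c in RUN_STEP.findall(text)]
    managers = {c.split()[0] for c in commands if c and c.split()[0] in ("npm", "yarn")}
    if len(managers) > 1:
        findings.append("mixed-package-managers")
    oidc = re.search(r"^\s*id-token:\s*write\b", text, re.M)
    if any("--provenance" in c for c in commands) and not oidc:
        findings.append("provenance-without-id-token")
    return sorted(findings)


if __name__ == "__main__":
    print(lint_workflow(SAMPLE_WORKFLOW))
```

Run against the PR's workflow it reports the undefined NODE_JS_VERSION reference and the npm/yarn mix, and stays silent once the env block is restored and prepare is run through npm.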

qodo-code-review bot commented Dec 4, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Fix undefined Node.js version reference

The setup-node action references env.NODE_JS_VERSION, but the top-level env
block defining it has been removed. Hardcode the Node.js version (e.g., '20.x')
to prevent workflow failure.

.github/workflows/release.yml [13-16]

 - uses: actions/setup-node@v4
   with:
-    node-version: ${{ env.NODE_JS_VERSION }}
+    node-version: '20.x'
     registry-url: 'https://registry.npmjs.org'
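Review bot: '20.x' is a floating range, so this suggestion fixes the failure but loosens the pin the workflow previously had; the comments further down in this thread show the removed block was env: NODE_JS_VERSION: 20.19.5, so restoring that exact value (or writing node-version: '20.19.5') keeps the Node and npm versions that produce the --provenance attestation deterministic, whereas '20.x' resolves to whatever 20.x build the runner fetches at release time.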
Suggestion importance[1-10]: 10


Why: The suggestion correctly identifies a critical issue where NODE_JS_VERSION is referenced after its definition was removed, which would cause the release workflow to fail.

High

@codeant-ai codeant-ai bot added the size:XS This PR changes 0-9 lines, ignoring generated files label Dec 4, 2025
codeant-ai bot commented Dec 4, 2025

CodeAnt AI finished reviewing your PR.

pantoaibot bot commented Dec 4, 2025

PR Summary:

Summary: Update release GitHub Action to use newer actions, grant OIDC permission, switch to npm-based CI/publish, and mark the NPM token as a granular token.

Changes:

  • Workflow metadata
    • Minor reformatting of the release event types line.
  • Permissions
    • Added job-level permissions: contents: read and id-token: write (for OIDC).
  • Actions upgraded
    • actions/checkout@v2 -> actions/checkout@v4
    • actions/setup-node@v2 -> actions/setup-node@v4
  • Node/npm setup and install
    • Removed explicit NODE_JS_VERSION env block (env variable reference remains in setup-node).
    • Replaced yarn install with npm ci.
    • Kept yarn prepare step.
  • Publish behavior
    • npm publish now uses --provenance.
    • NODE_AUTH_TOKEN still sourced from secrets.NPM_TOKEN, annotated as a granular token.
  • Potential breaking/attention items
    • NODE_JS_VERSION environment variable declaration was removed — ensure the referenced env var is defined elsewhere or restore it.
    • Switching from yarn install to npm ci and adding --provenance may change CI behavior and require appropriate npm/node versions and lockfile compatibility.

Reviewed by Panto AI

- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: ${{ env.NODE_JS_VERSION }}

[CRITICAL_BUG] The step uses node-version: ${{ env.NODE_JS_VERSION }} but the global env: NODE_JS_VERSION was removed in this change. This will make actions/setup-node receive an empty/undefined value and likely fail. Restore the env block (env: NODE_JS_VERSION: 20.19.5) at the top of the workflow or replace the reference with a concrete value (e.g. node-version: '20.19.5') so the runner has a deterministic Node version.

name: release

env:
  NODE_JS_VERSION: 20.19.5

on:
  release:
    types: [created]

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write  # Required for OIDC
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_JS_VERSION }}
          registry-url: 'https://registry.npmjs.org'

      - run: npm ci
      - run: yarn prepare
      - run: npm publish --access public --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # Granular token

Comment on lines +17 to 18
- run: npm ci
- run: yarn prepare

[REFACTORING] This workflow mixes package managers: it runs npm ci (line 17) then yarn prepare (line 18). Mixing npm and yarn can cause inconsistent dependency resolution (different lockfiles, caches). Choose one install strategy and keep steps consistent: either run npm ci && npm run prepare (if prepare script exists) or use yarn install --frozen-lockfile && yarn prepare. Also align with other workflows (ci.yml uses yarn install) to avoid environment drift.

      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_JS_VERSION }}
          registry-url: 'https://registry.npmjs.org'

      - run: yarn install --frozen-lockfile
      - run: yarn prepare
      - run: npm publish --access public --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # Granular token

pantoaibot bot commented Dec 4, 2025

Reviewed up to commit: 70e3539b532439fa6c270476fc75c617779ad828

Additional Suggestion
.github/workflows/release.yml, line:19 You added --provenance to npm publish. Ensure the Node/npm version provided by actions/setup-node supports the --provenance flag (npm versions vary by Node). If you keep the env var removal, the node/npm version may change unexpectedly. Either pin a supported Node version or remove the flag if the runner's npm doesn't support it.
      - uses: actions/setup-node@v4
        with:
          node-version: 20.19.5
          registry-url: 'https://registry.npmjs.org'

      - run: npm ci
      - run: yarn prepare
      - run: npm publish --access public --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # Granular token
.github/workflows/release.yml, line:8-10 You added a job-level permissions block (contents: read, id-token: write). Confirm these are the least privileges required: id-token: write is needed only when using OIDC flows; if you are not using OIDC in this workflow you can remove it. If the intention is to use OIDC for publishing, add the corresponding OIDC auth step and documentation. Also consider placing permissions at workflow-level if they are intended to apply to all jobs.
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # id-token: write  # Enable only if using OIDC for npm publishing
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: ${{ env.NODE_JS_VERSION }}
          registry-url: 'https://registry.npmjs.org'

      - run: npm ci
      - run: yarn prepare
      - run: npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # Granular token

Reviewed by Panto AI


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4bfd885 and 70e3539.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: test-ios
  • GitHub Check: test-android
🔇 Additional comments (1)
.github/workflows/release.yml (1)

8-10: Permissions and action upgrades look solid.

Adding id-token: write permission is required for OIDC support, which is necessary for the --provenance flag in npm v9.5+. The action version upgrades to v4 are current and recommended.

Also applies to: 12-13

Comment on lines +17 to +19
- run: npm ci
- run: yarn prepare
- run: npm ci --legacy-peer-deps
- run: npm publish --access public
- run: npm publish --access public --provenance

⚠️ Potential issue | 🔴 Critical

Inconsistent package manager: yarn used alongside npm in workflow.

Line 17 switches to npm ci, but line 18 still uses yarn prepare. If yarn is not available in the CI environment, this step will fail. Either:

  1. Switch line 18 to npm run prepare (if prepare is defined in package.json scripts)
  2. Or keep yarn installed and update line 17 to use yarn install --frozen-lockfile

This is likely an incomplete migration from yarn to npm.

Apply one of the following fixes:

Option 1: Replace yarn with npm equivalent (recommended)

  - run: npm ci
- - run: yarn prepare
+ - run: npm run prepare
  - run: npm publish --access public --provenance
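Review bot: npm run prepare exits non-zero when package.json declares no prepare script, so the "if prepare is defined" condition in the comment has to be verified before this option is applied; and if prepare is a lifecycle script there, note that npm already runs prepare as part of npm publish, so this explicit step would then do the same work twice.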

Option 2: Revert to yarn-based approach

- - run: npm ci
+ - run: yarn install --frozen-lockfile
  - run: yarn prepare
  - run: npm publish --access public --provenance
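Review bot: this option still leaves two package managers in the job, because the publish step has to stay on npm for --provenance; the "yarn not available" risk the comment raises is therefore only moved to the install step, not removed, and both tools' versions now need pinning for the release to be reproducible. Option 1 is the cleaner fix unless yarn is the project standard, as the earlier comment notes ci.yml uses yarn install.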

@islameldesoky95 islameldesoky95 merged commit e9a386b into master Dec 5, 2025
4 checks passed

Labels

Review effort 2/5 size:XS This PR changes 0-9 lines, ignoring generated files
