feat: add reusable npm package publish workflow #35
Note: Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1c5e9c12b7
| bun-version: ${{ inputs.bun-version }} | ||
|
|
||
| - name: Set up npm | ||
| run: npm install --global "npm@${{ inputs.npm-version }}" |
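Review bot: the `run:` line of the "Set up npm" step expands `${{ inputs.npm-version }}` directly into the script text, so the caller-supplied value is parsed by the shell as part of the command rather than treated as data. Since this is a reusable workflow, pass the input through the step environment instead, for example `env: NPM_VERSION: ${{ inputs.npm-version }}` with `run: npm install --global "npm@${NPM_VERSION}"`, and consider rejecting values that are not a plain version string before the install runs.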
Clear setup-node's placeholder token before npm commands
When this workflow runs without a real NODE_AUTH_TOKEN, the preceding pinned actions/setup-node@v6 writes an npmrc auth line reading from NODE_AUTH_TOKEN and exports the placeholder XXXXX-XXXXX-XXXXX-XXXXX; npm then sends that invalid bearer token even for public registry reads, so this npm install --global npm@... step fails with 403 before the hardened publish action gets a chance to neutralize the placeholder. This affects the normal trusted-publishing path where no legacy npm token is provided; clear/override NODE_AUTH_TOKEN before any npm command after setup-node.
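The failure mode described in the review comment above, written as a guard that could run right after setup-node and before the first npm command. This is an added example, not code from the PR or from the hardened publish action; the helper names and the npmrc line shape (`_authToken=${NODE_AUTH_TOKEN}`) are assumptions based on the comment's description.

```shell
#!/bin/sh
# Added example (not the PR's code). Placeholder value as quoted in the review.
PLACEHOLDER_TOKEN='XXXXX-XXXXX-XXXXX-XXXXX'

# token_is_real VALUE: succeeds only for a non-empty, non-placeholder token.
token_is_real() {
  [ -n "${1:-}" ] && [ "$1" != "$PLACEHOLDER_TOKEN" ]
}

# neutralize_npmrc FILE TOKEN (hypothetical helper name).
# When TOKEN is empty or the placeholder, rewrite FILE without any _authToken
# line that reads from NODE_AUTH_TOKEN, so npm sends no bearer token on
# registry reads. Prints "stripped" if it changed FILE, otherwise "kept".
neutralize_npmrc() {
  nn_file="$1"; nn_token="${2:-}"
  if token_is_real "$nn_token" || [ ! -f "$nn_file" ]; then
    echo kept; return 0
  fi
  nn_tmp="$(mktemp)"
  # grep -v exits 1 when nothing is left to print; that is not an error here.
  grep -v -E ':_authToken=[$][{]NODE_AUTH_TOKEN[}][[:space:]]*$' \
    "$nn_file" > "$nn_tmp" || true
  if cmp -s "$nn_file" "$nn_tmp"; then
    echo kept
  else
    cat "$nn_tmp" > "$nn_file"; echo stripped
  fi
  rm -f "$nn_tmp"
}

# Constructed sample npmrc in the shape the review comment describes.
sample="$(mktemp)"
printf '%s\n' 'registry=https://registry.npmjs.org/' \
  '//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}' > "$sample"
neutralize_npmrc "$sample" "$PLACEHOLDER_TOKEN"   # no real token supplied
cat "$sample"                                     # only the registry= line remains
rm -f "$sample"
```

In a workflow step this would be called with the npmrc path npm is configured to read and `"$NODE_AUTH_TOKEN"`; a real legacy token leaves the file untouched.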
Adds a reusable npm package publishing workflow for stella package repositories.

The workflow:
- installs pinned Node, npm, and Bun versions
- runs standard package checks
- packs configured package directories into tarballs
- publishes through the existing hardened OIDC npm publish action

Caller workflows keep the package-specific directory list and grant id-token permissions.