Pull request overview
This PR updates the publish workflow to use npm's native OIDC authentication instead of the JS-DevTools npm-publish action with a manual token. The repository URL is also updated to reflect the organization name change from "solid" to "SolidOS".
Changes:
- Repository URL updated from solid/folder-pane to SolidOS/folder-pane
- Workflow permissions moved from global to job-level with OIDC support
- npm publish process migrated from JS-DevTools action to native npm CLI with OIDC authentication
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| package.json | Updates repository URL to reflect SolidOS organization |
| .github/workflows/ci.yml | Migrates publish jobs to use OIDC authentication with npm CLI and adjusts permissions to job-level scope |
| if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' | ||
| with: | ||
| token: ${{ secrets.NPM_TOKEN }} | ||
| tag: ${{ env.GITHUB_REF_SLUG }} | ||
| run: npm publish --tag ${{ env.GITHUB_REF_SLUG }} |
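Review bot: On the `run:` line, `${{ env.GITHUB_REF_SLUG }}` is substituted into the script text before the shell starts, so whatever that variable holds is parsed as shell source rather than passed as data. The value is already an environment variable, so let the shell read it and quote it: `run: npm publish --tag "$GITHUB_REF_SLUG"`. That keeps the dist-tag a single argument regardless of its contents.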
The publish command should include the --provenance flag to enable package provenance when using OIDC authentication. This provides transparency about where and how the package was built.
| if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' | ||
| with: | ||
| token: ${{ secrets.NPM_TOKEN }} | ||
| tag: latest | ||
| run: npm publish --tag latest |
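Review bot: With `token: ${{ secrets.NPM_TOKEN }}` no longer passed to this step, the `NPM_TOKEN` secret becomes an unused long-lived credential that can still publish under `latest`. Once a publish through the new `run: npm publish --tag latest` step has been confirmed, revoke that token on the registry and delete the repository secret, so the OIDC path is the only way to release.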
The publish command should include the --provenance flag to enable package provenance when using OIDC authentication. This provides transparency about where and how the package was built.
| with: | ||
| token: ${{ secrets.NPM_TOKEN }} | ||
| tag: ${{ env.GITHUB_REF_SLUG }} | ||
| run: npm publish --tag ${{ env.GITHUB_REF_SLUG }} |
The npm publish command lacks the --access flag. If this is a scoped package or if access level needs to be explicitly controlled, specify either --access public or --access restricted to avoid publish failures or unintended access settings.
| with: | ||
| token: ${{ secrets.NPM_TOKEN }} | ||
| tag: latest | ||
| run: npm publish --tag latest |
The npm publish command lacks the --access flag. If this is a scoped package or if access level needs to be explicitly controlled, specify either --access public or --access restricted to avoid publish failures or unintended access settings.