Verify npm token before version bump #1347
✅ Deploy Preview for testcontainers-node ready!
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8ff8c1ea25
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if: ${{ github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && inputs.publish) }} | ||
| run: npm publish --ws |
Persist version bump before manual publish
When workflow_dispatch is run with publish: true, this step publishes after the local Update versions mutation, but the commit and push steps above are still guarded with github.event_name == 'release'. For a manual publish of a new version, npm receives package tarballs with updated package.json/lockfile/sonar metadata that are never recorded on main, leaving the repository behind the published artifacts and making the next release/rerun operate from stale version files. Either persist the bump for the manual publish path or require this path to run only when the selected ref already contains the version bump.
Force-pushed from 8ff8c1e to 81ba9d0
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 81ba9d00ee
| - name: Verify npm publish token | ||
| if: ${{ github.event_name == 'release' }} | ||
| run: | | ||
| if npm whoami > /dev/null 2>&1; then |
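Review bot: the guard on the "Verify npm publish token" step (if: ${{ github.event_name == 'release' }}) is narrower than the publish step's condition, which also fires for workflow_dispatch with inputs.publish, so a manual publish skips the token check entirely; reuse the same expression here, i.e. if: ${{ github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && inputs.publish) }}. Also note that a successful npm whoami shows only that the token authenticates, so this step should be treated as a fast-fail for a missing or expired token rather than as the gate that decides whether the version bump may be committed and pushed.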
Use a publish-permission check before pushing
For release runs where secrets.npm_token is a valid but non-publishing token, such as a read-only or wrong-scope granular npm token, npm whoami still authenticates successfully; I checked npm whoami --help, which only says it displays the npm username, and npm’s token docs distinguish read-only from read/write package permissions. In this workflow that means the job can still reach the guarded Git commit/Git push steps before npm publish --ws fails, leaving the version bump pushed without published packages, so this needs to verify actual publish access or move the mutation push after a publish-capable check.
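One ordering that addresses both review comments above: the same publish condition on every mutating step, the whoami fast-fail first, npm publish next, and the git commit/push of the bump only after publish has succeeded. This is an added illustration, not the workflow from this PR; the trigger block, the version input, the checkout/setup steps and the "Update versions" command are assumed, while the step names and secrets.npm_token come from the review comments.

```yaml
# Added illustration, not this PR's workflow. Assumed: the triggers, the
# "version" input, checkout/setup-node, and how "Update versions" bumps.
on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      publish:
        type: boolean
        default: false
      version:
        type: string

# One expression shared by every publish-only step, so the verify, publish
# and push guards cannot drift apart again.
env:
  SHOULD_PUBLISH: ${{ github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && inputs.publish) }}

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # only what the push of the version bump needs
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          registry-url: https://registry.npmjs.org
      - run: npm ci

      # Fast-fail on a missing/expired token. whoami proves authentication
      # only, not publish permission, so it must not gate the git push.
      - name: Verify npm publish token
        if: ${{ env.SHOULD_PUBLISH == 'true' }}
        run: npm whoami
        env:
          NODE_AUTH_TOKEN: ${{ secrets.npm_token }}

      - name: Update versions
        if: ${{ env.SHOULD_PUBLISH == 'true' }}
        run: npm version "${{ inputs.version || github.event.release.tag_name }}" --ws --no-git-tag-version

      - name: Publish
        if: ${{ env.SHOULD_PUBLISH == 'true' }}
        run: npm publish --ws
        env:
          NODE_AUTH_TOKEN: ${{ secrets.npm_token }}

      # Runs only if publish succeeded, so main never gets a bump that has
      # no matching packages on the registry.
      - name: Git commit and push
        if: ${{ env.SHOULD_PUBLISH == 'true' }}
        run: |
          git config user.name github-actions
          git config user.email github-actions@github.com
          git commit -am "chore: release ${{ inputs.version || github.event.release.tag_name }}"
          git push origin HEAD:main
```

If publish fails, the job stops before the push, so a rerun starts from the same clean main rather than from stale version files.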
Summary
Verification
- ruby -e 'require "yaml"; YAML.load_file(".github/workflows/npm-publish.yml"); puts "yaml ok"'
- git diff --check
Semver impact
Patch. This is release workflow-only maintenance and does not change package runtime behavior.