Move @epubknowledge/common from GitHub Packages to NPM#2
Conversation
|
Warning Review limit reached
Next review available in: 44 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (4)
📝 WalkthroughWalkthroughThe package release configuration now targets the public npm registry instead of GitHub Packages. CI uses ChangesPublic npm publishing
Estimated code review effort: 3 (Moderate) | ~20 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Test ReportTests — ✅ Passed
|
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (3)
.github/workflows/release-package.yml (2)
16-16: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winDisable credential persistence in checkout.
By default,
actions/checkoutpersists the GitHub token in the local git configuration. To prevent malicious scripts (e.g., during dependency installation or build steps) from exfiltrating or misusing this token, it is a security best practice to disable credential persistence unless specifically needed to push back to the repository.🔐 Proposed refactor
- - uses: actions/checkout@v4 + - uses: actions/checkout@v4 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release-package.yml at line 16, Update the actions/checkout@v4 step in the release workflow to disable credential persistence by setting its persist-credentials input to false, leaving the checkout behavior otherwise unchanged.Source: Linters/SAST tools
10-29: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick winAdopt npm provenance (trusted publishing) instead of long-lived secrets.
Currently, publishing relies on a long-lived
NPM_TOKENsecret. Using npm's trusted publishing (OIDC) is the recommended best practice. It eliminates the need to manage secret tokens and enables--provenancebadges for the package, improving supply chain security.🔐 Proposed refactor for trusted publishing
Update the workflow to request the
id-token: writepermission and use--provenance. (You will also need to link your GitHub repository to your npm package settings via the npm website).permissions: contents: read + id-token: write env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true steps: - uses: actions/checkout@v4 # Setup .npmrc file to publish to the public npm registry - uses: actions/setup-node@v4 with: node-version: '22.x' registry-url: 'https://registry.npmjs.org' scope: '`@epubknowledge`' - run: yarn install --frozen-lockfile - name: Run Vitest and capture results continue-on-error: true run: yarn test --reporter=json --outputFile=.test-results.json - name: Require 85% test pass rate run: node .github/scripts/verify-test-pass-rate.mjs .test-results.json 85 - - run: npm publish --access public + - run: npm publish --access public --provenanceNote: If you adopt this, remember to remove references to
NPM_TOKENfrom theREADME.mdpublishing documentation.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/release-package.yml around lines 10 - 29, Update the release workflow permissions to grant id-token: write, remove the NODE_AUTH_TOKEN reference to secrets.NPM_TOKEN, and change the npm publish step to use --provenance for npm trusted publishing. Also remove outdated NPM_TOKEN references from the publishing documentation.Source: Linters/SAST tools
docs/importing.md (1)
11-17: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick winPublishing step executed before completing readiness checklist.
The CI workflow
release-package.ymlhas been updated to executenpm publish --access publicin this PR. However, this checklist indicates that packaging checks and smoke tests (items#2and#3) should be implemented and verified before publishing a new version to npm.If the release workflow runs automatically on merges to the main branch or upon release creation, merging this PR could result in an untested package being published immediately. Consider implementing the remaining smoke tests before finalizing the migration, or ensure the publish step in CI is temporarily disabled until they are complete.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@docs/importing.md` around lines 11 - 17, Disable or remove the automatic npm publish step in the release-package.yml workflow until the packaging smoke test and consumer smoke test from the Remaining Checklist are implemented and verified. Preserve the publish command for re-enablement only after those checks pass, preventing untested packages from being published automatically.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/release-package.yml:
- Line 29: Update the release workflow step before npm publish to run the
package build and verification commands, ensuring compiled dist assets are
generated and validated before publication. Inspect the package scripts for the
established build and test/type-check commands, then preserve npm publish
--access public only after those steps succeed.
---
Nitpick comments:
In @.github/workflows/release-package.yml:
- Line 16: Update the actions/checkout@v4 step in the release workflow to
disable credential persistence by setting its persist-credentials input to
false, leaving the checkout behavior otherwise unchanged.
- Around line 10-29: Update the release workflow permissions to grant id-token:
write, remove the NODE_AUTH_TOKEN reference to secrets.NPM_TOKEN, and change the
npm publish step to use --provenance for npm trusted publishing. Also remove
outdated NPM_TOKEN references from the publishing documentation.
In `@docs/importing.md`:
- Around line 11-17: Disable or remove the automatic npm publish step in the
release-package.yml workflow until the packaging smoke test and consumer smoke
test from the Remaining Checklist are implemented and verified. Preserve the
publish command for re-enablement only after those checks pass, preventing
untested packages from being published automatically.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro Plus
Run ID: 754e1f76-a26d-4291-90c3-3eb765a9e0b7
📒 Files selected for processing (5)
.github/workflows/release-package.yml.npmrcREADME.mddocs/importing.mdpackage.json
💤 Files with no reviewable changes (1)
- .npmrc
|



Summary by CodeRabbit
New Features
Documentation