Skip to content

Move @epubknowledge/common from GitHub Packages to NPM#2

Merged
codingChewie merged 2 commits into
mainfrom
chore/remove-github-packages-auth
Jul 17, 2026
Merged

Move @epubknowledge/common from GitHub Packages to NPM#2
codingChewie merged 2 commits into
mainfrom
chore/remove-github-packages-auth

Conversation

@codingChewie

@codingChewie codingChewie commented Jul 17, 2026

Copy link
Copy Markdown
Member

Summary by CodeRabbit

  • New Features

    • The package is now published to the public npm registry.
    • Standard npm, pnpm, and Yarn installation workflows are supported without private registry configuration.
  • Documentation

    • Updated installation and publishing instructions for npm.
    • Added guidance for local and CI-based publishing, including required authentication setup.
    • Revised import readiness documentation to reflect public npm distribution.

@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@codingChewie, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 44 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 83dbf6a7-efb5-4820-990d-273d812b5418

📥 Commits

Reviewing files that changed from the base of the PR and between 1f1090f and 31b749f.

📒 Files selected for processing (4)
  • .github/workflows/release-package.yml
  • README.md
  • docs/importing.md
  • package.json
📝 Walkthrough

Walkthrough

The package release configuration now targets the public npm registry instead of GitHub Packages. CI uses NPM_TOKEN, package metadata points to npmjs.org, registry configuration is removed, and README/importing documentation describes npm installation and publishing.

Changes

Public npm publishing

Layer / File(s) Summary
Publishing configuration and CI
.github/workflows/release-package.yml, package.json, .npmrc
The package registry and release workflow now target npmjs.org, use NPM_TOKEN, and publish with npm publish --access public; the GitHub Packages registry entry is removed.
Installation and publishing documentation
README.md, docs/importing.md
Documentation now describes public npm installation, publishing prerequisites, CI token configuration, standard package-manager validation, and npm scope access checks.

Estimated code review effort: 3 (Moderate) | ~20 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: moving @epubknowledge/common from GitHub Packages to npm.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/remove-github-packages-auth

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

Copy link
Copy Markdown

Test Report

Tests — ✅ Passed

Metric Value
Pass rate 100.00% (min 85%)
Passed 207
Failed 0
Skipped/Pending 0
Todo 0
Runtime error suites 0

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (3)
.github/workflows/release-package.yml (2)

16-16: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Disable credential persistence in checkout.

By default, actions/checkout persists the GitHub token in the local git configuration. To prevent malicious scripts (e.g., during dependency installation or build steps) from exfiltrating or misusing this token, it is a security best practice to disable credential persistence unless specifically needed to push back to the repository.

🔐 Proposed refactor
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-package.yml at line 16, Update the
actions/checkout@v4 step in the release workflow to disable credential
persistence by setting its persist-credentials input to false, leaving the
checkout behavior otherwise unchanged.

Source: Linters/SAST tools


10-29: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Adopt npm provenance (trusted publishing) instead of long-lived secrets.

Currently, publishing relies on a long-lived NPM_TOKEN secret. Using npm's trusted publishing (OIDC) is the recommended best practice. It eliminates the need to manage secret tokens and enables --provenance badges for the package, improving supply chain security.

🔐 Proposed refactor for trusted publishing

Update the workflow to request the id-token: write permission and use --provenance. (You will also need to link your GitHub repository to your npm package settings via the npm website).

     permissions:
       contents: read
+      id-token: write
     env:
-      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
       FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
     steps:
       - uses: actions/checkout@v4
       # Setup .npmrc file to publish to the public npm registry
       - uses: actions/setup-node@v4
         with:
           node-version: '22.x'
           registry-url: 'https://registry.npmjs.org'
           scope: '`@epubknowledge`'
       - run: yarn install --frozen-lockfile
       - name: Run Vitest and capture results
         continue-on-error: true
         run: yarn test --reporter=json --outputFile=.test-results.json
       - name: Require 85% test pass rate
         run: node .github/scripts/verify-test-pass-rate.mjs .test-results.json 85
-      - run: npm publish --access public
+      - run: npm publish --access public --provenance

Note: If you adopt this, remember to remove references to NPM_TOKEN from the README.md publishing documentation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-package.yml around lines 10 - 29, Update the
release workflow permissions to grant id-token: write, remove the
NODE_AUTH_TOKEN reference to secrets.NPM_TOKEN, and change the npm publish step
to use --provenance for npm trusted publishing. Also remove outdated NPM_TOKEN
references from the publishing documentation.

Source: Linters/SAST tools

docs/importing.md (1)

11-17: 🩺 Stability & Availability | 🔵 Trivial | ⚡ Quick win

Publishing step executed before completing readiness checklist.

The CI workflow release-package.yml has been updated to execute npm publish --access public in this PR. However, this checklist indicates that packaging checks and smoke tests (items #2 and #3) should be implemented and verified before publishing a new version to npm.

If the release workflow runs automatically on merges to the main branch or upon release creation, merging this PR could result in an untested package being published immediately. Consider implementing the remaining smoke tests before finalizing the migration, or ensure the publish step in CI is temporarily disabled until they are complete.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/importing.md` around lines 11 - 17, Disable or remove the automatic npm
publish step in the release-package.yml workflow until the packaging smoke test
and consumer smoke test from the Remaining Checklist are implemented and
verified. Preserve the publish command for re-enablement only after those checks
pass, preventing untested packages from being published automatically.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-package.yml:
- Line 29: Update the release workflow step before npm publish to run the
package build and verification commands, ensuring compiled dist assets are
generated and validated before publication. Inspect the package scripts for the
established build and test/type-check commands, then preserve npm publish
--access public only after those steps succeed.

---

Nitpick comments:
In @.github/workflows/release-package.yml:
- Line 16: Update the actions/checkout@v4 step in the release workflow to
disable credential persistence by setting its persist-credentials input to
false, leaving the checkout behavior otherwise unchanged.
- Around line 10-29: Update the release workflow permissions to grant id-token:
write, remove the NODE_AUTH_TOKEN reference to secrets.NPM_TOKEN, and change the
npm publish step to use --provenance for npm trusted publishing. Also remove
outdated NPM_TOKEN references from the publishing documentation.

In `@docs/importing.md`:
- Around line 11-17: Disable or remove the automatic npm publish step in the
release-package.yml workflow until the packaging smoke test and consumer smoke
test from the Remaining Checklist are implemented and verified. Preserve the
publish command for re-enablement only after those checks pass, preventing
untested packages from being published automatically.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 754e1f76-a26d-4291-90c3-3eb765a9e0b7

📥 Commits

Reviewing files that changed from the base of the PR and between 77b499c and 1f1090f.

📒 Files selected for processing (5)
  • .github/workflows/release-package.yml
  • .npmrc
  • README.md
  • docs/importing.md
  • package.json
💤 Files with no reviewable changes (1)
  • .npmrc

Comment thread .github/workflows/release-package.yml Outdated
@sonarqubecloud

Copy link
Copy Markdown

@codingChewie
codingChewie merged commit 63bc398 into main Jul 17, 2026
3 checks passed
@codingChewie
codingChewie deleted the chore/remove-github-packages-auth branch July 17, 2026 17:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant