Pull request overview
This PR updates the CI/CD workflow configuration and corrects the repository URL. The changes modernize the npm publishing process by migrating from token-based authentication to OIDC (OpenID Connect) authentication, which is a more secure approach for publishing packages to npm.
Changes:
- Updated repository URL from `solid/source-pane` to `SolidOS/source-pane` in package.json
- Migrated npm publishing from the `JS-DevTools/npm-publish` action to native `npm publish` commands with OIDC authentication
- Moved permissions configuration from workflow level to job level for better security scoping
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Updated repository URL to reflect the correct GitHub organization |
| .github/workflows/ci.yml | Modernized CI workflow with OIDC-based npm publishing, refined permissions scope, and simplified node version matrix syntax |
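To make the three review points concrete (OIDC instead of a stored token, job-level permissions, plain `npm publish`), here is an added example of a publish job written for this review; it is not the PR's ci.yml and not the project's code. It assumes Node 22, a public package, and that the package's trusted publisher on npmjs.com has been configured for this repository and this exact workflow file name; the tag trigger and job name are placeholders.

```yaml
# Added example, not the repository's own ci.yml.
# Before (the pattern this PR replaces): a long-lived NPM_TOKEN secret handed to a
# third-party action, with permissions declared for the whole workflow:
#
#   permissions:
#     contents: write          # applied to every job, including ones that only run tests
#   ...
#       - uses: JS-DevTools/npm-publish@v3
#         with:
#           token: ${{ secrets.NPM_TOKEN }}
#           tag: latest
#
# After: no stored registry credential; the job mints a short-lived OIDC token and
# npm exchanges it for publish rights scoped to this workflow run.
name: ci
on:
  push:
    tags: ['v*']          # placeholder release trigger

# No workflow-level permissions block: each job declares only what it needs.
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read      # checkout only
      id-token: write     # required for npm trusted publishing (OIDC); nothing else needs it
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org   # writes the .npmrc npm uses; no NODE_AUTH_TOKEN is set
      # Trusted publishing needs a recent npm CLI; the npm bundled with Node 22 is older.
      - run: npm install -g npm@latest
      - run: npm ci
      # --provenance attaches a signed attestation tying the tarball to this repo, commit and workflow run.
      - run: npm publish --tag latest --provenance --access public
```

Two things worth checking after such a job lands: the `NPM_TOKEN` secret can be deleted from the repository so the long-lived credential no longer exists, and the workflow file must keep its name, because the trusted publisher binding on npmjs.com is to that filename.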
| with: | ||
| token: ${{ secrets.NPM_TOKEN }} | ||
| tag: ${{ env.GITHUB_REF_SLUG }} | ||
| run: npm publish --tag ${{ env.GITHUB_REF_SLUG }} |
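Review bot: removing `token: ${{ secrets.NPM_TOKEN }}` only works if the publishing job itself declares `permissions: id-token: write` (the description says permissions moved to job level, so confirm that key is present on this job, not just `contents`) and the npm CLI on the runner is new enough for trusted publishing; the npm bundled with older Node lines is not, so an `npm install -g npm@latest` step before `run: npm publish --tag ${{ env.GITHUB_REF_SLUG }}` avoids the step failing with an authentication error. Also, `${{ env.GITHUB_REF_SLUG }}` is expanded into the shell command before it runs; that is fine for a sanitized slug, so it is worth confirming that the variable is the slug and not a raw ref name.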
The npm publish command should use the --provenance flag to generate provenance attestations. This provides transparency about package origin and build process. Add --provenance to the publish command.
| with: | ||
| token: ${{ secrets.NPM_TOKEN }} | ||
| tag: latest | ||
| run: npm publish --tag latest |
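Review bot: with `token:` gone and `run: npm publish --tag latest` publishing under OIDC, make sure this step stays gated on the release condition only (a `latest` publish from a non-release branch is now just one permission away), and once this merges delete the unused `NPM_TOKEN` secret so the long-lived credential stops existing. Note that the trusted publisher entry on npmjs.com is bound to this workflow's file name, so renaming `.github/workflows/ci.yml` later will break publishing until the entry is updated.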
The npm publish command should use the --provenance flag to generate provenance attestations. This provides transparency about package origin and build process. Add --provenance to the publish command.
@PreciousOritsedere similarly to solid-ui you are going to need to update the branch protections here so that this will merge.
Could you guide me on what exactly needs to be updated in the branch protections for this and solid-ui as well?
I gave explanation in solid-ui look in You could try to add a Ruleset to |
@bourgeoa I have added the ruleset now. Thank you for pointing that out |
No description provided.