gha: update publish-to-npm (using OIDC now) #158
Conversation
✅ Deploy Preview for docs-extensions-and-macros ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
Important Review skippedAuto incremental reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the You can disable this status message by setting the Note Other AI code review bot(s) detectedCodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review. 📝 WalkthroughWalkthroughThe GitHub Actions workflow for publishing to npm has been updated to use newer action versions (checkout@v5 and setup-node@v5) and modified to remove AWS Secrets Manager retrieval and explicit npm token passing to the publish step. This change aligns with moving away from classic npm tokens toward trusted publishing mechanisms, addressing security token lifecycle requirements. Estimated code review effort🎯 1 (Trivial) | ⏱️ ~5 minutes
Pre-merge checks and finishing touches✅ Passed checks (5 passed)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Pull request overview
This PR updates the npm publish workflow to use OIDC authentication instead of token-based authentication, addressing DEVPROD-3689. The changes modernize the GitHub Actions versions and remove the explicit token parameter, relying on OIDC credentials configured externally.
Key Changes:
- Updated GitHub Actions from v4 to v5 for checkout and setup-node
- Removed explicit NPM_TOKEN parameter from npm-publish action to use OIDC authentication
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
clee
force-pushed
the
DEVPROD-3689-remove-npm-token
branch
from
d527d22 to
7052878
Compare
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/workflows/publish-to-npm.yaml (1)
14-17: Remove unnecessary AWS credentials configuration from publish job.The AWS credentials configuration in the publish job appears redundant now that npm authentication has migrated to OIDC. This AWS role assumption was previously needed to retrieve the npm token from AWS Secrets Manager, but that step has been removed. Consider removing lines 14-17 to streamline the workflow and reduce unnecessary AWS API calls.
Note: The AWS configuration in the dispatch job (lines 36-39) is still needed to retrieve the GitHub Actions bot token.
- uses: aws-actions/configure-aws-credentials@v4 with: aws-region: ${{ vars.RP_AWS_CRED_REGION }} role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }} - - uses: actions/checkout@v5 + - uses: actions/checkout@v5
📜 Review details
Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro
Disabled knowledge base sources:
- Jira integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (1)
.github/workflows/publish-to-npm.yaml(1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
- GitHub Check: test-property-extractor (3.11)
- GitHub Check: test-property-extractor (3.9)
clee
force-pushed
the
DEVPROD-3689-remove-npm-token
branch
from
7052878 to
9d12f3f
Compare
Should fix DEVPROD-3689, as I've already set up the OIDC link on the NPMJS side.