Conversation

@phillipc phillipc commented Dec 23, 2025

Here is the first iteration of a GitHub action release workflow based on a tag.

@brianmhunt, we need to configure a trusted publisher in the TKO organization. See https://docs.npmjs.com/trusted-publishers.

Furthermore, I see the following release steps:

  1. Manually run the "make bump" command and set the version.
  2. We push and tag this.
  3. The GitHub action runs and publishes.

Summary by CodeRabbit

  • Chores
    • Added a new automated workflow that runs on tag pushes and executes environment setup, install, build, test, and publish steps to streamline release publication.

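The release procedure in the description is "make bump", then push and tag, then the action publishes. The step that ties those together is a check that the pushed tag actually names the version the bump wrote; without it any v* tag would start a publish run. The script below is an added example, not part of this PR or the tko repository: it reads the version from a package.json-style manifest with sed (no jq dependency), compares it with the tag, and fails the job on mismatch. The manifest it creates is constructed for the demo; in the workflow the first argument would be GITHUB_REF and the second lerna.json or a package's package.json.

```shell
#!/bin/sh
# Added example (not the PR's code): refuse to publish unless the pushed tag
# names the same version that "make bump" wrote into the manifest.

# refs/tags/v4.1.0 or v4.1.0 -> 4.1.0
tag_to_version() {
  printf '%s\n' "$1" | sed -e 's#^refs/tags/##' -e 's/^v//'
}

# Read the "version" field of a package.json-style file without jq.
manifest_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when tag and manifest agree, 1 otherwise; the reason goes to
# stderr so the Actions log shows why the job stopped.
assert_tag_matches() {
  ref="$1"
  file="$2"
  want=$(tag_to_version "$ref")
  have=$(manifest_version "$file")
  if [ -z "$have" ]; then
    echo "no version field in $file" >&2
    return 1
  fi
  if [ "$want" != "$have" ]; then
    echo "tag $ref names $want but $file is at $have; refusing to publish" >&2
    return 1
  fi
  echo "tag $ref matches $file ($have)"
}

# Demo on a constructed manifest. In the workflow: assert_tag_matches
# "$GITHUB_REF" lerna.json (or packages/<name>/package.json).
demo_dir=$(mktemp -d)
cat > "$demo_dir/package.json" <<'EOF'
{
  "name": "@example/demo",
  "version": "4.1.0",
  "private": false
}
EOF
assert_tag_matches refs/tags/v4.1.0 "$demo_dir/package.json"
if assert_tag_matches refs/tags/v4.2.0 "$demo_dir/package.json" 2>/dev/null; then
  echo "unexpected: mismatching tag was accepted"
fi
rm -r "$demo_dir"
```

Placed as a step before "make link", this makes the tag push the only thing that can start a release and a correct bump the only thing that lets it finish.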

coderabbitai bot commented Dec 23, 2025

📝 Walkthrough

Walkthrough

Adds a GitHub Actions workflow that runs on tag pushes matching v*; it checks out code, sets up Node.js, installs dependencies, runs build and headless tests via make, links artifacts, and publishes packages with lerna using OIDC authentication.

Changes

  • CI/CD Workflow: /.github/workflows/publish.yml
    New "Publish Package" workflow triggered on tag pushes v*; configures OIDC (id-token: write), checks out repo, sets up Node.js v24 with npm registry, runs npm install, make targets (build/tsc, headless tests), links and runs lerna publish from-package --yes --skip-npm --no-git-tag-version.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Developer as Dev
  participant GitHub as "GitHub (Tag Push)"
  participant Actions as "GitHub Actions Runner"
  participant Node as "Node.js / npm"
  participant Lerna as "Lerna"
  participant Registry as "npm Registry"

  Dev->>GitHub: push tag vX.Y.Z
  GitHub->>Actions: trigger Publish workflow
  Actions->>Actions: checkout repo
  Actions->>Node: setup Node v24
  Actions->>Node: run npm install
  Actions->>Actions: run make build (tsc)
  Actions->>Actions: run make test:headless
  Actions->>Actions: run make link
  Actions->>Lerna: run lerna publish from-package --yes --skip-npm --no-git-tag-version
  Lerna->>Registry: publish package metadata/artifacts (OIDC-authenticated)
  Registry-->>Actions: publish result
  Actions-->>GitHub: workflow status (success/failure)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hop, tag, and trigger with a cheer,

Build by day and test by night,
Lerna leads the packages near,
OIDC keeps the publish light,
Packages leap into the bright.

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
  • Title check: ❓ Inconclusive. The title 'Publish-Profile' is vague and does not clearly convey the main change: adding a GitHub Actions publish/release workflow. A reader scanning history would not understand the primary purpose. Resolution: consider a more descriptive title such as 'Add GitHub Actions publish workflow' or 'Add OIDC-based npm release workflow' to better communicate the changeset's intent.
✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@phillipc phillipc changed the title Pc/publish profile Publish-Profile Dec 23, 2025
@brianmhunt

I think this process is perfect.

@brianmhunt brianmhunt left a comment

👍

@brianmhunt

I may have been a bit premature approving this, but just ping / re-review

@phillipc phillipc marked this pull request as ready for review December 24, 2025 07:02
@phillipc

Is the trust between npm and GitHub already set up? You can also add me to the TKO organization in npm: phillipc2 / https://www.npmjs.com/~phillipc2

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/publish.yml (1)

19-23: Consider adding dependency caching to speed up workflow runs.

Unlike other workflows in this project (which use Node v22), this workflow targets Node v24, which is now in Active LTS (as of October 2025). To match the caching strategy used in other workflows, add cache: 'npm' to improve performance:

      - name: Setup Node.js
        uses: actions/setup-node@v6
        with:
          node-version: 24
          registry-url: 'https://registry.npmjs.org'
+         cache: 'npm'
📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6412c34 and ad777ad.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml
🔇 Additional comments (6)
.github/workflows/publish.yml (6)

1-2: LGTM!

Clear workflow name with helpful documentation reference.


4-7: LGTM!

Standard trigger pattern for version-tagged releases.


9-11: LGTM!

Permissions correctly configured for OIDC trusted publishers authentication.


25-25: LGTM!

Standard dependency installation step.


27-30: LGTM!

Proper build and test validation before publishing ensures package quality.


32-32: This workflow is already correctly configured for npm trusted publishers; the suggested diff should not be applied.

The current setup properly implements OIDC publishing:

  • permissions: id-token: write with contents: read (correct minimal scoping)
  • setup-node@v6 with registry-url: 'https://registry.npmjs.org' (OIDC-ready)
  • ✓ Lerna v9.0.3 (supports OIDC)

The suggested diff contains errors that would break this setup:

  • --provenance is not a Lerna CLI flag; npm handles provenance automatically via the OIDC flow
  • NODE_AUTH_TOKEN should not be set when using OIDC trusted publishers; the token is generated automatically and setting it would override OIDC authentication

One consideration: Scoped packages (@tko/*) without publishConfig default to restricted access. If public publication is intended, add "publishConfig": { "access": "public" } to the relevant package.json files.

Likely an incorrect or invalid review comment.
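The consideration above about scoped packages is easy to miss until the first publish lands as restricted. The script below is an added example, not code from this PR or the tko project: it walks a packages/ tree and flags every non-private scoped package whose manifest has no "access": "public", so the job can stop before lerna runs. The package tree it builds is constructed for the demo; the real check would run against the repository's packages/ directory.

```shell
#!/bin/sh
# Added example (not the PR's code): preflight for scoped packages that
# would be published as restricted because publishConfig.access is unset.

# Print the "name" field of a package.json (first match, no jq needed).
pkg_name() {
  sed -n 's/^[[:space:]]*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 when the manifest is marked "private": true (lerna does not publish it).
pkg_is_private() {
  grep -q '"private"[[:space:]]*:[[:space:]]*true' "$1"
}

# 0 when publishConfig.access is public. "access" only appears inside
# publishConfig in a manifest, so a line match is a sufficient test here.
pkg_access_public() {
  grep -q '"access"[[:space:]]*:[[:space:]]*"public"' "$1"
}

# 0 when publishing this manifest would be public (or skipped), 1 when the
# restricted default would apply to a scoped name.
pkg_publish_ok() {
  name=$(pkg_name "$1")
  case "$name" in
    @*) pkg_is_private "$1" || pkg_access_public "$1" ;;
    *)  return 0 ;;   # unscoped packages are public by default
  esac
}

# Check every packages/*/package.json under a root and print offenders.
check_packages() {
  bad=0
  for f in "$1"/packages/*/package.json; do
    [ -f "$f" ] || continue
    if ! pkg_publish_ok "$f"; then
      echo "restricted by default: $(pkg_name "$f") ($f)"
      bad=$((bad + 1))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Constructed demo tree: one package configured, one missing publishConfig,
# one private, one unscoped.
root=$(mktemp -d)
mk() { mkdir -p "$root/packages/$1"; cat > "$root/packages/$1/package.json"; }
mk ok <<'EOF'
{
  "name": "@scope/ok",
  "version": "1.0.0",
  "publishConfig": { "access": "public" }
}
EOF
mk missing <<'EOF'
{
  "name": "@scope/missing",
  "version": "1.0.0"
}
EOF
mk internal <<'EOF'
{
  "name": "@scope/internal",
  "version": "1.0.0",
  "private": true
}
EOF
mk plain <<'EOF'
{
  "name": "plain",
  "version": "1.0.0"
}
EOF
check_packages "$root" || echo "add publishConfig before publishing"
rm -r "$root"
```

Only @scope/missing is reported: the private package is skipped by lerna anyway and the unscoped one is public by default.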


phillipc commented Dec 24, 2025

@brianmhunt What do you think about an ESM-Bundle-Package of TKO? I find the usage of TKO with one ESM-Bundle-Package much simpler.

# Build an ESM bundle, targeting ES6.
dist/tko.js: $(src) package.json
	@echo "[make] Compiling ${package} => $@"
	$(ESBUILD) \
		--platform=neutral \
		--format=esm \
		--log-level=$(log-level) \
		--banner:js="$(banner) ESM" \
		--define:BUILD_VERSION='"${version}"' \
		--bundle \
		--sourcemap=external \
		--outfile=$@ \
		./src/index.ts

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/publish.yml (1)

9-11: LGTM!

The permissions are correctly configured for npm OIDC authentication. The minimal permissions follow security best practices.

Consider adding contents: write permission if you plan to create GitHub releases as part of this workflow in the future.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ad777ad and 3dd304c.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: testheadless (22.x, on)
🔇 Additional comments (3)
.github/workflows/publish.yml (3)

1-7: LGTM!

The workflow name and trigger configuration are appropriate. Triggering on v* tags is a standard pattern for version-based releases.


25-31: LGTM!

Good practice to run comprehensive tests before publishing. The build and test steps ensure package quality before release.


19-23: Node.js 24 is production-ready (Active LTS since October 28, 2025, with support through April 2028). The configuration is appropriate.

Comment on lines +19 to +33
- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 24
registry-url: 'https://registry.npmjs.org'

- run: npm install

- run: make
- run: make tsc
- run: make test-headless
- run: make test-headless-jquery

- run: make link
- run: npx lerna publish from-package --yes --skip-npm --no-git-tag-version No newline at end of file
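Review bot: the `- run: npm install` step resolves the dependency tree afresh on every release run and will rewrite package-lock.json if it has drifted from package.json, so the tree that gets built and published is not guaranteed to be the locked set that was reviewed; for a publish job prefer `npm ci`, which installs exactly what the lockfile pins and fails on a mismatch (assuming a package-lock.json is committed). The `--skip-npm` on the last line also leaves lerna running its publish logic without contacting the registry, so as written the job cannot release anything.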

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find and examine package.json for Lerna version
fd -t f "package.json" | head -5 | while read f; do
  echo "=== File: $f ==="
  cat "$f" | jq -r '.devDependencies.lerna // .dependencies.lerna // empty' 2>/dev/null || echo "No lerna found"
done

Repository: knockout/tko

Length of output: 271


🏁 Script executed:

#!/bin/bash
# Check for .npmrc files and their content
fd -t f ".npmrc" | while read f; do
  echo "=== File: $f ==="
  cat "$f"
done

Repository: knockout/tko

Length of output: 38


🏁 Script executed:

#!/bin/bash
# Examine the complete workflow file for context
cat .github/workflows/publish.yml | head -50

Repository: knockout/tko

Length of output: 766


🌐 Web query:

Lerna publish command npm OIDC trusted publishers GitHub Actions

💡 Result:

Summary — using Lerna publish with npm OIDC (Trusted Publishers) from GitHub Actions

  • Lerna v9+ supports npm’s Trusted Publishing (OIDC) flow — no npm token required; Lerna will use the workflow-issued OIDC token when publishing. [1]
  • npm Trusted Publishers (OIDC) lets you register a GitHub Actions workflow (org/repo + workflow filename + environment) as the only allowed publisher for a package; publishing uses short‑lived credentials and emits provenance. Requires npm CLI >= 11.5.1. [2][3]
  • GitHub Actions requirements: enable the id-token permission (id-token: write) for the workflow and use GitHub-hosted runners; configure actions/setup-node (registry URL) so npm publish runs in that environment. Exact workflow filename and environment must match the configuration on npm. [2][4]
  • Practical notes with Lerna/GHA:
    • With OIDC/trusted-publisher configured on npm, simply run lerna publish in the workflow — Lerna v9+ will work with the OIDC exchange. [1][5]
    • If you instead use an npm automation token, older Lerna checks may fail (403 on npm whoami). If using an automation token you may need --no-verify-access with lerna publish to bypass Lerna’s access verification. Prefer OIDC for security. [6][1]
    • Trusted publishing currently requires cloud-hosted runners (GitHub-hosted); self-hosted runners are not supported for OIDC trusted publishing. [2]

References

  1. Lerna docs — Using OIDC trusted publishing with Lerna. [Lerna docs]. [1]
  2. npm Docs — Trusted publishing for npm packages. [npm docs]. [2]
  3. GitHub Changelog — npm trusted publishing with OIDC (GA). [GitHub blog]. [3]
  4. npm Docs — Trusted publishing troubleshooting / GitHub Actions note. [npm docs]. [2]
  5. Example repos / samples showing Lerna v9 OIDC examples (JamesHenry / lerna-v9-oidc example). [5]
  6. Community note / workaround: use --no-verify-access when publishing with npm automation tokens (Stack Overflow / GitHub issue). [6][1]

Would you like a ready-to-use GitHub Actions workflow example that runs lerna publish via OIDC?


🌐 Web query:

setup-node v6 npm OIDC authentication .npmrc configuration

💡 Result:

Short how-to + examples.

Key points

  • setup-node v6 configures registry and can create a project .npmrc but OIDC publish uses npm's "Trusted publishing" (no long‑lived token) and is handled by the npm CLI (npm ≥ 11.5.1). [1][2]
  • Your workflow must grant id-token: write so Actions can mint OIDC tokens. For installs of private packages you still need a read token (NODE_AUTH_TOKEN); only publish can use OIDC/TRUSTED PUBLISHING. [2][3]

Minimal workflow (publish with OIDC + install private deps)

permissions:
  contents: read
  id-token: write
steps:
  - uses: actions/checkout@v5
  - uses: actions/setup-node@v6
    with:
      node-version: 24
      registry-url: 'https://registry.npmjs.org' # optional for npmjs
  - name: Install deps (private deps require token)
    env:
      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_READONLY }}
    run: npm ci
  - name: Publish (Trusted publishing / OIDC)
    run: npm publish
    # do NOT set NODE_AUTH_TOKEN for this step so npm uses OIDC

Example .npmrc patterns

  • For npmjs installs using a CI token (set NODE_AUTH_TOKEN in env):
    //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
  • For GitHub Packages scoped registry:
    @your-scope:registry=https://npm.pkg.github.com
    //npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}

Notes / requirements

  • Enable Trusted Publisher for your package on npmjs.com (configure repo + workflow filename). Then npm CLI will exchange the GitHub OIDC ID token for a registry write token automatically when publishing. [2][4]
  • Ensure npm CLI >= 11.5.1 (Trusted publishing support) and use GitHub-hosted runners (OIDC currently limited to cloud runners). [2][4]
  • setup-node v6 can write .npmrc and set registry-url/scope inputs to help auth setup. [1]

Sources
[1] actions/setup-node (README).
[2] npm — Trusted publishing / OIDC docs.
[3] npm docs example (Trusted publishing workflow).
[4] blog/examples and community guides on OIDC trusted publishing.


Remove --skip-npm flag from Lerna publish command.

The workflow is correctly configured for OIDC trusted publishing (Lerna v9.0.3 supports it, id-token: write permission is set, setup-node@v6 configures the registry), but the --skip-npm flag on line 33 prevents npm publishing entirely. This flag should be removed so the publish command actually pushes to npm. The OIDC token from GitHub Actions will be automatically used by npm CLI for authentication with the configured trusted publisher.

🤖 Prompt for AI Agents
.github/workflows/publish.yml around lines 19 to 33: the Lerna publish
invocation includes the --skip-npm flag which prevents packages from being
pushed to npm; remove the --skip-npm flag from the npx lerna publish command so
it actually publishes to npm (keep the other flags like --yes and
--no-git-tag-version as needed) and commit the updated workflow.
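The analysis above collects the conditions a trusted-publishing workflow has to meet: id-token: write granted, no NODE_AUTH_TOKEN on the publish step (a static token overrides the OIDC exchange), no --provenance passed to lerna (not a lerna flag), and no --skip-npm left on the publish line. The script below is an added example, not code from this PR or the tko project: a small lint that reads a workflow file and reports each of those conditions, so it can run in CI before a tag is pushed. The two workflow texts it checks are constructed for the demo (the clean one is the PR's step list with --skip-npm removed; the NPM_TOKEN secret name in the broken one is a placeholder).

```shell
#!/bin/sh
# Added example (not the PR's code): lint a GitHub Actions workflow for the
# npm trusted-publishing requirements discussed in the review.

findings=0
lint_file=""

# Record one finding for the file currently being linted.
note() {
  echo "$lint_file: $1"
  findings=$((findings + 1))
}

# Print one line per finding; return 1 if there were any, 0 if clean.
lint_publish_workflow() {
  lint_file="$1"
  findings=0
  grep -Eq '^[[:space:]]*id-token:[[:space:]]*write' "$lint_file" \
    || note "permissions lack id-token: write, so npm cannot mint an OIDC token"
  if grep -q 'NODE_AUTH_TOKEN' "$lint_file"; then
    note "NODE_AUTH_TOKEN is set; a static token overrides trusted publishing"
  fi
  publish=$(grep 'lerna publish' "$lint_file")
  if [ -z "$publish" ]; then
    note "no lerna publish step found"
  else
    case "$publish" in *--provenance*)
      note "--provenance is not a lerna flag; provenance comes from the OIDC flow" ;;
    esac
    case "$publish" in *--skip-npm*)
      note "--skip-npm turns the publish step into a no-op" ;;
    esac
  fi
  [ "$findings" -eq 0 ]
}

# Constructed demo: the PR's step list with --skip-npm removed (clean), and a
# variant carrying the mistakes the review warns against (broken).
d=$(mktemp -d)
cat > "$d/clean.yml" <<'EOF'
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v6
        with:
          node-version: 24
          registry-url: 'https://registry.npmjs.org'
      - run: npx lerna publish from-package --yes --no-git-tag-version
EOF
cat > "$d/broken.yml" <<'EOF'
permissions:
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: npx lerna publish from-package --yes --skip-npm --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF
lint_publish_workflow "$d/clean.yml" && echo "clean.yml: ok"
lint_publish_workflow "$d/broken.yml" || echo "broken.yml: fix before tagging"
rm -r "$d"
```

The checks are line-oriented on purpose: a publish workflow is short, and a grep-level lint that anyone can read is easier to trust than a YAML parser dependency in the job that signs releases.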

- run: make test-headless-jquery

- run: make link
- run: npx lerna publish from-package --yes --skip-npm --no-git-tag-version No newline at end of file
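Review bot: once `--skip-npm` is removed, `npx lerna publish from-package --yes` on the last line publishes every workspace package whose package.json version is not yet on the registry, whatever the triggering `v*` tag says, and `--yes` suppresses the confirmation prompt; add a step before `make link` that fails the job unless the tag (`GITHUB_REF_NAME`) equals the version `make bump` wrote, so a mistyped or stray tag cannot push unreviewed versions.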

⚠️ Potential issue | 🔴 Critical

Remove --skip-npm flag to enable publishing.

The --skip-npm flag prevents the workflow from actually publishing to npm. Based on the commit message, this was intentionally disabled for testing, but it means the workflow won't fulfill its stated purpose.

🔎 Proposed fix to enable publishing
-      - run: npx lerna publish from-package --yes --skip-npm --no-git-tag-version
+      - run: npx lerna publish from-package --yes --no-git-tag-version
🤖 Prompt for AI Agents
In .github/workflows/publish.yml around line 33 the lerna publish command uses
the --skip-npm flag which prevents packages from being published to npm; remove
the --skip-npm flag from the run command so it becomes: npx lerna publish
from-package --yes --no-git-tag-version (or simply drop --skip-npm while
preserving other flags), commit the change so the workflow will perform actual
npm publishing.
