@ernestognw
Member

Fixes #5993

Trusted publisher is already configured so we wouldn't need the NPM_TOKEN. Also, trusted publishers get provenance automatically.

[Screenshot, 2025-10-21, 10:08:44 a.m.]

PR Checklist

  • Tests
  • Documentation
  • Changeset entry (run npx changeset add)

@ernestognw ernestognw requested a review from a team as a code owner October 21, 2025 16:11
@changeset-bot

changeset-bot bot commented Oct 21, 2025

⚠️ No Changeset found

Latest commit: 24ca257

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@coderabbitai

coderabbitai bot commented Oct 21, 2025

Walkthrough

The release workflow configuration is being updated to remove NPM authentication and provenance environment variables from the Publish step. Specifically, NPM_TOKEN and NPM_CONFIG_PROVENANCE are no longer explicitly passed, while other parameters like TARBALL and TAG remain in place. This aligns with the migration to npm's Trusted Publishing mechanism, which provides an alternative authentication method to legacy token-based approaches.

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title Check | ✅ Passed | The pull request title "Remove NPM_TOKEN from release-cycle CI" clearly and specifically describes the main change in the changeset. It identifies what is being removed (NPM_TOKEN) and where it's being removed from (release-cycle CI), which directly corresponds to the modification in .github/workflows/release-cycle.yml where the Publish step no longer passes NPM_TOKEN. The title is concise, meaningful, and would allow a teammate reviewing the commit history to quickly understand the primary change. |
| Linked Issues Check | ✅ Passed | The changes align with the objectives of linked issue #5993. The issue requires migrating away from NPM_TOKEN dependency in the release CI workflow, which is precisely what this PR accomplishes by removing NPM_TOKEN and NPM_CONFIG_PROVENANCE from the Publish step environment. The PR description indicates that trusted publisher is already configured, confirming that the migration prerequisites are in place. This satisfies the core coding requirement to eliminate the legacy NPM_TOKEN and enable the automatic provenance generation provided by npm Trusted Publishers. |
| Out of Scope Changes Check | ✅ Passed | All changes in this pull request are within scope of the linked issue #5993. The modifications to .github/workflows/release-cycle.yml directly address the requirement to remove NPM_TOKEN from the release CI workflow. The removal of NPM_CONFIG_PROVENANCE is also in scope because trusted publishers automatically generate provenance, making this environment variable unnecessary. No unrelated changes to other files or functionality are present in this changeset. |
| Description Check | ✅ Passed | The pull request description is clearly related to the changeset. It references the linked issue #5993 and provides context for why NPM_TOKEN is being removed: trusted publisher is already configured, making the token unnecessary. The description explains the technical rationale that trusted publishers automatically generate provenance, which corresponds directly to the removal of both NPM_TOKEN and NPM_CONFIG_PROVENANCE from the environment variables in the workflow file. |
| Docstring Coverage | ✅ Passed | No functions found in the changes. Docstring coverage check skipped. |
📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1cf1377 and 24ca257.

📒 Files selected for processing (1)
  • .github/workflows/release-cycle.yml (0 hunks)
💤 Files with no reviewable changes (1)
  • .github/workflows/release-cycle.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (6)
  • GitHub Check: slither
  • GitHub Check: tests
  • GitHub Check: tests-upgradeable
  • GitHub Check: coverage
  • GitHub Check: tests-foundry
  • GitHub Check: halmos

Comment @coderabbitai help to get the list of available commands and usage tips.
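
Added example, not part of the PR thread and not the project's workflow: a small check that a release workflow no longer passes a long-lived npm token or the redundant provenance flag, and that it grants the `id-token: write` permission GitHub Actions needs for OIDC-based trusted publishing (a requirement not stated in the thread). The two workflow fragments, the script path and the values of `TARBALL` and `TAG` are constructed for illustration.

```python
import re

# Constructed sample fragments (NOT the project's real release-cycle.yml).
BEFORE = """\
jobs:
  publish:
    steps:
      - name: Publish
        run: bash scripts/publish.sh   # hypothetical script path
        env:
          TARBALL: pkg.tgz
          TAG: latest
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: true
"""

AFTER = """\
jobs:
  publish:
    permissions:
      id-token: write   # lets the job request an OIDC token
    steps:
      - name: Publish
        run: bash scripts/publish.sh   # hypothetical script path
        env:
          TARBALL: pkg.tgz
          TAG: latest
"""

TOKEN_RE = re.compile(r"^\s*(NPM_TOKEN|NODE_AUTH_TOKEN)\s*:|secrets\.NPM_TOKEN")
PROVENANCE_RE = re.compile(r"^\s*NPM_CONFIG_PROVENANCE\s*:")
OIDC_RE = re.compile(r"^\s*id-token\s*:\s*write\b")

def audit_workflow(text):
    """Return (line, message) findings; line 0 means a file-level finding."""
    findings, has_oidc = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0]  # drop trailing YAML comments
        if TOKEN_RE.search(line):
            findings.append((n, "long-lived npm token still passed"))
        if PROVENANCE_RE.search(line):
            findings.append((n, "NPM_CONFIG_PROVENANCE is redundant"))
        if OIDC_RE.search(line):
            has_oidc = True
    if not has_oidc:
        findings.append((0, "missing 'id-token: write' permission"))
    return findings

if __name__ == "__main__":
    print(audit_workflow(BEFORE), audit_workflow(AFTER))
```

The check is line-based rather than a YAML parse, so it is suited to a pre-merge lint on workflow files, not to proving that the registry side is configured.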

Development

Successfully merging this pull request may close these issues.

Migrate to Trusted Publishing
