ci: install npm in user prefix #204
Reviewer's Guide

Updates the release GitHub Actions workflow so that the latest npm is installed into a user-owned prefix and that prefix is added to GITHUB_PATH before the Changesets publish step, to satisfy trusted publishing requirements.

Flow diagram for updated npm installation in release workflow:

  GitHub Actions runner, release job
    --> Step: bun install --frozen-lockfile
    --> Step: npm install --global npm@latest --prefix ~/.npm-global
    --> Step: echo $HOME/.npm-global/bin >> $GITHUB_PATH
    --> Step: changesets/action@v1 (Create Release PR or Publish)
Walkthrough

The release workflow's "Update npm for trusted publishing" step is modified to install npm@latest into a user-local prefix (~/.npm-global) and append the resulting bin directory to GITHUB_PATH, replacing the previous global installation command.

Changes: Release Workflow npm Install Update

Estimated code review effort: 1 (Trivial) | ~3 minutes
Related Issues: None provided.
Related PRs: None provided.
Suggested labels: ci, github-actions
Suggested reviewers: FranciscoMoretti
🐰 A hop, a skip, a tiny fix,
Pre-merge checks: 5 passed
Hey - I've left some high level feedback:

- Consider using `$HOME` consistently instead of mixing `~` and `$HOME` in the npm prefix path to avoid any shell or environment edge cases.
- Add a `mkdir -p "$HOME/.npm-global"` before the `npm install` command to ensure the user-scoped prefix directory exists on a clean runner.
🧹 Nitpick comments (1)

.github/workflows/release.yml (1)

Lines 39-43: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win
Consider pinning npm version instead of `latest` for a trusted-publishing step.

`npm@latest` is unpinned, so the exact npm build used for provenance-signed publishing can silently change between runs — exactly the kind of ad-hoc, unlocked dependency zizmor flags. For a step whose whole purpose is npm's trusted-publishing/provenance support, pinning to a known-good npm version reduces supply-chain risk and makes builds reproducible.

♻️ Example: pin to a specific npm version
- name: Update npm for trusted publishing run: | - npm install --global npm@latest --prefix ~/.npm-global + npm install --global npm@11.x.y --prefix ~/.npm-global echo "$HOME/.npm-global/bin" >> "$GITHUB_PATH"🤖 Prompt for AI Agents
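Review bot: the `+` line pins `npm@11.x.y`, which is a placeholder rather than a resolvable npm release, so substitute a concrete version before applying the suggestion. The same hunk still mixes `~` in `--prefix ~/.npm-global` with `$HOME` in the `echo "$HOME/.npm-global/bin"` line, so the `$HOME`-consistency point raised in the other review applies to this suggested form as well.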
Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/release.yml:
- Around line 39-43: The trusted-publishing workflow step currently installs npm
via npm@latest, which leaves the provenance-signing toolchain unpinned. Update
the “Update npm for trusted publishing” step in the release workflow to install
a specific known-good npm version instead of latest, while keeping the PATH
export unchanged. This should make the release job reproducible and avoid silent
npm changes in the publishing flow.
📒 Files selected for processing (1)
.github/workflows/release.yml
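Putting the two review suggestions together, the step as it could look with `$HOME` used consistently, the prefix created first, the npm version pinned, and a follow-up check that the pinned npm is the one later steps will resolve. This is an added example, not the project's release.yml; `NPM_VERSION` is a placeholder for a vetted npm release, and the earlier steps and the Changesets action inputs are left out.

```yaml
jobs:
  release:
    runs-on: ubuntu-latest
    env:
      # Placeholder: replace with the npm release you have vetted for
      # trusted publishing. The PR pins no concrete version.
      NPM_VERSION: "X.Y.Z"
    steps:
      # ... checkout and `bun install --frozen-lockfile` steps omitted ...

      # Weak form from the PR, kept here only for comparison:
      #   - name: Update npm for trusted publishing
      #     run: |
      #       npm install --global npm@latest --prefix ~/.npm-global
      #       echo "$HOME/.npm-global/bin" >> "$GITHUB_PATH"

      - name: Update npm for trusted publishing
        run: |
          set -euo pipefail
          prefix="$HOME/.npm-global"          # $HOME throughout, no ~
          mkdir -p "$prefix"                  # exists even on a clean runner
          npm install --global "npm@${NPM_VERSION}" --prefix "$prefix"
          # Entries written to GITHUB_PATH take effect in subsequent steps only.
          echo "$prefix/bin" >> "$GITHUB_PATH"

      - name: Verify the pinned npm is the one on PATH
        run: |
          set -euo pipefail
          # GITHUB_PATH entries are prepended, so the publish step must resolve
          # npm to the user prefix rather than the runner's preinstalled copy.
          test "$(command -v npm)" = "$HOME/.npm-global/bin/npm"
          test "$(npm --version)" = "$NPM_VERSION"

      - name: Create Release PR or Publish
        uses: changesets/action@v1
        # action inputs omitted; they are not part of this PR
```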
Summary

- ... GITHUB_PATH before Changesets publishes

Validation

- ... .github/workflows/release.yml with Ruby YAML loader

Summary by Sourcery

CI:

Summary by cubic

Update the release workflow to install the latest npm into a user-scoped prefix (~/.npm-global) and add ~/.npm-global/bin to GITHUB_PATH before the Changesets publish step. This supports Trusted Publishing and avoids permission issues with global installs.

Written for commit 8452ad1. Summary will update on new commits.

Summary by CodeRabbit