
ci: install npm in user prefix#204

Merged
FranciscoMoretti merged 1 commit into main from codex/fix-npm-trusted-publishing on Jul 3, 2026
Conversation

@FranciscoMoretti

@FranciscoMoretti FranciscoMoretti commented Jul 3, 2026

Owner

Summary

  • install latest npm into a user-owned prefix for trusted publishing
  • add that prefix to GITHUB_PATH before Changesets publishes

Validation

  • parsed .github/workflows/release.yml with Ruby YAML loader

Summary by Sourcery

CI:

  • Update the release workflow to install the latest npm into a user-scoped prefix and add its bin directory to GITHUB_PATH before running the Changesets publish step.

Summary by cubic

Update the release workflow to install the latest npm into a user-scoped prefix (~/.npm-global) and add ~/.npm-global/bin to GITHUB_PATH before the Changesets publish step. This supports Trusted Publishing and avoids permission issues with global installs.

Written for commit 8452ad1. Summary will update on new commits.


Summary by CodeRabbit

  • Chores
    • Improved the release process to make package publishing more reliable and consistent.

@vercel

vercel Bot commented Jul 3, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project deployments (updated Jul 3, 2026 9:36am UTC):

  • chat-js-site: Ready (Preview, Comment)
  • sparka: Ready (Preview, Comment)


@sourcery-ai

sourcery-ai Bot commented Jul 3, 2026


Reviewer's Guide

Updates the release GitHub Actions workflow so that the latest npm is installed into a user-owned prefix and that prefix is added to GITHUB_PATH before the Changesets publish step, to satisfy trusted publishing requirements.

Flow diagram for updated npm installation in release workflow

flowchart TD
  A[GitHub Actions runner
  release job] --> B[Step
  bun install --frozen-lockfile]
  B --> C[Step
  npm install --global npm@latest --prefix ~/.npm-global]
  C --> D[Step
  echo $HOME/.npm-global/bin >> $GITHUB_PATH]
  D --> E[Step
  changesets/action@v1
  Create Release PR or Publish]

File-Level Changes

Change: Install npm into a user-owned prefix instead of globally and expose its bin directory on PATH during the release workflow.

Details:
  • Change the npm update step from a global install to installing npm@latest into ~/.npm-global using the --prefix flag.
  • Append the ~/.npm-global/bin directory to GITHUB_PATH so subsequent steps, including Changesets, use the newly installed npm.

Files: .github/workflows/release.yml


@coderabbitai

coderabbitai Bot commented Jul 3, 2026

Contributor


Walkthrough

The release workflow's "Update npm for trusted publishing" step is modified to install npm@latest into a user-local prefix (~/.npm-global) and append the resulting bin directory to GITHUB_PATH, replacing the previous global installation command.

Changes

Release Workflow npm Install Update

Layer: npm install prefix and PATH update
File(s): .github/workflows/release.yml
Summary: The npm update step now installs npm@latest with a --prefix ~/.npm-global flag and appends the prefix's bin directory to GITHUB_PATH, replacing the prior global install command.


🐰 A hop, a skip, a tiny fix,
Npm now lives where prefixes mix,
No global mess, just local grace,
GITHUB_PATH finds its rightful place,
A carrot cheer for CI's new trick! 🥕

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main CI change: installing npm in a user-owned prefix.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

@sourcery-ai sourcery-ai Bot left a comment


Hey - I've left some high level feedback:

  • Consider using $HOME consistently instead of mixing ~ and $HOME in the npm prefix path to avoid any shell or environment edge cases.
  • Add a mkdir -p "$HOME/.npm-global" before the npm install command to ensure the user-scoped prefix directory exists on a clean runner.
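The PATH wiring the PR description and Greptile's summary describe, with Sourcery's two points applied, as an added example that is not part of the PR or of the project's workflow. It emulates, offline in a throwaway directory, what the runner does with GITHUB_PATH: it creates the prefix with mkdir -p, "installs" a constructed stand-in for the npm binary (no network, no real npm), rebuilds the PATH a later step would see, resolves which npm wins, and shows why a quoted `~` would not expand. The sandbox paths, the `11.0.0-constructed` version string and every function name are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the PR or the project): emulate the release step's
# user-prefix install and GITHUB_PATH wiring offline, in a throwaway directory.
set -eu

# Constructed sandbox standing in for the runner: a fake $HOME and a fake
# GITHUB_PATH file. Nothing here touches the network or the real npm.
SANDBOX=$(mktemp -d)
trap 'rm -rf "$SANDBOX"' EXIT
HOME_DIR="$SANDBOX/home"
GITHUB_PATH_FILE="$SANDBOX/github_path"
: > "$GITHUB_PATH_FILE"

# Mirror of the workflow step with the reviewers' two points applied:
# mkdir -p so the prefix exists on a clean runner, and $HOME used throughout.
# The "install" drops a constructed stand-in binary that reports a pinned version.
prepare_prefix() {
  pinned_version="$1"
  mkdir -p "$HOME_DIR/.npm-global/bin"
  printf '#!/bin/sh\necho "%s"\n' "$pinned_version" > "$HOME_DIR/.npm-global/bin/npm"
  chmod +x "$HOME_DIR/.npm-global/bin/npm"
  echo "$HOME_DIR/.npm-global/bin" >> "$GITHUB_PATH_FILE"
}

# GitHub Actions prepends each line of GITHUB_PATH to PATH for later steps;
# rebuild the PATH a subsequent step (e.g. changesets/action) would see.
effective_path() {
  p="$PATH"
  while IFS= read -r dir; do
    p="$dir:$p"
  done < "$GITHUB_PATH_FILE"
  printf '%s' "$p"
}

# Explicit first-match lookup of npm along that PATH, the same rule the
# publish step's shell applies: the user prefix wins because it comes first.
resolved_npm() {
  search="$(effective_path)"
  old_ifs="$IFS"
  IFS=:
  for dir in $search; do
    if [ -x "$dir/npm" ]; then
      IFS="$old_ifs"
      printf '%s' "$dir/npm"
      return 0
    fi
  done
  IFS="$old_ifs"
  return 1
}

# Version reported by whichever npm the publish step would actually run.
resolved_npm_version() {
  "$(resolved_npm)" --version
}

# How an argument arrives at npm. A quoted "~" is passed literally, so
# --prefix "~/.npm-global" would create a directory named "~" in the cwd;
# an unquoted ~ or "$HOME" expands as intended. This is the hazard behind
# Sourcery's first comment about mixing ~ and $HOME.
arg_seen_by_npm() {
  printf '%s' "$1"
}

prepare_prefix "11.0.0-constructed"   # constructed version string, not a real npm release
echo "publish step would run $(resolved_npm), reporting $(resolved_npm_version)"
echo "quoted tilde arrives as: $(arg_seen_by_npm "~/.npm-global")"
```

The lookup in resolved_npm is written out by hand rather than delegated to `command -v` so that the first-match rule, which is the whole reason the GITHUB_PATH line makes the newer npm take effect, is visible in the script itself.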

@greptile-apps

greptile-apps Bot commented Jul 3, 2026

Contributor

Greptile Summary

This PR fixes a CI permission issue on the GitHub Actions runner by installing the latest npm into a user-owned prefix (~/.npm-global) instead of the system-global prefix, and then exports that prefix to GITHUB_PATH so the Changesets publish step can pick up the newer npm binary.

  • Replaces npm install -g npm@latest (prone to EACCES failures on shared runners) with npm install --global npm@latest --prefix ~/.npm-global, which writes entirely to user-owned space.
  • Appends $HOME/.npm-global/bin to GITHUB_PATH so the updated npm is on PATH for the subsequent changesets/action step.

Confidence Score: 5/5

Safe to merge — the two-line change correctly resolves the npm global-install permission problem and properly wires the new binary into PATH for downstream steps.

The change is narrow and well-understood: a user-prefix npm install followed by a GITHUB_PATH export is a standard GitHub Actions pattern. The new npm binary is available exactly where it is needed (the changesets publish step), and the old single-line approach that could silently fail due to write-permission errors on the system npm prefix is replaced cleanly.

No files require special attention.

Important Files Changed

Filename: .github/workflows/release.yml
Overview: Replaces global npm install (which could fail due to permission errors) with a user-prefix install into ~/.npm-global, and correctly exports that prefix to GITHUB_PATH so subsequent steps pick up the newer npm binary.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant GH as GitHub Actions Runner
    participant SysNpm as System npm
    participant UserPrefix as ~/.npm-global
    participant GHPATH as GITHUB_PATH
    participant Changesets as changesets/action

    GH->>SysNpm: "npm install --global npm@latest --prefix ~/.npm-global"
    SysNpm->>UserPrefix: writes new npm binary to ~/.npm-global/bin/npm
    GH->>GHPATH: "echo "$HOME/.npm-global/bin" >> "$GITHUB_PATH""
    Note over GHPATH: PATH updated for subsequent steps
    GH->>Changesets: "run changesets/action@v1 (publish: bun run release)"
    Changesets->>UserPrefix: resolves npm via updated PATH
    UserPrefix-->>Changesets: latest npm binary with provenance support

Reviews (1): Last reviewed commit: "ci: install npm in user prefix"

@coderabbitai coderabbitai Bot left a comment

Contributor


🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

39-43: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider pinning npm version instead of latest for a trusted-publishing step.

npm@latest is unpinned, so the exact npm build used for provenance-signed publishing can silently change between runs — exactly the kind of ad-hoc, unlocked dependency zizmor flags. For a step whose whole purpose is npm's trusted-publishing/provenance support, pinning to a known-good npm version reduces supply-chain risk and makes builds reproducible.

♻️ Example: pin to a specific npm version
       - name: Update npm for trusted publishing
         run: |
-          npm install --global npm@latest --prefix ~/.npm-global
+          npm install --global npm@11.x.y --prefix ~/.npm-global
           echo "$HOME/.npm-global/bin" >> "$GITHUB_PATH"
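Review bot: the `+` line's `npm@11.x.y` is a placeholder, not a resolvable npm version, so copying the suggestion verbatim would make the install fail; a concrete pinned release belongs there, and the PR's stated validation (a YAML parse of release.yml) would not catch a bad version spec. The same `+` line also keeps the unquoted `~` in `--prefix ~/.npm-global` next to `"$HOME/.npm-global/bin"` on the following context line, the mixing Sourcery flagged above; writing the prefix as `"$HOME/.npm-global"` in the same edit would close both points.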

Source: Linters/SAST tools



📥 Commits

Reviewing files that changed from the base of the PR and between 49e74ed and 8452ad1.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

@cubic-dev-ai cubic-dev-ai Bot left a comment

Contributor


No issues found across 1 file


@FranciscoMoretti FranciscoMoretti merged commit 9a29a55 into main Jul 3, 2026
15 checks passed
@FranciscoMoretti FranciscoMoretti deleted the codex/fix-npm-trusted-publishing branch July 3, 2026 09:44