Skip to content
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
86 changes: 74 additions & 12 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
@@ -1,19 +1,81 @@
name: Release

# 手动触发发布,通过 npm OIDC trusted publishing 发布(无需 NPM_TOKEN)
on:
# 合并后自动发布
push:
branches: [ master ]
workflow_dispatch:
inputs:
version_type:
description: 'Version bump type'
required: true
default: 'patch'
type: choice
options:
- patch
- minor
- major
dry_run:
description: 'Dry run (do not publish or push)'
required: false
default: false
type: boolean

# 手动发布
workflow_dispatch: {}
permissions:
contents: write # push the version bump commit + tag, create the GitHub release
id-token: write # npm OIDC trusted publishing

jobs:
release:
name: Node.js
uses: artusjs/github-actions/.github/workflows/node-release.yml@v1
secrets:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
with:
checkTest: false
name: Release
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
Comment thread
coderabbitai[bot] marked this conversation as resolved.
with:
fetch-depth: 0

- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20
registry-url: 'https://registry.npmjs.org'
Comment on lines +36 to +40

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Remove registry-url when using OIDC trusted publishing.

Setting registry-url causes setup-node to generate an .npmrc file configured to use NODE_AUTH_TOKEN. Since NODE_AUTH_TOKEN is not provided to the workflow steps, this results in an unresolved variable in the config, which can cause npm warnings or authentication conflicts.

Since you are relying on npm's native OIDC trusted publishing (which generates its own token via the OIDC id-token), you can safely remove registry-url.

♻️ Proposed fix
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: 20
-          registry-url: 'https://registry.npmjs.org'
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20
registry-url: 'https://registry.npmjs.org'
- name: Setup Node.js
uses: actions/setup-node@v4
with:
node-version: 20
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 25 - 29, Remove the registry-url
setting from the Setup Node.js step in the release workflow, leaving the Node.js
version configuration unchanged so npm uses OIDC trusted publishing without
setup-node generating an NODE_AUTH_TOKEN-based .npmrc.


# OIDC trusted publishing requires npm >= 11.5.1
- name: Upgrade npm
run: npm install -g npm@latest

- name: Install dependencies
run: npm i --no-package-lock --no-fund

- name: Test
run: npm test

- name: Configure Git
run: |
git config --local user.email "github-actions[bot]@users.noreply.github.com"
git config --local user.name "github-actions[bot]"

- name: Version bump
id: bump
run: |
npm version ${{ github.event.inputs.version_type }} -m "Release v%s"
echo "tag=v$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT"
Comment on lines +59 to +61

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Prevent template injection by using environment variables.

Directly interpolating GitHub contexts into run scripts can lead to code injection. Although version_type is currently constrained by a choice input, passing it via an environment variable is a safer practice and prevents future vulnerabilities if the input type changes. Additionally, prefer the modern inputs context over the deprecated github.event.inputs.

🛡️ Proposed fix
       - name: Version bump
         id: bump
+        env:
+          VERSION_TYPE: ${{ inputs.version_type }}
         run: |
-          npm version ${{ github.event.inputs.version_type }} -m "Release v%s"
+          npm version "$VERSION_TYPE" -m "Release v%s"
           echo "tag=v$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT"
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
run: |
npm version ${{ github.event.inputs.version_type }} -m "Release v%s"
echo "tag=v$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT"
env:
VERSION_TYPE: ${{ inputs.version_type }}
run: |
npm version "$VERSION_TYPE" -m "Release v%s"
echo "tag=v$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT"
🧰 Tools
🪛 zizmor (1.26.1)

[error] 61-61: code injection via template expansion (template-injection): may expand into attacker-controllable code

(template-injection)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 60 - 62, Update the release
step’s npm version command to consume the version type through a step
environment variable populated from the modern inputs context, rather than
directly interpolating github.event.inputs.version_type in the shell script.
Preserve the existing release message and tag output behavior.

Source: Linters/SAST tools


- name: Publish (dry run)
if: ${{ github.event.inputs.dry_run == 'true' }}
run: npm publish --provenance --dry-run

# Publish before pushing: if publish fails, nothing is pushed and the
# run can be retried cleanly without a double version bump.
- name: Publish
if: ${{ github.event.inputs.dry_run != 'true' }}
run: npm publish --provenance

- name: Push commit and tag
if: ${{ github.event.inputs.dry_run != 'true' }}
run: git push origin HEAD --follow-tags

- name: Create GitHub Release
if: ${{ github.event.inputs.dry_run != 'true' }}
run: gh release create "${{ steps.bump.outputs.tag }}" --verify-tag --generate-notes
env:
GITHUB_TOKEN: ${{ github.token }}
Loading