
Nvl 1618 move libraries to trusted publishing#1

Merged: dominik-deak merged 20 commits into master from NVL-1618-move-libraries-to-trusted-publishing on Jan 2, 2026

Conversation

@dominik-deak (Contributor) commented Jan 2, 2026

PR Type

Enhancement


Description

  • Add GitHub Actions workflow for automated package publishing with OIDC Trusted Publishing support

  • Replace bun with Node.js for OIDC compatibility in publishing pipeline

  • Add validation step to ensure git tag matches package.json version

  • Lock Node.js version to v24.12.0 via .nvmrc file


Diagram Walkthrough

flowchart LR
  A["Git Tag Push"] -->|"Triggers workflow"| B["Setup Node.js 20"]
  B -->|"Validate"| C["Tag vs package.json"]
  C -->|"Build"| D["npm run build"]
  D -->|"Publish"| E["npm publish with OIDC"]
  E -->|"No token needed"| F["Trusted Publishing"]

File Walkthrough

Relevant files

Configuration changes

.github/workflows/publish.yml (+39/-0): GitHub Actions workflow for OIDC package publishing
  • New GitHub Actions workflow triggered on version tags (v*)
  • Sets up Node.js 20 with npm registry configuration
  • Validates git tag matches package.json version before publishing
  • Builds package and publishes to npm using OIDC Trusted Publishing with provenance

.nvmrc (+1/-0): Lock Node.js version to v24.12.0
  • Specifies Node.js version v24.12.0 for consistent runtime environment
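The description above says the workflow refuses to publish unless the git tag matches the version in package.json. The script below is an added example of that check, written for this page and not copied from the PR's workflow; it assumes (my assumption, not something the PR states) that release tags look like `v1.2.3` with an optional leading `v`, that package.json has a single top-level `"version"` key, and that in CI the tag would be read from `GITHUB_REF_NAME`. The sample package.json is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not the PR's own workflow step: refuse to publish unless the
# git tag that triggered the run matches the "version" field in package.json.
# Assumptions (mine, not from the PR): tags look like "v1.2.3" (the leading "v"
# is optional) and package.json has one top-level "version" key.

# Extract the "version" value from package.json without needing jq or node.
package_version() {
  # $1: path to package.json
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when the tag (minus a leading "v") equals the package version,
# 1 otherwise, printing the reason so the CI log explains a refused publish.
validate_tag() {
  # $1: git tag, e.g. v1.1.1 ; $2: path to package.json
  tag="${1#v}"
  version="$(package_version "$2")"
  if [ -z "$version" ]; then
    echo "error: no version field found in $2" >&2
    return 1
  fi
  if [ "$tag" != "$version" ]; then
    echo "error: tag '$1' does not match package.json version '$version'" >&2
    return 1
  fi
  echo "ok: tag $1 matches package.json version $version"
}

# Constructed sample package.json so the script runs offline; in the workflow
# the tag comes from GITHUB_REF_NAME and the file from the checked-out repo.
demo_dir="$(mktemp -d)"
cat > "$demo_dir/package.json" <<'EOF'
{
  "name": "example-package",
  "version": "1.1.1",
  "scripts": { "build": "tsc" }
}
EOF

validate_tag "v1.1.1" "$demo_dir/package.json"            # matching tag passes
if validate_tag "v1.1.2" "$demo_dir/package.json"; then   # mismatch is refused
  echo "unexpected: mismatched tag was accepted" >&2
fi
rm -rf "$demo_dir"
```

In a workflow step the call would be `validate_tag "$GITHUB_REF_NAME" package.json`; a non-zero exit stops the job before `npm publish` runs, which is the point of placing the check ahead of the build and publish steps.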

@dominik-deak dominik-deak marked this pull request as ready for review January 2, 2026 11:43
Copilot AI review requested due to automatic review settings January 2, 2026 11:43
qodo-code-review Bot commented Jan 2, 2026

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Supply chain pinning

Description: The workflow relies on mutable, unpinned dependencies (e.g., actions/checkout@v4,
actions/setup-node@v4, and npm install -g npm@latest), which creates a supply-chain risk
where a compromised action release or a malicious/buggy newly-published npm version could
execute arbitrary code during publishing.
publish.yml [15-23]

Referred Code
- uses: actions/checkout@v4

- uses: actions/setup-node@v4
  with:
    node-version: "20"
    registry-url: "https://registry.npmjs.org"

- name: Update npm
  run: npm install -g npm@latest
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined


Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


🔴
Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Node version mismatch: The workflow pins node-version: "20" while the repo adds .nvmrc v24.12.0,
creating a likely build/publish failure mode when Node-specific behavior differs across
environments.

Referred Code
- uses: actions/setup-node@v4
  with:
    node-version: "20"
    registry-url: "https://registry.npmjs.org"


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Unpinned npm update: The step npm install -g npm@latest pulls an unpinned toolchain dependency at publish time,
which can undermine supply-chain integrity and reproducibility unless there is a
documented control/justification.

Referred Code
- name: Update npm
  run: npm install -g npm@latest


Compliance status legend
  • 🟢 - Fully Compliant
  • 🟡 - Partial Compliant
  • 🔴 - Not Compliant
  • ⚪ - Requires Further Human Verification
  • 🏷️ - Compliance label
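The compliance guide above flags two supply-chain pinning problems: actions referenced by mutable tags (`actions/checkout@v4`, `actions/setup-node@v4`) and a toolchain install that floats to `npm@latest`. The script below is an added example, not part of the PR or of the review bot, of a small audit that detects both patterns in a workflow file. It treats an action as pinned only when the ref after `@` is a full 40-hex commit SHA (my criterion, not the bot's), and it runs over two constructed workflow snippets: one mirroring the flagged steps and one pinned form. The SHAs in the pinned sample are all-zero placeholders, and the `npm@10.9.0` pin is an example version chosen for illustration.

```shell
#!/bin/sh
# Added example, not part of the PR or its review tooling: a small audit that
# flags the two supply-chain findings the compliance guide raised, run over
# constructed workflow snippets. An action is treated as pinned only when the
# ref after "@" is a full 40-hex commit SHA; "@v4"-style tags are mutable and
# get flagged. "npm install ... @latest" steps are flagged as floating.

# Print every "uses:" line whose ref is not a 40-hex commit SHA.
unpinned_uses() {
  # $1: workflow file
  grep -n 'uses:' "$1" \
    | grep -v -E 'uses:[[:space:]]*[^@[:space:]]+@[0-9a-f]{40}([[:space:]]|$)'
}

# Print every "npm install" / "npm i" line that requests a "@latest" version.
floating_npm_installs() {
  grep -n -E 'npm[[:space:]]+(install|i)[[:space:]].*@latest' "$1"
}

# Print the total number of findings for a workflow file.
audit_findings() {
  n_uses="$(unpinned_uses "$1" | wc -l | tr -d ' ')"
  n_npm="$(floating_npm_installs "$1" | wc -l | tr -d ' ')"
  echo $((n_uses + n_npm))
}

# Report findings; return 0 for a clean file, 1 when anything is flagged.
audit_workflow() {
  echo "== $1"
  unpinned_uses "$1" | sed 's/^/unpinned action: /'
  floating_npm_installs "$1" | sed 's/^/floating npm version: /'
  [ "$(audit_findings "$1")" -eq 0 ]
}

# Write two constructed workflows into $1: one mirroring the flagged steps and
# one pinned form. The SHAs below are placeholders, not real commits, and the
# npm version is an example pin.
write_samples() {
  cat > "$1/unpinned.yml" <<'EOF'
steps:
  - uses: actions/checkout@v4
  - uses: actions/setup-node@v4
    with:
      node-version: "20"
  - name: Update npm
    run: npm install -g npm@latest
EOF
  cat > "$1/pinned.yml" <<'EOF'
steps:
  - uses: actions/checkout@0000000000000000000000000000000000000000 # placeholder SHA
  - uses: actions/setup-node@0000000000000000000000000000000000000000 # placeholder SHA
    with:
      node-version-file: '.nvmrc'
  - name: Update npm
    run: npm install -g npm@10.9.0
EOF
}

samples="$(mktemp -d)"
write_samples "$samples"
audit_workflow "$samples/unpinned.yml" || echo "-> $(audit_findings "$samples/unpinned.yml") finding(s)"
audit_workflow "$samples/pinned.yml" && echo "-> clean"
rm -rf "$samples"
```

Run as a pre-merge check over `.github/workflows/*.yml`, the audit fails on exactly the lines quoted in the compliance guide (the two `@v4` actions and `npm@latest`) and passes the pinned form, which is also the form where the `# placeholder SHA` comment would normally carry the human-readable tag the SHA corresponds to.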

qodo-code-review Bot commented Jan 2, 2026

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue

Suggestion: Use .nvmrc for consistent Node.js version

Suggestion Impact: The workflow's Node.js version was changed from "20" to "24", likely to align with the version in .nvmrc, addressing the version mismatch concern. However, it did not implement the suggested best practice of using node-version-file: '.nvmrc'.

code diff:

       - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           registry-url: "https://registry.npmjs.org"
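Review bot: the change to `node-version: "24"` narrows but does not remove the mismatch flagged in the compliance guide: setup-node will resolve any 24.x release for that value, while .nvmrc pins v24.12.0 exactly, so the two can drift apart again on the next 24.x release. Reading the version from the file (`node-version-file: '.nvmrc'`, as the suggestion proposes) leaves one source of truth for both the workflow and local development.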

Modify the actions/setup-node step to use the .nvmrc file for setting the
Node.js version, ensuring consistency with the development environment.

.github/workflows/publish.yml [17-20]

 - uses: actions/setup-node@v4
   with:
-    node-version: "20"
+    node-version-file: '.nvmrc'
     registry-url: "https://registry.npmjs.org"
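Review bot: the replacement line mixes quote styles (`'.nvmrc'` beside `registry-url: "https://registry.npmjs.org"`); both are valid YAML, but keep one style within the step. Note also that the change drops `node-version` entirely, so .nvmrc must be present at the checkout on every run; a missing or malformed file then fails the job at setup rather than at publish, which is the preferable place to fail.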

[Suggestion processed]

Suggestion importance [1-10]: 7

Why: This suggestion correctly identifies the Node.js version mismatch between the workflow and the .nvmrc file and proposes using node-version-file, which is the best practice for ensuring consistency and improving maintainability.

Impact: Medium

Suggestion: Specify npm registry on publish

Add the --registry https://registry.npmjs.org flag to the npm publish command to
explicitly target the public npm registry.

.github/workflows/publish.yml [39]

-- run: npm publish --provenance --access public
+- run: npm publish --provenance --access public --registry https://registry.npmjs.org
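Review bot: the added `--registry https://registry.npmjs.org` duplicates the `registry-url` the setup-node step already configures (publish.yml [17-20]), and having the value in two places is the actual risk: if they ever diverge, the registry npm is configured to authenticate against and the one it publishes to could differ. Either drop the flag, as the "Why" note concludes, or derive both from a single workflow variable.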
Suggestion importance [1-10]: 2

Why: This change is redundant because the actions/setup-node step already configures the npm registry URL. While being explicit is not harmful, it adds little value and is unnecessary for the workflow's correctness.

Impact: Low

Copilot AI left a comment
Pull request overview

This PR migrates the package publishing process from Bun to Node.js to support npm's Trusted Publishing via OIDC authentication. This eliminates the need for manually managed authentication tokens by leveraging GitHub Actions' OIDC integration with npm.

Key Changes:

  • Adds npm package-lock.json for dependency management with Node.js
  • Introduces GitHub Actions workflow for automated publishing with Trusted Publishing
  • Configures Node.js version v24.12.0 via .nvmrc

Reviewed changes

Copilot reviewed 2 out of 5 changed files in this pull request and generated 2 comments.

Files reviewed:

  • package-lock.json: Adds npm lock file with project dependencies (@types/node, typescript, yaml, change-case) for Node.js-based builds
  • .nvmrc: Specifies Node.js v24.12.0 for consistent runtime environment
  • .gitignore: Removes package-lock.json from ignore list to track it in version control (required for npm ci)
  • .github/workflows/publish.yml: Implements automated publishing workflow with OIDC/Trusted Publishing, including tag validation and provenance


@dominik-deak dominik-deak requested a review from AG-Labs January 2, 2026 12:30

@AG-Labs left a comment

Everything looks good but I'm not seeing what I would expect in npmjs.com?


@AG-Labs left a comment

Has dry run turned on.
Remove that and do another beta deploy under 1.1.1 once the actions are all updated. If that works we can merge and then I'll move on to looking at the other PRs.

@dominik-deak dominik-deak merged commit e661b06 into master Jan 2, 2026
@dominik-deak dominik-deak deleted the NVL-1618-move-libraries-to-trusted-publishing branch January 2, 2026 17:36

3 participants