
ci: add npm publish workflow on GitHub release #1086

Merged: erikras merged 1 commit into main from ci/add-npm-publish-workflow on May 5, 2026

erikras-richard-agent (Contributor) commented May 5, 2026

Adds a GitHub Actions workflow that automatically publishes to npm whenever a GitHub Release is published.

What it does

  • Triggers on (not on every tag push — requires an explicit GitHub Release to be published, giving you a manual checkpoint before anything hits npm)
  • Runs tests and build first, then
  • Uses the secret for authentication

Prerequisites

An secret needs to be added to this repo (or at the org level) before the workflow will work. Use a granular npm automation token scoped to publish access for this package only.

Summary by CodeRabbit

  • Chores
    • Automated publishing: releases now trigger an automated publish pipeline.
    • Pre-release handling: pre-releases are published with the "next" tag.
    • Validation before publish: tests and a production build run automatically prior to publishing.
    • Environment update: publishing pipeline now uses Node.js 22.

coderabbitai Bot commented May 5, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 444cbf03-b304-4cef-9c2d-3e54b222d528

📥 Commits

Reviewing files that changed from the base of the PR and between 8678c41 and 0f8979a.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml

📝 Walkthrough

Adds a GitHub Actions workflow .github/workflows/publish.yml named "Publish" that triggers on published GitHub Releases, sets permissions, uses Node.js 22 with Yarn to install, test, and build, then publishes to npm using NODE_AUTH_TOKEN, tagging prereleases as next when applicable. (48 words)

Changes

Release Publishing Workflow

Layer / File(s) | Summary
Trigger / Metadata: .github/workflows/publish.yml | Workflow named "Publish" triggers on release events of type published and sets workflow-level permissions (contents: read, id-token: write).
Environment Setup: .github/workflows/publish.yml | Job runs on ubuntu-latest and sets up Node.js 22 configured for the npm registry.
Dependency / Build Steps: .github/workflows/publish.yml | Runs yarn install --frozen-lockfile, yarn start test, and yarn start build.
Publish Action: .github/workflows/publish.yml | Runs npm publish --provenance, conditionally appending --tag next when github.event.release.prerelease is truthy, with NODE_AUTH_TOKEN from secrets.NPM_TOKEN.

Sequence Diagram(s)

sequenceDiagram
  participant Release as GitHub Release
  participant Actions as GitHub Actions
  participant Runner as Actions Runner
  participant NPM as npm Registry

  Release->>Actions: release.published event
  Actions->>Runner: start "publish" job
  Runner->>Runner: checkout repo
  Runner->>Runner: setup Node.js 22 & npm registry
  Runner->>Runner: yarn install --frozen-lockfile
  Runner->>Runner: yarn start test
  Runner->>Runner: yarn start build
  Runner->>NPM: npm publish (auth via NODE_AUTH_TOKEN, optional --tag next)
  NPM-->>Runner: publish response

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐰 I hop at the release, tail all a-flutter,

I run tests and build with a whirl and a mutter,
Yarn neat, node set, token snug in my paw,
Publish takes flight — carrots and packages soar! 🥕📦

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title clearly and concisely describes the main change: adding a GitHub Actions workflow for npm publishing triggered by GitHub releases.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yml:
- Around line 13-17: Replace the mutable action tags actions/checkout@v4 and
actions/setup-node@v4 with their corresponding full immutable commit SHAs:
locate the workflow steps using the identifiers "uses: actions/checkout@v4" and
"uses: actions/setup-node@v4" and update each "uses" value to the specific full
Git commit SHA for that action (e.g., actions/checkout@<full-sha> and
actions/setup-node@<full-sha>) so the publish workflow pins to immutable
versions; fetch the correct SHAs from the official GitHub Actions
repositories/releases and replace the tags accordingly.
- Around line 8-10: The publish job currently has no explicit GITHUB_TOKEN
permissions; update the publish job (the job named "publish") to add a
permissions block that scopes the GitHub token to only contents: read so
actions/checkout@v4 works but broader repo permissions are not granted.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 8dd09004-1e14-4270-a3c4-1140380e15a3

📥 Commits

Reviewing files that changed from the base of the PR and between 890df94 and 5bc6200.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml

Comment thread .github/workflows/publish.yml
Comment thread .github/workflows/publish.yml Outdated
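
As an added example (not part of the PR or of CodeRabbit's output), the two review findings above, mutable `@v4` action tags and a job with no explicit `permissions` block, can be checked mechanically. The function name, the sample workflow and the 2-space indentation are assumptions.

```javascript
// Added example: flags the two findings from the review above in a workflow file.
// Assumes 2-space YAML indentation; auditWorkflow and SAMPLE are hypothetical names.
const SHA_PIN = /^[0-9a-f]{40}$/; // a full commit SHA is the only immutable ref

function auditWorkflow(text) {
  const findings = [];
  const jobs = [];
  let topLevelPerms = false, inJobs = false, job = null;
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.replace(/(^|\s)#.*$/, ""); // drop YAML comments
    const key = line.trim();
    if (!key) return;
    const indent = line.length - line.trimStart().length;
    if (indent === 0) {
      inJobs = key === "jobs:";
      job = null;
      if (key.startsWith("permissions:")) topLevelPerms = true;
    } else if (inJobs && indent === 2 && /^[\w-]+:$/.test(key)) {
      job = { name: key.slice(0, -1), perms: false };
      jobs.push(job);
    } else if (job && indent === 4 && key.startsWith("permissions:")) {
      job.perms = true;
    }
    const m = key.match(/^(?:- )?uses:\s*([^\s@]+)@(\S+)/);
    if (m && !SHA_PIN.test(m[2])) {
      findings.push({ rule: "unpinned-action", line: i + 1, detail: `${m[1]}@${m[2]}` });
    }
  });
  // Without a permissions block, GITHUB_TOKEN gets the repository's default scopes.
  for (const j of jobs) {
    if (!topLevelPerms && !j.perms) {
      findings.push({ rule: "no-permissions", line: null, detail: j.name });
    }
  }
  return findings;
}

// Constructed sample resembling the workflow described in this PR, not the project's file.
const SAMPLE = [
  "on:", "  release:",
  "    types: [published]", "jobs:",
  "  publish:", "    runs-on: ubuntu-latest",
  "    steps:", "      - uses: actions/checkout@v4",
  "      - uses: actions/setup-node@v4", "      - run: npm publish --provenance",
  "        env:", "          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}",
].join("\n");

console.log(auditWorkflow(SAMPLE));
```

A workflow-level `permissions` block satisfies the second check for every job, which matches the workflow-level permissions described in the walkthrough.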
@erikras-richard-agent erikras-richard-agent force-pushed the ci/add-npm-publish-workflow branch from 5bc6200 to 8678c41 Compare May 5, 2026 07:05
coderabbitai Bot previously approved these changes May 5, 2026

erikras-dinesh-agent left a comment

LGTM

codecov Bot commented May 5, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.18%. Comparing base (f25a24e) to head (0f8979a).
⚠️ Report is 13 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1086      +/-   ##
==========================================
- Coverage   98.60%   94.18%   -4.42%     
==========================================
  Files          18       18              
  Lines         359      413      +54     
  Branches      105      132      +27     
==========================================
+ Hits          354      389      +35     
- Misses          5       24      +19     


@erikras erikras merged commit eba34f5 into main May 5, 2026
5 of 6 checks passed
@erikras erikras deleted the ci/add-npm-publish-workflow branch May 5, 2026 07:23