🦋 Changeset detected. Latest commit: 867c329. The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages.
Walkthrough: Dependency cleanup across the monorepo, reclassifying runtime dependencies as development-only in three packages, removing unused dependencies entirely, and updating the GitHub Actions release workflow to use NPM provenance instead of token-based authentication for publishing.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/release.yml:
- Around line 53-56: Change the publish step so it invokes npm directly to
enable npm OIDC Trusted Publishing: replace the current `publish: pnpm -r
publish --provenance` with using `pnpm -r exec npm publish` (remove the
`--provenance` flag since npm will generate provenance under OIDC), keep the
environment variables (`GITHUB_TOKEN`, `NPM_CONFIG_PROVENANCE`) as needed, and
ensure every package in the monorepo has a corresponding npm Trusted Publisher
configured for this GitHub repo (per-package Trusted Publisher settings on npm)
so the `exec npm publish` OIDC flow will succeed.
In `@packages/browser-consumer/package.json`:
- Around line 42-45: The package manifest lists runtime libs under
devDependencies; move "idb" and "js-untar" from devDependencies into
dependencies in packages/browser-consumer/package.json so they are installed for
consumers — these are required at runtime (openDB from idb in
packages/browser-consumer/src/indexeddb-utils.ts and the dynamic import usage in
packages/browser-consumer/src/browser-config-storage.ts). Ensure the versions
remain "^8.0.0" and "^2.0.0" respectively and remove them from devDependencies
to avoid breakage outside the monorepo.
📒 Files selected for processing (5):
- .changeset/tender-pants-dress.md
- .github/workflows/release.yml
- packages/browser-consumer/package.json
- packages/cli/package.json
- packages/utils/package.json
.github/workflows/release.yml (outdated)
| publish: pnpm -r publish --provenance | ||
| env: | ||
| GITHUB_TOKEN: ${{ secrets.CHANGESETS_GH_TOKEN }} | ||
| NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| NPM_CONFIG_PROVENANCE: true |
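Review bot: the `env` block here still hands the job a long-lived `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` while also setting `NPM_CONFIG_PROVENANCE: true`; since the walkthrough says this workflow is meant to replace token-based authentication with provenance-based publishing, drop the `NPM_TOKEN` line so the static credential is no longer exposed to the runner, and confirm the job grants `id-token: write`. Otherwise the token remains the credential that actually authorizes the publish, and the provenance settings add nothing to that.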
🧩 Analysis chain

🌐 Web query: For npm Trusted Publishing with GitHub Actions OIDC, is `pnpm -r publish --provenance` sufficient without `NODE_AUTH_TOKEN`, and what npm package/repository linkage is required?

💡 Result:

- No: `pnpm -r publish --provenance` is not "sufficient" for npm Trusted Publishing (GitHub Actions OIDC) unless it ultimately runs `npm publish`. npm's docs explicitly note that trusted publishing (OIDC auth) applies to the `npm publish` operation, and provenance is generated automatically when publishing via trusted publishing (so `--provenance` is unnecessary in that case). You also do not need `NODE_AUTH_TOKEN` for the publish step when OIDC trusted publishing is being used. [1]
  - You may still need `NODE_AUTH_TOKEN` as a read-only token to install private dependencies during the workflow (OIDC doesn't cover `npm install`/`npm ci`). [1]
- Required npm↔GitHub linkage (per package):
  - Configure a Trusted Publisher for the package that matches the GitHub repo and workflow file name (and optionally a GitHub "environment"). You can do this in the npm UI or with: `npm trust github [package] --file <workflow.yml> --repository <owner/repo> [--environment <env>]` [2]
  - Ensure the package's `package.json` has a `repository.url` that exactly matches the GitHub repository you're publishing from (npm uses this for validation/matching and warns that mismatches will fail at publish time). [1]

Practical upshot: keep using pnpm for build/test, but for the publish step in a monorepo run something like `pnpm -r exec npm publish` (or `npm publish` in each package) so OIDC trusted publishing actually applies. [1]
Sources:
[1] npm Docs – Trusted publishing for npm packages: https://docs.npmjs.com/trusted-publishers/
[2] npm Docs – npm trust command (npm trust github ... flags): https://docs.npmjs.com/cli/v11/commands/npm-trust/
Publish command bypasses npm Trusted Publishing; reconfigure for OIDC linkage.
The pnpm -r publish command doesn't invoke npm publish directly, so npm's OIDC trusted publishing won't be triggered. For OIDC to work, change to pnpm -r exec npm publish. Additionally, --provenance is redundant—npm auto-generates provenance when OIDC trusted publishing is active.
Critical: Each package must have a Trusted Publisher configured in npm (matching this GitHub repo and workflow file). Without per-package npm Trusted Publisher linkage, publish will fail regardless of id-token: write permission or environment variables. Confirm all packages have this configured at https://npmjs.com/settings/[scope]/teams/developers/tokens (or package-specific settings).
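As an added illustration (not the repository's own release.yml), here are the two shapes of the publish step discussed in this comment side by side: the token-based form with `pnpm -r publish --provenance`, and the OIDC trusted-publishing form with `pnpm -r exec npm publish` and no npm secret in the job. Job names, the Node version, the action versions and the `npm install -g npm@latest` step are assumptions; the secret names and env keys are those shown on this page.

```yaml
# Added example, not the repository's release.yml. Job names, Node version and
# action versions are assumptions; the secret names come from the PR.
jobs:
  # BEFORE: a long-lived NPM_TOKEN is the real credential. --provenance only
  # attaches an attestation; whoever holds the token can publish from anywhere.
  release-token:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: pnpm install --frozen-lockfile
      - uses: changesets/action@v1
        with:
          publish: pnpm -r publish --provenance
        env:
          GITHUB_TOKEN: ${{ secrets.CHANGESETS_GH_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: true

  # AFTER: OIDC trusted publishing. The job holds no npm secret; npm exchanges
  # a short-lived GitHub OIDC token for publish rights, which the registry
  # grants only if a Trusted Publisher for this repo + workflow file exists
  # for every package being published.
  release-oidc:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # checkout only; the version PR is created with the PAT below
      id-token: write  # required so npm can request the OIDC token from GitHub
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      # Assumption: trusted publishing needs a recent npm CLI, so upgrade it first.
      - run: npm install -g npm@latest
      - run: pnpm install --frozen-lockfile
      # Assumption: a changesets/action release that can publish without NPM_TOKEN.
      - uses: changesets/action@v1
        with:
          # npm publish itself must run in each package so OIDC auth applies;
          # provenance is generated automatically, hence no --provenance flag.
          publish: pnpm -r exec npm publish
        env:
          GITHUB_TOKEN: ${{ secrets.CHANGESETS_GH_TOKEN }}
          # No NPM_TOKEN and no NPM_CONFIG_PROVENANCE: nothing static to leak.
```

Both jobs are shown under one `jobs:` key only for comparison; a real workflow keeps one of them. If the registry rejects the OIDC publish, the first things to check are the per-package Trusted Publisher entry and that `repository.url` in each package.json matches this repo.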
| "@repo/types": "workspace:*", | ||
| "@repo/utils": "workspace:*", | ||
| "idb": "^8.0.0", | ||
| "js-untar": "^2.0.0", |
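Review bot: this region lists `@repo/utils` as `workspace:*` under devDependencies on its second line, but the runtime-import check run for this comment (the `rg` pattern below) only matches `idb`, `js-untar` and `@repo/types`; confirm `@repo/utils` is imported type-only or bundled into the build before merging, since a `workspace:*` package under devDependencies is not installed for consumers any more than `idb` is.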
🧩 Analysis chain

🏁 Script executed (repository: calycode/xano-tools):

#!/bin/bash
# Verify runtime imports for moved deps in browser-consumer source
rg -nP --type ts "(from\s+['\"](idb|js-untar|@repo/types)['\"]|require\(['\"](idb|js-untar|@repo/types)['\"]\))" packages/browser-consumer/src

Length of output: 450

🏁 Script executed (repository: calycode/xano-tools):

# Check the actual package.json structure for browser-consumer
head -60 packages/browser-consumer/package.json | tail -30

Length of output: 1144

🏁 Script executed (repository: calycode/xano-tools):

# Search for js-untar imports more broadly, including dynamic requires and indirect usage
rg "js-untar" packages/browser-consumer/

Length of output: 450
Move runtime dependencies idb and js-untar from devDependencies to dependencies.
Both are imported at runtime:
- packages/browser-consumer/src/indexeddb-utils.ts:1 imports openDB from idb
- packages/browser-consumer/src/browser-config-storage.ts dynamically imports from js-untar
Keeping them as dev-only dependencies will break consumers when this package is installed outside the monorepo. (@repo/types is correctly placed in devDependencies since it uses type-only imports.)
Proposed manifest fix
+ "dependencies": {
+ "idb": "^8.0.0",
+ "js-untar": "^2.0.0"
+ },
"devDependencies": {
"@repo/types": "workspace:*",
"@repo/utils": "workspace:*",
- "idb": "^8.0.0",
- "js-untar": "^2.0.0",
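Review bot: the suggested hunk leaves `"@repo/utils": "workspace:*",` as the last visible devDependencies line with a trailing comma; the removed `"js-untar": "^2.0.0",` line also ended with a comma, so further entries presumably follow in the real file, but verify the committed result parses as JSON before applying this as a suggestion, and keep the moved versions at `"^8.0.0"` and `"^2.0.0"` exactly as shown so the lockfile does not change.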