feat: add npm publish job to release workflow #145

Merged: qianzhicheng95 merged 2 commits into main from feat/npm_workflow on Mar 31, 2026

Conversation

qianzhicheng95 (Collaborator) commented Mar 31, 2026

Summary

  • Add publish-npm job to the release workflow that runs after goreleaser completes
  • On tag push (v*), automatically publishes the package to npm registry
  • Uses Node.js 20, actions/setup-node@v4, and authenticates via NPM_TOKEN secret

Prerequisites

  • Configure NPM_TOKEN secret in repo Settings > Secrets and variables > Actions

Test plan

  • Push a v* tag and verify the publish-npm job runs after goreleaser succeeds
  • Confirm the package is published to npm with --access public

Summary by CodeRabbit

  • Chores
    • Automated npm publishing added to the release workflow so packages are published automatically after a release.
  • Releases
    • Package version updated from 1.0.0 to 1.0.1 to reflect the new release.

Change-Id: Ibfae2af6bd2aabf09936c96d21964af98b77c127
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
CLAassistant commented Mar 31, 2026

CLA assistant check
All committers have signed the CLA.

coderabbitai Bot commented Mar 31, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 5d76a5b5-a2ed-4e1b-bea9-49e8dfda4dcc

📥 Commits

Reviewing files that changed from the base of the PR and between 86b6e2a and 46d4ab5.

📒 Files selected for processing (1)
  • package.json
✅ Files skipped from review due to trivial changes (1)
  • package.json

📝 Walkthrough

Added a new GitHub Actions job that runs after goreleaser to publish the package to npm using Node.js 20 and NODE_AUTH_TOKEN for authentication; package version bumped from 1.0.0 to 1.0.1.

Changes

Cohort / File(s): Summary
GitHub Actions Release Workflow (.github/workflows/release.yml): Added publish-npm job that needs: goreleaser, checks out the repo, sets up Node.js 20, configures npm auth from secrets.NPM_TOKEN, and runs npm publish --access public.
Package Metadata (package.json): Bumped package version from 1.0.0 to 1.0.1. No other changes.

Sequence Diagram(s)

sequenceDiagram
  participant Workflow as GitHub Actions (workflow)
  participant Repo as Repository
  participant Node as Node.js Runner
  participant Npm as npm Registry

  Workflow->>Repo: checkout code
  Workflow->>Node: setup Node.js 20
  Workflow->>Node: configure npm auth (NODE_AUTH_TOKEN)
  Node->>Npm: npm publish --access public
  Npm-->>Workflow: publish result (success/failure)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

🐇 I hopped through CI and found a door,
Now packages fly from branch to shore,
A tiny token, a Node set right,
I push the publish button with delight,
Hooray — the npm stars shine bright!

🚥 Pre-merge checks: ✅ 3 passed
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: ✅ Passed. The title accurately summarizes the main change: adding an npm publish job to the release workflow, which is the primary modification in .github/workflows/release.yml.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


greptile-apps Bot commented Mar 31, 2026

Greptile Summary

This PR adds a publish-npm job to the release workflow that runs after goreleaser completes, automating publication of the @larksuite/cli wrapper package to npm on every v* tag push. The job structure, pinned action SHAs, and NODE_AUTH_TOKEN wiring are all correct — however, there is one critical blocking issue before this is merge-ready.

Key issue found:

  • Missing version-bump step (P0): package.json hardcodes "version": "1.0.0". The workflow never updates this to match the pushed tag before calling npm publish. This has two immediate consequences:

    • The first publish succeeds, but every subsequent release tag (e.g. v1.1.0) will fail with npm's duplicate-version error.
    • scripts/install.js constructs the GitHub release download URL directly from package.json's version field. Any user who installs the npm package will always try to download the v1.0.0 binary, regardless of the actual release — resulting in a 404 or wrong binary for every release after the first.

    A single step — npm version ${{ github.ref_name }} --no-git-tag-version — inserted before npm publish is required to fix this.

Confidence Score: 2/5

Not safe to merge — the missing version-bump step will break all npm publishes after the first tag and silently break binary downloads for end users.

The PR has a single critical logic error that directly breaks the primary user path: every release after the first will fail to publish, and the published package will always download the wrong (or non-existent) binary. One targeted fix resolves the issue entirely, but it must be in place before merging.

.github/workflows/release.yml — needs a npm version ${{ github.ref_name }} --no-git-tag-version step before npm publish.

Important Files Changed

.github/workflows/release.yml: Adds a publish-npm job after goreleaser, but is missing a critical version-bump step — the hardcoded "version": "1.0.0" in package.json will cause all releases after the first to fail, and will break binary downloads for end users.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub (tag push)
    participant GR as goreleaser job
    participant NP as publish-npm job
    participant NPM as npmjs.org
    participant User as End User (npm install)
    participant GHR as GitHub Releases

    GH->>GR: trigger on v* tag
    GR->>GHR: upload Go binaries (e.g. v1.2.3)
    GR-->>NP: job succeeds (needs: goreleaser)
    NP->>NP: checkout + setup-node
    Note over NP: Missing: npm version $tag, package.json still says 1.0.0
    NP->>NPM: npm publish --access public (version=1.0.0)
    NPM-->>NP: first publish OK / subsequent publishes FAIL

    User->>NPM: npm install @larksuite/cli
    NPM-->>User: package with version=1.0.0
    User->>User: runs scripts/install.js
    Note over User: VERSION = require(package.json).version = 1.0.0
    User->>GHR: download binary for v1.0.0 (wrong tag)
    GHR-->>User: 404 if v1.0.0 release does not exist for new tag

Reviews (1): Last reviewed commit: "feat: add npm publish job to release wor..."

Comment thread .github/workflows/release.yml

coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

49-51: Adopt OIDC trusted publishing instead of long-lived NPM_TOKEN for enhanced security.

OIDC trusted publishing eliminates long-lived tokens and uses short-lived credentials automatically. To migrate:

  1. Configure trusted publisher on npmjs.com under your package's access settings (owner, repository, workflow filename, optional environment).
  2. Update the workflow to set permissions: id-token: write (required for OIDC token generation) and contents: read.
  3. Remove the NODE_AUTH_TOKEN env var and NPM_TOKEN secret; npm CLI will detect OIDC automatically.
  4. Ensure Node 22.14.0+ and npm CLI 11.5.1+.
  5. Optionally add --provenance flag or set "provenance": true in package.json for supply-chain attestation (automatically enabled with OIDC in recent npm versions).

Use GitHub-hosted runners (self-hosted not supported). This approach is now the recommended standard for publishing from GitHub Actions.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 49 - 51, Replace the long-lived
NPM_TOKEN pattern used via env: NODE_AUTH_TOKEN and the npm publish step with
OIDC trusted publishing: update the workflow to add permissions: id-token: write
and contents: read, remove the env: NODE_AUTH_TOKEN and any use of the NPM_TOKEN
secret, and leave the run: npm publish --access public step (npm CLI will pick
up OIDC automatically); also ensure runner/node/npm compatibility (Node
>=22.14.0 and npm >=11.5.1) and optionally add the --provenance flag or set
"provenance": true in package.json for attestation.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/release.yml:
- Around line 48-51: The publish step fails because package.json is not updated
to the release tag and scripts/install.js reads package.json for the binary URL;
add a pre-publish "version sync" step before the npm publish run that extracts
the release tag (github.ref or GITHUB_REF_NAME) and updates package.json's
"version" field to that tag (or tag without leading "v") so the published
package and postinstall binary URL match the release; implement this as a
workflow step that modifies package.json in-place (or via npm version
--no-git-tag-version) and verifies the change before running the existing "npm
publish --access public" step.


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0cc6ccea-1e14-447e-be72-1ec8bc679602

📥 Commits

Reviewing files that changed from the base of the PR and between c8341bb and 86b6e2a.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
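Worked example that combines the two review findings above, Greptile's missing version-bump step and CodeRabbit's OIDC trusted publishing nitpick, in one publish-npm job. This is an added illustration, not the PR's own release.yml: the action version tags (the real workflow pins SHAs), Node 22, the npm upgrade step, the verification step and the pre-configured trusted publisher on npmjs.com are all assumptions.

```yaml
# Added example (not the PR's own release.yml): the publish-npm job with the
# version sync Greptile asked for and the OIDC trusted publishing CodeRabbit
# suggested. Assumes tags look like v1.2.3, that a trusted publisher for this
# repository and workflow file is configured on npmjs.com, and that the
# existing goreleaser job lives in the same workflow file.
on:
  push:
    tags: ['v*']

jobs:
  publish-npm:
    needs: goreleaser             # the repository's existing goreleaser job
    runs-on: ubuntu-latest        # trusted publishing needs a GitHub-hosted runner
    permissions:
      id-token: write             # lets the job request a short-lived OIDC token
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'
      # trusted publishing needs npm >= 11.5.1; the npm bundled with Node 22 is older
      - run: npm install -g npm@latest
      # version sync: without this package.json stays at 1.0.0, the second tag
      # fails with a duplicate-version error, and scripts/install.js keeps
      # downloading the v1.0.0 binary (npm version accepts the leading "v")
      - run: npm version "${GITHUB_REF_NAME}" --no-git-tag-version
      # fail fast if package.json and the tag still disagree
      - run: |
          want="${GITHUB_REF_NAME#v}"
          have="$(node -p "require('./package.json').version")"
          [ "$want" = "$have" ] || { echo "version mismatch: tag $want, package.json $have"; exit 1; }
      # previously:  env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # now no long-lived token at all: npm detects the OIDC credential itself, and
      # --provenance publishes a signed attestation tying the tarball to this run
      - run: npm publish --access public --provenance
```

If the trusted publisher is not yet configured on npmjs.com, the publish step fails closed rather than falling back to a token, which is the intended behaviour.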

Comment thread .github/workflows/release.yml

liangshuo-1 previously approved these changes Mar 31, 2026

qianzhicheng95 merged commit c35b1ae into main Mar 31, 2026

4 checks passed

qianzhicheng95 deleted the feat/npm_workflow branch March 31, 2026 10:55
tuxedomm pushed a commit that referenced this pull request Apr 3, 2026
* feat: add npm publish job to release workflow

Change-Id: Ibfae2af6bd2aabf09936c96d21964af98b77c127
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: bump package version to 1.0.1

Change-Id: Ifb58789be5621ab4979b5fe60e0e30042e07fea8
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>