@stwiname stwiname commented Dec 1, 2025

Description

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

Fixes # (issue)

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Checklist

  • I have tested locally
  • I have performed a self review of my changes
  • Updated any relevant documentation
  • Linked to any relevant issues
  • I have added tests relevant to my changes
  • Any dependent changes have been merged and published in downstream modules
  • My code is up to date with the base branch
  • I have updated relevant changelogs. We suggest using chan

Summary by CodeRabbit

  • Chores
    • Updated GitHub Actions and Node.js runtime versions across CI workflows.
    • Upgraded Yarn package manager from 3.2.4 to 4.12.0 and updated yarn config.
    • Removed NPM token usage from CI/publish steps.
    • Added a new consolidated publish workflow and removed legacy release/prerelease workflows.

coderabbitai bot commented Dec 1, 2025

Walkthrough

Removes npm-token inputs from local create-release/prerelease actions, upgrades GitHub Actions to v5 and Node.js to 22 across workflows, adds a new Publish workflow with release/prerelease gating, and upgrades Yarn from 3.2.4 to 4.12.0 with related .yarnrc.yml and package.json updates.

Changes

Local release action inputs
  Files: .github/actions/create-prerelease/action.yml, .github/actions/create-release/action.yml
  Summary: Removed npm-token input declarations and removed usage of the NPM_TOKEN environment variable in publish steps; publish command left unchanged.

New Publish workflow
  Files: .github/workflows/publish.yml
  Summary: Added Publish workflow with pre-ci (extracts commit message), release (runs for commits starting with [release]), and prerelease (runs for other commits); includes checkout, Node setup, install/build, and invokes local create-release/create-prerelease actions; conditional gating and concurrency defined.

Removed legacy workflows
  Files: .github/workflows/prerelease.yml, .github/workflows/release.yml
  Summary: Deleted previous prerelease.yml and release.yml workflows (their logic replaced by the new publish workflow).

Actions & Node version bumps
  Files: .github/workflows/gh-release.yml, .github/workflows/pr.yml, .github/workflows/query-docker.yml
  Summary: Bumped actions/checkout v4→v5, actions/setup-node v4→v5, and Node.js runtime 20→22; no other control-flow changes.

Yarn upgrade & config
  Files: .yarnrc.yml, package.json
  Summary: Upgraded Yarn from 3.2.4 → 4.12.0, updated yarnPath and added settings (compressionLevel: mixed, enableGlobalCache: false, nodeLinker: node-modules), removed deprecated plugins block; updated packageManager in package.json.

Sequence Diagram

sequenceDiagram
    participant Push as Dev push (main)
    participant PreCI as pre-ci job
    participant Gate as Commit-message gating
    participant Release as release job
    participant Prerelease as prerelease job
    participant LocalAction as ./.github/actions/* (create-release/prerelease)
    participant Git as Git (commit/push)

    Push->>PreCI: triggers workflow
    PreCI->>PreCI: extract commit message -> output
    PreCI->>Gate: provide commit-message output

    alt commit starts with [release]
        Gate->>Release: allow run
        Release->>Release: checkout, setup Node 22, npm update, install, build
        Release->>LocalAction: invoke create-release action
        LocalAction-->>Release: publish result
    else commit does not start with [release]
        Gate->>Prerelease: allow run
        Prerelease->>Prerelease: checkout (with token), setup Node 22, npm update, install, build
        Prerelease->>LocalAction: invoke create-prerelease action
        LocalAction-->>Prerelease: prerelease result
        Prerelease->>Git: commit changes with [SKIP CI] marker
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Pay attention to publish.yml gating logic and repository-scoped conditions.
  • Verify local action authentication after npm-token removal and that registry auth works in CI.
  • Confirm Yarn 4 config (nodeLinker node-modules, removed plugins, yarnPath) is compatible with CI steps and build tooling.
  • Validate upgrade of actions/setup-node and actions/checkout usage (v5) in workflow contexts.

Poem

🐇 I hopped through configs, yarn bumped up high,
No npm-token baggage, just a cleaner sky.
Actions five and Node twenty-two, a nimble, breezy cheer —
A rabbit's little release dance, skipping tokens from here! 🎉

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
  • Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: Passed. The title 'Support npm publishing via OIDC' directly aligns with the main changes: removing npm-token inputs and environment variables from GitHub Actions workflows while updating actions/Node.js versions across multiple files.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

github-actions bot commented Dec 1, 2025

Coverage report for .

Category       Percentage              Covered / Total
🟢 Statements  83.87% (+13.76% 🔼)     1846/2201
🟡 Branches    76.36% (-1.93% 🔻)      239/313
🟢 Functions   88% (+25.5% 🔼)         44/50
🟢 Lines       83.87% (+13.76% 🔼)     1846/2201

New covered files 🐣

File                                          Statements  Branches  Functions  Lines
🟢 ... / graphile.config.ts                   100%        12.5%     100%       100%
🟢 config/index.ts                            100%        100%      100%       100%
🟢 config/yargs.ts                            100%        100%      100%       100%
🔴 index.ts                                   0%          0%        0%         0%
🟢 ... / GetMetadataPlugin.ts                 95.74%      88.89%    100%       95.74%
🟡 ... / GetSubqueryMetadataPlugin.ts         78.98%      80%       80%        78.98%
🟢 ... / OffsetToSkipPlugin.ts                100%        100%      100%       100%
🟢 ... / PgIdToNodeIdPlugin.ts                92%         80%       100%       92%
🟢 ... / PgRowByVirtualIdPlugin.ts            91.44%      62.07%    100%       91.44%
🟢 ... / ArgFilterAttributesPlugin.ts         95.24%      92%       100%       95.24%
🟡 ... / ArgFilterBackwardRelationsPlugin.ts  68.22%      79.17%    80%        68.22%
🟢 ... / ArgFilterLogicalOperatorsPlugin.ts   85.71%      87.5%     100%       85.71%
🟡 ... / ArgFilterPlugin.ts                   79.39%      71.43%    100%       79.39%
🟢 ... / OrderByAttributesPlugin.ts           95.56%      77.14%    100%       95.56%
🔴 ... / interface.ts                         0%          0%        0%         0%
🟡 ... / utils.ts                             79.37%      62.79%    100%       79.37%
🟢 ... / PgBlockHeightPlugin.ts               91.56%      83.33%    83.33%     91.56%
🟢 ... / index.ts                             100%        100%      100%       100%
🟡 ... / utils.ts                             61.11%      100%      50%        61.11%
🟢 ... / smartTagsPlugin.ts                   100%        100%      100%       100%
🟡 server.ts                                  75.93%      66.67%    100%       75.93%

Test suite run success

26 tests passing in 1 suite.

Report generated by 🧪jest coverage report action from 3c961d0

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c24fb26 and 1158466.

⛔ Files ignored due to path filters (7)
  • .yarn/plugins/@yarnpkg/plugin-interactive-tools.cjs is excluded by !**/.yarn/**
  • .yarn/plugins/@yarnpkg/plugin-typescript.cjs is excluded by !**/.yarn/**
  • .yarn/plugins/@yarnpkg/plugin-version.cjs is excluded by !**/.yarn/**
  • .yarn/plugins/@yarnpkg/plugin-workspace-tools.cjs is excluded by !**/.yarn/**
  • .yarn/releases/yarn-3.2.4.cjs is excluded by !**/.yarn/**
  • .yarn/releases/yarn-4.12.0.cjs is excluded by !**/.yarn/**
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (8)
  • .github/actions/create-prerelease/action.yml (2 hunks)
  • .github/actions/create-release/action.yml (0 hunks)
  • .github/workflows/gh-release.yml (1 hunks)
  • .github/workflows/pr.yml (2 hunks)
  • .github/workflows/publish.yml (1 hunks)
  • .github/workflows/query-docker.yml (3 hunks)
  • .yarnrc.yml (2 hunks)
  • package.json (1 hunks)
💤 Files with no reviewable changes (1)
  • .github/actions/create-release/action.yml
🧰 Additional context used
🪛 actionlint (1.7.9)
.github/workflows/publish.yml

30-30: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details

(expression)


74-74: unexpected EOF while lexing expression

(expression)


108-108: input "npm-token" is not defined in action "Remove Stable Versions" defined at "./.github/actions/create-prerelease". available inputs are "package-path"

(action)

🔇 Additional comments (6)
.github/workflows/query-docker.yml (1)

19-19: GitHub Actions version upgrade is consistent.

The upgrade from actions/checkout@v4 to actions/checkout@v5 across the workflow is aligned with repository-wide GH Actions modernization and introduces no functional changes.

Also applies to: 43-43

package.json (1)

70-70: Yarn version lock is consistent with repository updates.

The packageManager field correctly reflects the Yarn 4.12.0 upgrade coordinated across the PR's configuration files and workflow changes.

.github/workflows/gh-release.yml (1)

11-11: GitHub Actions and Node.js versions are updated consistently.

Upgrades to actions/checkout@v5, actions/setup-node@v5, and Node.js 22 align with repository-wide tooling modernization. No functional changes detected.

Also applies to: 16-16, 18-18

.github/workflows/pr.yml (1)

11-11: Version upgrades are applied consistently across all jobs.

Checkout v4→v5, setup-node v4→v5, and Node.js 20→22 are uniformly applied throughout the PR workflow. No functional changes.

Also applies to: 13-13, 15-15, 46-46, 52-52, 54-54

.github/workflows/publish.yml (1)

1-16: Permissions and concurrency configuration is appropriate.

Lines 9–15 correctly set up OIDC permissions (id-token: write) and concurrency controls to prevent race conditions during publish workflows. This is well-configured for the intended OIDC publish flow.

.yarnrc.yml (1)

15-15: Clarify token configuration: OIDC for publish ≠ OIDC for installs.

Line 15 configures npmAuthToken for dependency installs, which still requires a static token. GitHub OIDC trusted publishing handles automated publish operations via npm CLI, not install-time authentication. If the PR adopts OIDC for publish workflows, the npmAuthToken setting and NPM_TOKEN environment variable remain necessary for install steps (or can be removed only if no private dependencies exist). Confirm whether NPM_TOKEN is still provided to the CI runner or if this codebase has no private dependencies requiring authentication.

Comment on lines +30 to +38
run: |
if [ -n "${{ github.event.head_commit.message }}" ]
then
commit_msg="${{ github.event.head_commit.message }}"
echo "commit-message=${commit_msg}" | head -n 1 >> "$GITHUB_OUTPUT"
else
commit_message=$(git log -1 --pretty=%B | head -n 1)
echo "commit-message=$commit_message" >> "$GITHUB_OUTPUT"
fi
⚠️ Potential issue | 🟠 Major

Mitigate script injection risk by isolating untrusted input.

Lines 30–38 use github.event.head_commit.message directly in a script expression, which is flagged by actionlint as a potential injection vector. Pass untrusted data through environment variables to isolate it from expression parsing.

Apply this fix:

  - id: get_commit_message
+   env:
+     HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
    run: |
-     if [ -n "${{ github.event.head_commit.message }}" ]
+     if [ -n "$HEAD_COMMIT_MESSAGE" ]
      then
-       commit_msg="${{ github.event.head_commit.message }}"
+       commit_msg="$HEAD_COMMIT_MESSAGE"
        echo "commit-message=${commit_msg}" | head -n 1 >> "$GITHUB_OUTPUT"
      else
        commit_message=$(git log -1 --pretty=%B | head -n 1)
        echo "commit-message=$commit_message" >> "$GITHUB_OUTPUT"
      fi
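Review bot: keep the `| head -n 1` on both branches when applying this; it is what limits what reaches $GITHUB_OUTPUT to a single `commit-message=...` line, so a multi-line message cannot append a second name=value pair to the outputs file. The two branches also use different variable names (`commit_msg` in the then branch, `commit_message` in the else branch); pick one so the step reads as one piece of logic.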

Reference: https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable

🤖 Prompt for AI Agents
In .github/workflows/publish.yml around lines 30-38, the workflow reads
github.event.head_commit.message directly in a shell expression (actionlint
flagged injection risk); change to first write that value into an environment
variable via the recommended GITHUB_ENV heredoc and then reference the env var
in the script. Concretely: set COMMIT_MSG into GITHUB_ENV using the heredoc
pattern (echo "COMMIT_MSG<<EOF" >> $GITHUB_ENV; echo "${{
github.event.head_commit.message }}" >> $GITHUB_ENV; echo "EOF" >> $GITHUB_ENV),
then in the run block check if [ -n "$COMMIT_MSG" ] to use it, otherwise fall
back to git log -1 --pretty=%B | head -n 1 and write the chosen value to
$GITHUB_OUTPUT as before.
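The env-var isolation recommended in the comment above, as an added example that is not code from the PR or from CodeRabbit. It models the pre-ci step after the fix and the three-way gate the release and prerelease jobs apply to its output, and runs it over constructed commit messages, including one with quotes, a semicolon and `$(...)` and one spanning two lines. Assumed names: `HEAD_COMMIT_MESSAGE` (taken from the suggestion) and an outputs file passed as an argument in place of `$GITHUB_OUTPUT`; the `git log` fallback is kept but needs a checkout, so the constructed inputs never reach it.

```shell
#!/bin/sh
# Added example (not the PR's or CodeRabbit's code): models the pre-ci step
# after the env-var fix and the release/prerelease gate that consumes it.
# Assumed names: HEAD_COMMIT_MESSAGE (from the suggestion) and an outputs
# file passed as $1 in place of $GITHUB_OUTPUT.
set -eu

# Append "commit-message=<first line>" to the outputs file. The message is
# read from the environment, never pasted into the script text, so quotes,
# semicolons and $(...) inside it are ordinary characters to the shell.
write_commit_message_output() {
  out_file="$1"
  msg="${HEAD_COMMIT_MESSAGE:-}"
  if [ -z "$msg" ]; then
    # Workflow's fallback branch; needs a checkout, so the test never hits it.
    msg="$(git log -1 --pretty=%B)"
  fi
  # head -n 1 keeps exactly one line: a multi-line message cannot add a
  # second name=value pair to the outputs file.
  printf 'commit-message=%s\n' "$msg" | head -n 1 >> "$out_file"
}

# The workflow's three-way gate on the first line:
# "[SKIP CI]" -> skip, "[release]" -> release, anything else -> prerelease.
# (GitHub's startsWith ignores case; this mirror matches the exact spelling
# the workflow uses.)
gate_for_message() {
  case "$1" in
    "[SKIP CI]"*) echo skip ;;
    "[release]"*) echo release ;;
    *)            echo prerelease ;;
  esac
}

# Run the extraction on a constructed message and echo what
# needs.pre-ci.outputs.commit-message would carry. Fails if the outputs
# file ended up with more than one line.
extracted_commit_message() {
  tmp="$(mktemp)"
  HEAD_COMMIT_MESSAGE="$1"
  export HEAD_COMMIT_MESSAGE
  write_commit_message_output "$tmp"
  lines="$(wc -l < "$tmp" | tr -d ' ')"
  value="$(sed -n '1s/^commit-message=//p' "$tmp")"
  rm -f "$tmp"
  [ "$lines" -eq 1 ] || { echo "outputs file has $lines lines, expected 1" >&2; return 1; }
  printf '%s\n' "$value"
}

# Gate decision for a constructed message.
decide() {
  gate_for_message "$(extracted_commit_message "$1")"
}

# Demo over constructed messages (set RUN_DEMO=1 to run stand-alone).
if [ "${RUN_DEMO:-0}" = 1 ]; then
  for m in '[release] v1.2.3' 'fix: typo' '[SKIP CI] Prerelease' \
           'chore: "quoted"; $(whoami) && echo x'; do
    printf '%-40s -> %s\n' "$m" "$(decide "$m")"
  done
fi
```

The point of the test inputs is that the value comes back byte-for-byte as it went in: with the env-var pattern the shell never parses the message, it only copies it, and the outputs file still holds exactly one line.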

Comment on lines 44 to 74
release:
name: Release Publish
needs: [pre-ci]
if: >
!startsWith(github.event.head_commit.message, '[SKIP CI]')
&& startsWith(github.event.head_commit.message, '[release]')
&& github.repository == 'subquery/query-subgraph'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0

- name: Setup Node.js environment
uses: actions/setup-node@v5
with:
node-version: lts/*

- name: Update npm
run: npm install -g npm@latest

- run: yarn

- name: build
run: yarn build

- name: Publish subgraph-query
uses: ./.github/actions/create-release
with:
package-path: .
repo-token: ${{ secrets.REPO_TOKEN
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

npm registry OIDC authentication automatic discovery Yarn 4.12.0

💡 Result:

Short answer: Yarn 4.12.0 does not perform automatic OIDC discovery/authentication against the npm registry. npm's OIDC "trusted publishing" flow (OIDC token exchanged for an npm publish token) is implemented on the npm/GitHub‑Actions/GitLab side and is intended for publish operations from CI using the npm CLI; Yarn's docs expose npm registry configuration and token auth (npmRegistries / npmAuthToken) but do not describe an automatic OIDC discovery/auth flow. [1][2]

Sources:

  • npm/GitHub announcement: npm trusted publishing with OIDC (general availability; OIDC used for publishing from CI and automatic provenance). [1]
  • Yarn configuration docs / yarnrc options showing npmRegistries and npmAuthToken (no OIDC discovery/auth described). [2]

If you want, I can:

  • show how to publish from GitHub Actions using npm OIDC trusted publishing, or
  • show a Yarn-friendly workaround (use npm in your CI publish step or exchange an OIDC token for an npm token and set npmAuthToken/npmRegistries for Yarn).

🏁 Scripts executed (repository: subquery/query-subgraph):

# Search for the create-release action definition
find .github/actions -type f -name "*.yml" -o -name "*.yaml"

# Search for .yarnrc.yml configuration
find . -name ".yarnrc.yml" -o -name ".yarnrc"

cat -n .github/actions/create-release/action.yml
cat -n .yarnrc.yml
cat -n .github/actions/create-prerelease/action.yml
cat -n .github/workflows/publish.yml

OIDC integration is incomplete—Yarn cannot auto-discover OIDC tokens, and the release job has no authentication configured.

The review's three concerns are either incorrect or incomplete:

  1. Automatic OIDC discovery: Yarn 4.12.0 does not automatically discover or use GitHub Actions OIDC tokens. npm's OIDC trusted publishing is designed for the npm CLI only, not Yarn. Yarn requires either an explicit npm token or an environment variable like NPM_TOKEN.

  2. .yarnrc.yml configuration: The setting npmAuthToken: "${NPM_TOKEN:-}" does not handle OIDC—it only reads the NPM_TOKEN environment variable. Since the release job does not set NPM_TOKEN, the token defaults to an empty string, and yarn npm publish will fail without credentials.

  3. create-release action inconsistency: The create-release action no longer accepts npm-token input, but the create-prerelease action still does (line 108 of publish.yml). The release job must either:

    • Pass npm-token to create-release (like create-prerelease does), or
    • Exchange the OIDC token for an npm token and set it as the NPM_TOKEN environment variable before invoking the action.

Without one of these approaches, yarn npm publish in the release job will fail due to missing credentials.

🤖 Prompt for AI Agents
.github/workflows/publish.yml lines 44-74: the release job has no npm
credentials and relies on Yarn to auto-discover OIDC (which it does not), so
yarn npm publish will fail; fix by ensuring an npm token is provided before
publishing — either (A) set NPM_TOKEN in the job environment (e.g. NPM_TOKEN:
${{ secrets.NPM_TOKEN }}) or exchange the Actions OIDC token for an npm token
and export it as NPM_TOKEN in a step prior to running yarn/npm publish, and also
update the create-release action invocation to pass the npm-token input if that
action still accepts it (or remove any stale npm-token usage for consistency
with create-prerelease); place the token-export step before the build/publish
steps and ensure .yarnrc.yml reads npmAuthToken from that NPM_TOKEN.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

♻️ Duplicate comments (3)
.github/workflows/publish.yml (3)

29-38: Mitigate script injection risk by isolating untrusted input.

Lines 30–38 use github.event.head_commit.message directly in a shell expression, which is vulnerable to script injection. Treat all github.event.* fields as untrusted and pass them through environment variables to prevent shell metacharacters from breaking out of quotes or injecting commands.

Apply this diff:

  - id: get_commit_message
+   env:
+     HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
    run: |
-     if [ -n "${{ github.event.head_commit.message }}" ]
+     if [ -n "$HEAD_COMMIT_MESSAGE" ]
      then
-       commit_msg="${{ github.event.head_commit.message }}"
+       commit_msg="$HEAD_COMMIT_MESSAGE"
        echo "commit-message=${commit_msg}" | head -n 1 >> "$GITHUB_OUTPUT"
      else
        commit_message=$(git log -1 --pretty=%B | head -n 1)
        echo "commit-message=$commit_message" >> "$GITHUB_OUTPUT"
      fi

29-38: Mitigate script injection risk by isolating untrusted input.

Lines 30–38 use github.event.head_commit.message directly in a shell expression, creating a script injection vulnerability. Malicious characters in the commit message (e.g., "; arbitrary_command; #") can break out of the conditional and execute arbitrary shell code. Per GitHub Security Lab guidance, pass untrusted data through environment variables to isolate it from expression parsing.

Apply this diff:

  - id: get_commit_message
+   env:
+     HEAD_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
    run: |
-     if [ -n "${{ github.event.head_commit.message }}" ]
+     if [ -n "$HEAD_COMMIT_MESSAGE" ]
      then
-       commit_msg="${{ github.event.head_commit.message }}"
+       commit_msg="$HEAD_COMMIT_MESSAGE"
        echo "commit-message=${commit_msg}" | head -n 1 >> "$GITHUB_OUTPUT"
      else
        commit_message=$(git log -1 --pretty=%B | head -n 1)
        echo "commit-message=$commit_message" >> "$GITHUB_OUTPUT"
      fi

76-113: Add npm credentials for prerelease publishing.

The prerelease job calls yarn npm publish in the create-prerelease action, but the workflow does not set the NPM_TOKEN environment variable that .yarnrc.yml expects (npmAuthToken: "${NPM_TOKEN:-}"). This will cause publishing to fail.

Add an environment variable before the create-prerelease action invocation (after line 101):

      - name: build
        run: yarn build

+     - name: Bump query-subgraph & deploy
+       uses: ./.github/actions/create-prerelease
+       with:
+         package-path: .
+       env:
+         NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
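Review bot: this hunk marks the whole "Bump query-subgraph & deploy" step as new, but that step already exists in the prerelease job (it is visible in the quoted lines 76 to 113 further down); the only real change is the `env:` block carrying `NPM_TOKEN`, so apply it as an addition to the existing step rather than as a second step that would publish twice. Putting `env:` on the step that `uses:` the local composite action is the right scope: the variable is visible to that action's `yarn npm publish`, which is where `.yarnrc.yml`'s `npmAuthToken: "${NPM_TOKEN:-}"` reads it, and it is not exposed to the checkout, install or build steps.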

Alternatively, configure OIDC token exchange since the workflow has permissions: id-token: write but does not use it.

Note: The release job has the same issue—it also calls yarn npm publish without setting NPM_TOKEN.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1158466 and 3c961d0.

📒 Files selected for processing (3)
  • .github/workflows/prerelease.yml (0 hunks)
  • .github/workflows/publish.yml (1 hunks)
  • .github/workflows/release.yml (0 hunks)
💤 Files with no reviewable changes (2)
  • .github/workflows/prerelease.yml
  • .github/workflows/release.yml
🧰 Additional context used
🪛 actionlint (1.7.9)
.github/workflows/publish.yml

30-30: "github.event.head_commit.message" is potentially untrusted. avoid using it directly in inline scripts. instead, pass it through an environment variable. see https://docs.github.com/en/actions/reference/security/secure-use#good-practices-for-mitigating-script-injection-attacks for more details

(expression)

Comment on lines +44 to +75
release:
name: Release Publish
needs: [pre-ci]
if: >
!startsWith(github.event.head_commit.message, '[SKIP CI]')
&& startsWith(github.event.head_commit.message, '[release]')
&& github.repository == 'subquery/query-subgraph'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0

- name: Setup Node.js environment
uses: actions/setup-node@v5
with:
node-version: lts/*

- name: Update npm
run: npm install -g npm@latest

- run: yarn

- name: build
run: yarn build

- name: Publish subgraph-query
uses: ./.github/actions/create-release
with:
package-path: .
repo-token: ${{ secrets.REPO_TOKEN }}

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Scripts executed (repository: subquery/query-subgraph):

# First, let's look at the full workflow file to understand the pre-ci and prerelease jobs
cat -n .github/workflows/publish.yml

# Check if create-release action exists and what it does
cat -n .github/actions/create-release/action.yml

# Check .yarnrc.yml configuration
cat -n .yarnrc.yml 2>/dev/null || echo "File not found"

Fix inconsistent commit message check and add npm credentials.

Two critical issues:

  1. Inconsistent commit message checks: Line 48 checks github.event.head_commit.message directly, but the prerelease job (line 80) correctly uses needs.pre-ci.outputs.commit-message. Use the consistent pre-ci output source:
  if: >
-   !startsWith(github.event.head_commit.message, '[SKIP CI]')
-   && startsWith(github.event.head_commit.message, '[release]')
+   !startsWith(needs.pre-ci.outputs.commit-message, '[SKIP CI]')
+   && startsWith(needs.pre-ci.outputs.commit-message, '[release]')
    && github.repository == 'subquery/query-subgraph'
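Review bot: worth stating in the review why this change matters, because it is not the injection case: `if:` is evaluated as an expression and never passed through a shell, so `github.event.head_commit.message` here could not execute anything. The benefit is consistency and the empty-payload case that the pre-ci step already handles with its `git log` fallback. Note the gate will then see only the first line of the message (pre-ci truncates with `head -n 1`), which is the same value the prerelease job already gates on.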
  2. Missing npm credentials: The create-release action executes yarn npm publish but receives only repo-token (for git/release operations). The .yarnrc.yml expects npmAuthToken from the NPM_TOKEN environment variable. Without it, npm publishing will fail.

Add npm token setup before invoking create-release:

      - name: Update npm
        run: npm install -g npm@latest

+     - name: Set npm token
+       env:
+         NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+       run: npm config set //registry.npmjs.org/:_authToken="${NPM_TOKEN}"

      - run: yarn
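Review bot: the `npm config set //registry.npmjs.org/:_authToken=...` step writes the token into the runner's ~/.npmrc, which the npm CLI reads but Yarn 4 does not; create-release runs `yarn npm publish`, and as this thread notes Yarn takes its credential from `npmAuthToken: "${NPM_TOKEN:-}"` in .yarnrc.yml, so this step would leave the publish unauthenticated anyway. Pass `NPM_TOKEN` in the `env:` of the publish step instead and drop this step, which also avoids persisting the secret to disk on the runner.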
🤖 Prompt for AI Agents
In .github/workflows/publish.yml around lines 44 to 75, the release job uses
github.event.head_commit.message for the commit message check (inconsistent with
prerelease which uses needs.pre-ci.outputs.commit-message) and the
create-release step lacks npm credentials; update the job's if condition to use
needs.pre-ci.outputs.commit-message (the same output used by pre-ci) and add the
NPM_TOKEN into the environment available to the create-release step (or to the
job) so the action can authenticate to npm (e.g., pass NPM_TOKEN from secrets
into the step/job env) before invoking the create-release action.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Scripts executed (repository: subquery/query-subgraph):

cat -n .github/workflows/publish.yml
cat -n .github/actions/create-release/action.yml
cat -n .github/actions/create-prerelease/action.yml
cat -n .yarnrc.yml 2>/dev/null || echo "File not found or cannot be read"

Add npm authentication and use consistent commit message source.

Two critical issues:

  1. Inconsistent commit message check: Line 48–49 check github.event.head_commit.message directly, but the pre-ci job output should be used consistently (like the prerelease job does on line 80–81). Use needs.pre-ci.outputs.commit-message instead, which safely handles cases where the event payload is empty.

  2. Missing npm credentials for publishing: Both create-release (line 17) and the corresponding prerelease action run yarn npm publish without setting the NPM_TOKEN environment variable. The .yarnrc.yml file is configured to read npmAuthToken from the NPM_TOKEN environment variable (line 15), but neither the workflow nor the actions provide it. Without this, publish will fail due to missing authentication.

Fix the release job condition:

  release:
    name: Release Publish
    needs: [pre-ci]
    if: >
-     !startsWith(github.event.head_commit.message, '[SKIP CI]')
-     && startsWith(github.event.head_commit.message, '[release]')
+     !startsWith(needs.pre-ci.outputs.commit-message, '[SKIP CI]')
+     && startsWith(needs.pre-ci.outputs.commit-message, '[release]')
      && github.repository == 'subquery/query-subgraph'

Add npm authentication in the release job before invoking create-release:

      - name: Update npm
        run: npm install -g npm@latest

+     - run: yarn

+     - name: build
+       run: yarn build

+     - name: Publish subgraph-query
+       uses: ./.github/actions/create-release
+       with:
+         package-path: .
+         repo-token: ${{ secrets.REPO_TOKEN }}
+       env:
+         NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
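Review bot: the `+` markers on `- run: yarn`, the `build` step and the `Publish subgraph-query` step are misleading; all three are already in the job (see the quoted lines above), and the only new lines are the two under `env:`. Apply just that addition to the existing publish step. Scoping `env:` to the step that `uses:` the local composite action is correct: `NPM_TOKEN` reaches the action's `yarn npm publish` (where `.yarnrc.yml` reads it) without being exposed to the checkout, install or build steps.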

Pass NPM_TOKEN to the create-release action so yarn can authenticate with npm registry.

🤖 Prompt for AI Agents
.github/workflows/publish.yml lines 44-75: the release job currently reads
github.event.head_commit.message directly and does not provide npm credentials
for publishing; change the job condition to use
needs.pre-ci.outputs.commit-message instead of github.event.head_commit.message,
add a step before calling the create-release action to configure npm auth by
writing the NPM_TOKEN into the environment (e.g., export or set env for yarn/npm
using the repository secret), and pass NPM_TOKEN into the create-release action
via its env so yarn/npm can authenticate when the action runs.

Comment on lines +76 to +113
prerelease:
name: Prerelease Publish
needs: [pre-ci]
if: >
!startsWith(needs.pre-ci.outputs.commit-message, '[SKIP CI]')
&& !startsWith(needs.pre-ci.outputs.commit-message, '[release]')
&& github.repository == 'subquery/query-subgraph'
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v5
with:
fetch-depth: 0
token: ${{ secrets.REPO_TOKEN }} # Needed to push changes back to repo

- name: Setup Node.js environment
uses: actions/setup-node@v5
with:
node-version: lts/*

- name: Update npm
run: npm install -g npm@latest

- run: yarn

- name: build
run: yarn build

#Add remove-stable-version
- name: Bump query-subgraph & deploy
uses: ./.github/actions/create-prerelease
with:
package-path: .

- name: Commit changes
uses: EndBug/add-and-commit@v9
with:
message: '[SKIP CI] Prerelease'
default_author: github_actions
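Review bot: `token: ${{ secrets.REPO_TOKEN }}` on the checkout step is persisted into `.git/config` for the rest of the job (actions/checkout defaults to `persist-credentials: true`), so `yarn` install, `yarn build` and the `create-prerelease` publish all run with a push-capable PAT readable from disk, not just the final `EndBug/add-and-commit` step that needs it. Since the commit it pushes is `[SKIP CI] Prerelease` and both jobs gate on that prefix, the workflow-retrigger reason for using a PAT does not apply here; unless some other workflow must fire on that push, the default `GITHUB_TOKEN` with a `permissions: contents: write` block on the job would do, and the long-lived PAT could leave this job entirely. If the PAT has to stay, set `persist-credentials: false` on checkout and supply the token only to the commit step, and keep the PAT scoped to this one repository with only the contents access it needs. Separately, nothing in this job provides `NPM_TOKEN`, which the action's `yarn npm publish --tag dev` needs via `.yarnrc.yml`; a step-level `env:` on the `Bump query-subgraph & deploy` step is the minimal fix.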

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

    # Find the create-prerelease action definition
    find .github/actions -name "action.yml" -o -name "action.yaml" | head -20

Repository: subquery/query-subgraph

Length of output: 153

🏁 Script executed:

    # Check the structure of .github/actions
    ls -la .github/actions/

Length of output: 304

🏁 Script executed:

    # Look for create-prerelease action
    find . -path "*/.github/actions/create-prerelease*" -type f

Length of output: 174

🏁 Script executed:

    cat -n .github/actions/create-prerelease/action.yml

Length of output: 987

🏁 Script executed:

    cat -n .github/actions/create-prerelease/remove-stable-version.js

Length of output: 379

🏁 Script executed:

    # Find the release job in publish.yml to compare npm auth setup
    grep -n "release:" .github/workflows/publish.yml

Length of output: 97

🏁 Script executed:

    # Read the release job to see how npm auth is set up
    sed -n '44,75p' .github/workflows/publish.yml

Length of output: 856

🏁 Script executed:

    # Check .yarnrc.yml for npm token configuration
    cat -n .yarnrc.yml 2>/dev/null || echo "File not found or no .yarnrc.yml"

Length of output: 503

🏁 Script executed:

    # Search for NPM_TOKEN usage in workflow files
    rg "NPM_TOKEN" .github/workflows/

Length of output: 49

🏁 Script executed:

    # Check create-release action to see if it also publishes
    cat -n .github/actions/create-release/action.yml

Length of output: 1051

🏁 Script executed:

    # Search for any npm publish or auth logic in all workflows
    rg "npm publish|npm config|npmAuthToken" .github/workflows/

Length of output: 49

🏁 Script executed:

    # Check if there's a .github/workflows/pull_request.yml or other workflow files
    ls -la .github/workflows/

Length of output: 482

🏁 Script executed:

    # Double-check by looking at the entire publish.yml to see if there's any NPM_TOKEN setup anywhere
    cat .github/workflows/publish.yml | grep -i "npm_token\|npmAuthToken\|npm config" || echo "No NPM_TOKEN setup found in publish.yml"

Length of output: 106

🏁 Script executed:

    # Check if there's any GitHub secret documented or referenced that might provide npm auth
    grep -r "secrets\." .github/workflows/publish.yml | grep -i npm || echo "No NPM secrets referenced"

Length of output: 92

Add npm credentials for prerelease publishing.

The create-prerelease action publishes to npm via yarn npm publish --tag dev, but the prerelease job provides no npm registry credentials. The .yarnrc.yml file expects npmAuthToken from the NPM_TOKEN environment variable; without it, publishing will fail. Add an npm credential setup step before invoking the action:

      - name: build
        run: yarn build

+     - name: Set npm token
+       env:
+         NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+       run: |
+         npm config set //registry.npmjs.org/:_authToken="${NPM_TOKEN}"

      #Add remove-stable-version
      - name: Bump query-subgraph & deploy
        uses: ./.github/actions/create-prerelease
        with:
          package-path: .
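Review bot: this step will not authenticate the publish. `npm config set //registry.npmjs.org/:_authToken=...` writes to `~/.npmrc`, which `yarn npm publish` (Yarn 2+) does not read; as the comment itself notes, `.yarnrc.yml` takes `npmAuthToken` from the `NPM_TOKEN` environment variable, and the `env:` here is scoped to the `Set npm token` step only, so the variable is unset by the time `create-prerelease` runs. Move the `env:` block onto the `Bump query-subgraph & deploy` step instead (`env:` / `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` under that `uses:` step, as the release-job suggestion does), which also avoids leaving a registry token on disk for the remainder of the job.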

Note: The release job has the same issue and should also be updated.

🤖 Prompt for AI Agents
.github/workflows/publish.yml around lines 76 to 113: the prerelease job invokes
the create-prerelease action which runs yarn npm publish but never provides npm
credentials required by .yarnrc.yml (npmAuthToken from NPM_TOKEN); add a step
before the "Bump query-subgraph & deploy" action to configure npm auth (e.g.,
write NPM_TOKEN into the environment and create/update ~/.npmrc or set npm auth
via actions/setup-node with registry and node-auth-token: ${{ secrets.NPM_TOKEN
}}), ensuring the NPM_TOKEN secret is passed and available to the action; apply
the same change to the release job as noted in the comment.

@stwiname stwiname merged commit 4e87975 into main Dec 2, 2025
4 checks passed