
fix: stop requiring npm tokens#39

Merged
codfish merged 1 commit into
mainfrom
npm-trusted-publishing
Feb 1, 2026

Conversation

@codfish
Owner

@codfish codfish commented Jan 31, 2026

npm-pr-version no longer requires npm-token. If npm-token is omitted it now publishes via OIDC trusted publishing using npm publish --provenance, validates id-token: write availability, and tightens bash error handling; token-based mode still detects npm/yarn/pnpm.

setup-node-and-install now upgrades npm for OIDC. It moves to actions/setup-node@v6, adds a configurable upgrade-npm step (default on) pinned to npm@^11.5.1, and exposes additional outputs.

https://docs.npmjs.com/trusted-publishers

Summary by CodeRabbit

  • New Features

    • OIDC trusted publishing support; npm-token now optional (falls back to OIDC)
    • PR comment controls with tag support; structured install and view-on-registry messages
    • Automatic npm v11 upgrade option for OIDC compatibility
  • Improvements

    • Improved publish error extraction and unified error-message reporting
    • Exposed additional runtime outputs (version, package-name, node/pnpm details)
  • Documentation

    • Updated examples/usages to v3 and added OIDC migration and troubleshooting guidance

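The publish-mode decision described in the PR body, as an added bash example; this is not the project's action.yml, and the function names, the npm version floor check and the per-manager command table are this example's own (the npm flags mirror the ones quoted later in the thread; the pnpm and yarn token-mode lines are assumptions):

```shell
#!/usr/bin/env bash
# Added example (not the project's action.yml): the publish-mode decision the
# PR description sketches. Token mode when npm-token is given, otherwise OIDC
# trusted publishing, which needs the runner's ID-token endpoint and npm >= 11.5.1.
# Function names, the version floor check and the per-manager command table are
# this example's own; the npm flags mirror the ones quoted in the thread.
set -eu

# True when the job has `permissions: id-token: write`: the Actions runner then
# exports both ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN.
oidc_available() {
  [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] && [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]
}

# version_ge HAVE WANT: numeric major.minor.patch comparison, pre-release suffix ignored.
version_ge() {
  _have=${1%%-*} _want=${2%%-*}
  set -- $(printf '%s\n' "$_have" | tr '.' ' ')
  _h1=${1:-0} _h2=${2:-0} _h3=${3:-0}
  set -- $(printf '%s\n' "$_want" | tr '.' ' ')
  _w1=${1:-0} _w2=${2:-0} _w3=${3:-0}
  [ "$_h1" -gt "$_w1" ] && return 0
  [ "$_h1" -lt "$_w1" ] && return 1
  [ "$_h2" -gt "$_w2" ] && return 0
  [ "$_h2" -lt "$_w2" ] && return 1
  [ "$_h3" -ge "$_w3" ]
}

# Lockfile-based detection, used only in token mode (OIDC mode always publishes with npm).
detect_package_manager() {
  if [ -f "$1/pnpm-lock.yaml" ]; then echo pnpm
  elif [ -f "$1/yarn.lock" ]; then echo yarn
  else echo npm
  fi
}

# select_publish_mode NPM_TOKEN NPM_VERSION -> prints "token" or "oidc".
# Fails early, naming the missing permission or the npm floor, instead of letting
# `npm publish` die later with an unrelated-looking auth error.
select_publish_mode() {
  if [ -n "$1" ]; then
    echo token
    return 0
  fi
  if ! oidc_available; then
    echo "OIDC token not available: add 'permissions: id-token: write' to the job, or pass npm-token" >&2
    return 1
  fi
  if ! version_ge "$2" 11.5.1; then
    echo "npm $2 cannot do trusted publishing; upgrade to npm@^11.5.1 (the upgrade-npm step in setup-node-and-install does this)" >&2
    return 1
  fi
  echo oidc
}

# publish_command MODE PM VERSION -> the command line to run (printed, not executed).
# In OIDC mode leave NPM_TOKEN / NODE_AUTH_TOKEN unset so npm falls through to the
# OIDC exchange; --provenance attaches the Sigstore attestation for the release.
publish_command() {
  case "$1" in
    oidc) echo "npm publish --access public --tag pr --provenance" ;;
    token)
      case "$2" in
        npm)  echo "npm publish --access public --tag pr" ;;
        pnpm) echo "pnpm publish --access public --tag pr --no-git-checks" ;;
        yarn) echo "yarn publish --access public --tag pr --new-version $3 --no-git-tag-version" ;;
        *) echo "unknown package manager: $2" >&2; return 1 ;;
      esac ;;
    *) echo "unknown mode: $1" >&2; return 1 ;;
  esac
}

# Demo on constructed inputs; the action would read these from its inputs and `npm -v`.
demo_dir=$(mktemp -d)
: > "$demo_dir/pnpm-lock.yaml"
pm=$(detect_package_manager "$demo_dir")
if mode=$(select_publish_mode "${INPUT_NPM_TOKEN:-}" "${NPM_VERSION:-11.6.0}"); then
  printf 'mode=%s command=%s\n' "$mode" "$(publish_command "$mode" "$pm" 0.0.0-pr-39)"
fi
rm -rf "$demo_dir"
```

Run with `INPUT_NPM_TOKEN` set to see token mode, or inside a job with `id-token: write` to see the OIDC branch; in any other environment the script stops at the permission check with the message a user can act on.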

@coderabbitai

coderabbitai Bot commented Jan 31, 2026

Caution

Review failed

The pull request is closed.

📝 Walkthrough

This PR updates action/version references to v3, adds OIDC trusted publishing (making npm-token optional) and PR comment controls to npm-publish-pr, adds npm v11 upgrade support and new outputs/inputs to setup-node-and-install, renames a Claude Code Review workflow input, and updates docs and examples accordingly.

Changes

Cohort / File(s) Summary
Workflow
\.github/workflows/claude-code-review.yml
Renamed Claude input from anthropic_api_key to claude_code_oauth_token.
npm-publish-pr action & docs
npm-publish-pr/action.yml, npm-publish-pr/README.md
Made npm-token optional (fallback to OIDC), added comment & comment-tag inputs, unified error extraction/handling, bifurcated publish flow (OIDC vs token), updated PM detection and PR messages, added outputs (version, package-name, error-message).
setup-node-and-install action & docs
setup-node-and-install/action.yml, setup-node-and-install/README.md
Added upgrade-npm input (default true) and outputs (node-version, pnpm-dest, pnpm-bin-dest); added conditional npm upgrade step to v11.5.1+ for OIDC; bumped actions/setup-node to v6; added yarn detection and pnpm step id.
Docs & examples, global README
README.md, AGENT.md, SECURITY.md, comment/README.md, npm-publish-pr/README.md
Bumped action references to v3, expanded OIDC guidance and permissions, updated usage examples and inputs/outputs tables, added OIDC migration and troubleshooting content.
Tooling & scripts
bin/generate-docs.js, package.json, renovate.json
Updated generated examples to reference v3, extended Prettier format glob to include yml, and reformatted renovate.json array (no semantic change).

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub Actions
    participant Action as npm-publish-pr Action
    participant OIDC as OIDC Provider
    participant NPM as npm Registry

    GH->>Action: start (no `npm-token`)
    Action->>OIDC: request ID token
    OIDC-->>Action: return ID token
    Action->>NPM: run `npm publish --provenance` (with ID token)
    NPM-->>Action: publish result
    Action->>GH: set outputs (version, package-name) and (optionally) comment
sequenceDiagram
    participant GH as GitHub Actions
    participant Action as npm-publish-pr Action
    participant PM as Package Manager (npm/yarn/pnpm)
    participant NPM as npm Registry

    GH->>Action: start (with `npm-token`)
    Action->>Action: detect package manager (lockfile)
    Action->>PM: authenticate with token & publish
    PM->>NPM: publish request
    NPM-->>PM: publish result
    PM-->>Action: return version
    Action->>GH: set outputs (version, package-name) and (optionally) comment

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Poem

🐰 Hopping through OIDC skies so bright,
Tokens balanced, provenance in sight,
Version three leaps and npm eleven sings,
Comments blossom on publishing wings,
A rabbit hops — release takes flight!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'fix: stop requiring npm tokens' directly and clearly summarizes the main change—removing the npm token requirement and enabling OIDC trusted publishing.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@github-actions

github-actions Bot commented Jan 31, 2026

Claude encountered an error —— View job


I'll analyze this and get back to you.

@github-actions

github-actions Bot commented Jan 31, 2026

🚀 Integration Test Results

npm-pr-version action test:

  • ✅ Version generation: 0.0.0-PR-39--88701a1
  • ✅ package.json update: Successful
  • ✅ Format validation: Passed

The action is working correctly! 🎉

@github-actions

github-actions Bot commented Jan 31, 2026

🧪 Test Results

✅ All tests passed successfully!

  • Linting: ✅ Passed
  • Unit tests: ✅ Passed
  • Integration tests: ✅ Passed

@codfish codfish force-pushed the npm-trusted-publishing branch from 4b32fbf to edc4419 (January 31, 2026 16:51)

@codfish codfish force-pushed the npm-trusted-publishing branch from 34f040f to f286d9a (January 31, 2026 20:52)

@codfish codfish force-pushed the npm-trusted-publishing branch from f286d9a to a237428 (January 31, 2026 21:11)

@codfish codfish force-pushed the npm-trusted-publishing branch from a237428 to df06ea9 (February 1, 2026 05:33)

@codfish codfish force-pushed the npm-trusted-publishing branch from df06ea9 to 439dada (February 1, 2026 05:36)

@codfish codfish force-pushed the npm-trusted-publishing branch from 439dada to f168d93 (February 1, 2026 05:38)

@codfish codfish force-pushed the npm-trusted-publishing branch from f168d93 to fa8fe3f (February 1, 2026 05:40)

@codfish codfish force-pushed the npm-trusted-publishing branch from 070ff46 to 7ef0016 (February 1, 2026 17:56)

@codfish codfish force-pushed the npm-trusted-publishing branch from 7ef0016 to e91f672 (February 1, 2026 18:01)

@codfish codfish force-pushed the npm-trusted-publishing branch from e91f672 to 7041140 (February 1, 2026 18:13)

@codfish codfish force-pushed the npm-trusted-publishing branch from 6d815a3 to 1c8f77b (February 1, 2026 20:02)

@codfish codfish force-pushed the npm-trusted-publishing branch from 1c8f77b to 5d30266 (February 1, 2026 20:06)

@codfish codfish force-pushed the npm-trusted-publishing branch from 5d30266 to e36c776 (February 1, 2026 20:06)
@github-actions

github-actions Bot commented Feb 1, 2026

Claude finished @codfish's task in 4m 20s —— View job


🎯 Comprehensive Code Review Complete

I've completed a thorough review of this PR which adds OIDC trusted publishing support for npm packages. Overall, this is a well-implemented feature with excellent documentation. Below is my detailed analysis across all requested areas.


📊 Summary

Overall Assessment: ✅ Approve with Minor Improvements Recommended

This PR successfully implements OIDC trusted publishing while maintaining backward compatibility with token-based authentication. The documentation is comprehensive and the feature is well-thought-out. However, there are a few issues that should be addressed before merging.

Key Strengths

  • ✅ Excellent documentation (migration guide, troubleshooting, examples)
  • ✅ Maintains backward compatibility with token-based auth
  • ✅ Comprehensive test coverage for the core functionality
  • ✅ Security improvement (eliminates need for npm tokens in public repos)
  • ✅ Automatic npm 11 upgrade ensures OIDC compatibility

Issues Found

  • 🔴 1 Critical Bug: Missing OIDC token validation (will cause cryptic errors)
  • 🟡 2 Moderate Bugs: Undefined variable in OIDC mode, potential Yarn v1 compatibility issue
  • 🔵 2 Minor Issues: Performance overhead, error extraction function limitations

🔒 1. Security Analysis

✅ Strengths

OIDC Implementation

  • Correctly uses npm's --provenance flag for supply chain security
  • Properly avoids setting NPM_TOKEN in environment when using OIDC (line 202)
  • Good separation between OIDC and token-based modes

Documentation

  • Excellent security guidance in troubleshooting section
  • Clear warnings about permissions requirements
  • Security.md properly updated

⚠️ Critical Issue: Missing OIDC Token Validation

npm-publish-pr/action.yml:104 (inline comment created)

The action doesn't validate that OIDC tokens are available before attempting to publish. This results in cryptic errors like "Access token expired or revoked" when users forget to add id-token: write permission.

Recommendation: Add validation at line 104:

if [ -z "$ACTIONS_ID_TOKEN_REQUEST_URL" ]; then
  error_message="❌ ERROR: OIDC token not available. Add 'permissions: { id-token: write }' to your workflow"
  echo "$error_message" >&2
  echo "error-message=$error_message" >> "$GITHUB_OUTPUT"
  exit 1
fi

This would save users significant debugging time and align with the excellent troubleshooting documentation already provided.

🟢 Other Security Notes

  • File descriptor usage in bin/generate-docs.js properly prevents TOCTOU vulnerabilities (good!)
  • No secret leakage in error messages
  • Input validation is thorough (package.json checks, jq validation)

💻 2. Code Quality

✅ Strengths

Code Organization

  • Clear separation of concerns (OIDC vs token mode)
  • Good use of shell functions (extract_error)
  • Consistent error handling patterns

Readability

  • Excellent comments explaining authentication modes
  • Clear variable names
  • Good logging with emoji indicators

🟡 Issues Found

Undefined Variable in OIDC Mode

npm-publish-pr/action.yml:127 (attempted inline comment)

Line 127 references $package_manager but it's only set in the token branch (lines 113-122). In OIDC mode, this outputs an empty string:

echo "📦 Publishing $package_name@$version with $package_manager"

Fix: Either remove the package manager from the message in OIDC mode, or set it explicitly:

# At line 105, add:
package_manager="npm"  # OIDC always uses npm

Error Extraction Function Limitations

npm-publish-pr/action.yml:59 (attempted inline comment)

The extract_error function only looks for "^npm error" patterns but is used for yarn and pnpm errors too (lines 164, 176, 188). This means yarn/pnpm errors will always fall through to the generic tail-based extraction, losing structured error information.

Recommendation: Make it package-manager aware (see inline comment for implementation).

Error Handling Pattern

npm-publish-pr/action.yml:51 (attempted inline comment)

Using set +e disables error checking for the entire script. This means typos, undefined variables, and other bugs won't cause the workflow to fail. Consider using set -euo pipefail with error traps instead.


⚡ 3. Performance

🟡 Unconditional npm Upgrade

setup-node-and-install/action.yml:129 (inline comment created)

The npm upgrade happens on every workflow run, adding ~10-15 seconds even when:

  • Not using npm-publish-pr at all
  • Using token-based publishing (which doesn't require npm 11)
  • Just running tests/builds

Impact: For a project with 50 workflow runs/day, this adds ~10 minutes of compute time daily.

Options:

  1. Add optional flag: upgrade-npm: boolean (default: true for now, users can opt-out)
  2. Cache global npm: Use actions/cache to cache ~/.npm-packages or equivalent
  3. Document trade-off: Keep as-is but clearly document the ~10-15s overhead

Recommendation: Option 1 (add optional flag) provides best balance of simplicity and flexibility.

✅ Other Performance Notes

  • Good use of lockfile-based caching in setup-node-and-install
  • Efficient package manager detection (file checks are fast)

🧪 4. Testing

✅ Strengths

Test Coverage

  • Comprehensive unit tests in tests/integration/npm-pr-version/basic.bats
  • Tests cover: version generation, package manager detection, error handling, comment workflow
  • Good use of fixtures for different scenarios (scoped packages, etc.)

Test Quality

  • Tests are well-organized and descriptive
  • Use of test helpers (test-helpers.sh) promotes reusability
  • Mock implementations prevent actual publishing during tests

⚠️ Missing Test Coverage

OIDC Mode Testing

  • No tests for OIDC authentication path
  • No tests for error handling when OIDC token unavailable
  • No tests verifying --provenance flag is used

Yarn v1 Compatibility

  • Tests don't validate the yarn publish command actually works
  • The existing code uses flags that may not be valid for Yarn v1 (see Code Quality section)

Recommendation: Add integration tests that mock the OIDC environment variables and verify the correct npm command is executed.


📚 5. Documentation

✅ Excellent Documentation

This is one of the strongest aspects of this PR!

Migration Guide

  • Clear step-by-step migration from token to OIDC
  • Includes exact commands and configuration examples
  • Shows diff format for easy understanding

Troubleshooting Section

  • Comprehensive error scenarios covered
  • Clear solutions for each problem
  • Links to relevant documentation

Examples

  • Multiple complete workflow examples
  • Both OIDC and token modes shown
  • Covers edge cases (forks, private packages, etc.)

🔵 Minor Documentation Issues

npm-publish-pr/README.md:44 (attempted inline comment)

The workflow filename documentation could be clearer about nested workflows:

- Workflow: `validate.yml` (filename or relative path like `ci/validate.yml` for nested workflows)

npm-publish-pr/README.md:10

Consider clarifying in the input description that OIDC only works for public packages:

description: 
  Registry authentication token with publish permissions. If not provided, OIDC trusted publishing 
  will be used (requires id-token write permission and public package)

✅ Auto-generated Documentation

  • The bin/generate-docs.js updates are minimal and correct
  • Proper use of file descriptors for security (TOCTOU prevention)
  • Documentation markers are consistent

🐛 Summary of Issues

🔴 Critical (Must Fix)

  1. Missing OIDC token validation - Will cause confusing errors for users → npm-publish-pr/action.yml:104

🟡 Moderate (Should Fix)

  1. Undefined variable in OIDC mode - Outputs incorrect log message → npm-publish-pr/action.yml:127
  2. Potential Yarn v1 incompatibility - Uses flags that may not exist → npm-publish-pr/action.yml:161

🔵 Minor (Nice to Have)

  1. Performance overhead - Unconditional npm upgrade adds ~10-15s → setup-node-and-install/action.yml:129
  2. Error extraction limitations - Only handles npm errors well → npm-publish-pr/action.yml:59
  3. Error handling pattern - Using set +e may hide bugs → npm-publish-pr/action.yml:51

✅ Recommendations

Before Merging (Priority)

  1. ✅ Add OIDC token validation to prevent cryptic errors
  2. ✅ Fix undefined $package_manager variable in OIDC mode
  3. ⚠️ Verify Yarn v1 compatibility or document limitations

Post-Merge Improvements

  1. Consider making npm upgrade optional for performance
  2. Enhance error extraction to handle yarn/pnpm errors
  3. Add integration tests for OIDC mode
  4. Consider using error traps instead of set +e

🎉 Conclusion

This is a high-quality PR that adds valuable functionality while maintaining excellent backward compatibility and documentation. The OIDC implementation follows npm best practices and will significantly improve security for public package publishing.

The critical issue (OIDC token validation) should be addressed before merging, but otherwise this is ready to go. Great work on the comprehensive documentation and migration guide!

Final Recommendation: Approve after addressing the OIDC token validation issue
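The two shell changes the review above asks for, strict mode instead of `set +e` and a package-manager-aware `extract_error`, as an added example that is not the project's action.yml; the npm, pnpm and yarn outputs are constructed samples and every function and variable name is this example's own:

```shell
#!/usr/bin/env bash
# Added example, not the project's action.yml: strict mode kept on for the whole
# step, an ERR trap for anything unexpected, explicit capture of the one command
# that is allowed to fail (the publish), and an extract_error that knows how each
# package manager formats its errors. Sample outputs below are constructed.
set -euo pipefail

# Without errtrace (-E) this trap covers top-level commands only; functions
# report through their return codes, which is what the callers below rely on.
trap 'echo "::error::unexpected failure at line $LINENO (exit $?)" >&2' ERR

# extract_error PM OUTPUT: pull the manager's own error lines out of the combined
# publish output; fall back to the last five lines when none match. The `|| true`
# keeps a no-match grep from tripping strict mode.
extract_error() {
  local pm=$1 out=$2 msg
  case "$pm" in
    npm)  msg=$(printf '%s\n' "$out" | grep -E '^npm (error|ERR!)' | sed -E 's/^npm (error|ERR!) ?//' | head -n 5 || true) ;;
    pnpm) msg=$(printf '%s\n' "$out" | grep -E 'ERR_PNPM_[A-Z_]+' | sed -E 's/^[[:space:]]+//' | head -n 5 || true) ;;
    yarn) msg=$(printf '%s\n' "$out" | grep -E '^error ' | sed 's/^error //' | head -n 5 || true) ;;
    *)    msg="" ;;
  esac
  if [ -z "$msg" ]; then
    msg=$(printf '%s\n' "$out" | tail -n 5)
  fi
  printf '%s\n' "$msg"
}

# run_publish CMD...: run the publish command with strict mode still on. The
# `|| rc=$?` is what makes this safe: a non-zero exit is captured instead of
# aborting the script, and nothing else in the step has error checking disabled.
run_publish() {
  local rc=0
  PUBLISH_OUTPUT=$("$@" 2>&1) || rc=$?
  PUBLISH_EXIT_CODE=$rc
}

# set_output NAME VALUE: write a possibly multi-line value to $GITHUB_OUTPUT using
# the heredoc form; a plain `name=value` line would be cut at the first newline.
# Use a random delimiter in real use so the value cannot terminate it early.
set_output() {
  local name=$1 value=$2 out=${GITHUB_OUTPUT:-/dev/null}
  {
    printf '%s<<__gh_output_eof__\n' "$name"
    printf '%s\n' "$value"
    printf '__gh_output_eof__\n'
  } >>"$out"
}

# handle_publish_result PM: surface the extracted error through the error-message
# output and return the original exit code so the step still fails.
handle_publish_result() {
  local pm=$1 msg
  if [ "$PUBLISH_EXIT_CODE" -ne 0 ]; then
    msg=$(extract_error "$pm" "$PUBLISH_OUTPUT")
    set_output error-message "$msg"
    printf '::error::%s publish failed (exit %s)\n' "$pm" "$PUBLISH_EXIT_CODE" >&2
    return "$PUBLISH_EXIT_CODE"
  fi
  return 0
}

# Constructed sample outputs, roughly in each manager's format.
SAMPLE_NPM='npm notice Publishing to https://registry.npmjs.org/ with tag pr and public access
npm error code E403
npm error 403 403 Forbidden - PUT https://registry.npmjs.org/@scope%2fpkg - You do not have permission to publish "@scope/pkg".
npm error A complete log of this run can be found in: /home/runner/.npm/_logs/debug-0.log'
SAMPLE_PNPM=' ERR_PNPM_GIT_UNCLEAN  Unclean working tree. Commit or stash changes first.'
SAMPLE_YARN='yarn publish v1.22.22
error An unexpected error occurred: "https://registry.yarnpkg.com/@scope%2fpkg: Forbidden".
info Visit https://yarnpkg.com/en/docs/cli/publish for documentation about this command.'

# Simulated failing publish: the stand-in command prints the npm sample and exits 1.
run_publish sh -c 'printf "%s\n" "$1"; exit 1' _ "$SAMPLE_NPM"
if ! handle_publish_result npm; then
  printf 'extracted:\n%s\n' "$(extract_error npm "$PUBLISH_OUTPUT")"
fi
```

With `GITHUB_OUTPUT` pointing at a file, the failed run leaves a multi-line `error-message` block in it and the script exits through the publish command's own status, not through a generic strict-mode abort.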


@codfish codfish force-pushed the npm-trusted-publishing branch from e36c776 to 5c21876 (February 1, 2026 20:34)

@codfish codfish marked this pull request as ready for review February 1, 2026 20:36

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
comment/README.md (1)

20-32: ⚠️ Potential issue | 🟡 Minor

Add required outputs markers to this action README.

Each action README must include outputs markers even if there are no outputs to list.

➕ Add outputs section
@@
 <!-- end inputs -->
 
+## Outputs
+
+<!-- start outputs -->
+
+*No outputs*
+
+<!-- end outputs -->
+
 ## Examples
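Review bot: the `*No outputs*` placeholder is being hand-written between `<!-- start outputs -->` and `<!-- end outputs -->`, the same generator-owned markers that the later comment on npm-publish-pr/README.md (around lines 223-232) says must not be edited directly; confirm that bin/generate-docs.js emits this placeholder for an action with no outputs, otherwise the next docs regeneration either strips the block or drifts from it.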
As per coding guidelines, each action README must contain inputs/outputs markers: `<!-- start inputs -->`/`<!-- end inputs -->` and `<!-- start outputs -->`/`<!-- end outputs -->`.
bin/generate-docs.js (1)

59-88: ⚠️ Potential issue | 🟠 Major

Replace filename-based file reads with file descriptors to prevent TOCTOU vulnerabilities.

The extractUsageExample method (line 62-67) has a classic TOCTOU pattern: fs.existsSync is followed by fs.readFileSync, allowing the file to be deleted or modified between the check and read. The parseActionFile method (line 39) similarly needs to use file descriptors for consistency. Both should use fs.openSync/fs.readSync with proper error handling and cleanup in finally blocks, following the pattern already established elsewhere in this file (lines 217-240 and 295-320).

🔒 Suggested fix for `extractUsageExample`
-    try {
-      const content = fs.readFileSync(readmeFile, 'utf8');
+    let fd;
+    try {
+      fd = fs.openSync(readmeFile, 'r');
+      const stats = fs.fstatSync(fd);
+      const buffer = Buffer.alloc(stats.size);
+      fs.readSync(fd, buffer, 0, stats.size, 0);
+      const content = buffer.toString('utf8');
@@
-    } catch (error) {
+    } catch (error) {
       console.error(`Error reading README for ${dirName}:`, error.message);
       return this.generateBasicExample(dirName);
+    } finally {
+      if (fd !== undefined) {
+        try {
+          fs.closeSync(fd);
+        } catch (closeError) {
+          console.error(`Error closing README for ${dirName}:`, closeError.message);
+        }
+      }
     }
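Review bot: the single `fs.readSync(fd, buffer, 0, stats.size, 0)` call assumes the whole file comes back in one read; readSync may return fewer bytes than requested and the count is discarded here, so the tail of `buffer` would silently stay zero-filled. Either loop until the bytes read reach `stats.size` or pass the descriptor to `fs.readFileSync(fd, 'utf8')`, which accepts an open fd and does that loop for you. Note also what the replaced lines show: `fs.readFileSync(readmeFile, 'utf8')` inside the same try/catch already fails closed if the file disappears after `existsSync`, so the rewrite changes the error-handling shape more than it closes a race; the `finally` block with its own guarded `closeSync` is the part worth keeping.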

Apply the same pattern to parseActionFile (line 35-54).

npm-publish-pr/action.yml (1)

39-39: ⚠️ Potential issue | 🟡 Minor

Comment action still references @v2 instead of @v3.

The PR updates documentation to reference v3 for all actions, but this action.yml still uses codfish/actions/comment@v2 in three places. This should likely be updated for consistency.

✏️ Suggested fix
-    - uses: codfish/actions/comment@v2
+    - uses: codfish/actions/comment@v3
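Review bot: bumping `codfish/actions/comment@v2` to `@v3` keeps the nested action on a mutable major tag, so this step runs whatever commit `v3` points to at job time; since it executes inside a job that carries `id-token: write` for OIDC publishing, anything that tag is moved to could request the same OIDC token. Pin the nested `uses:` to a full commit SHA (with `# v3` as a trailing comment) at all three sites named here, lines 39, 215 and 227.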

Apply this change at lines 39, 215, and 227.

Also applies to: 215-215, 227-227

🤖 Fix all issues with AI agents
In `@README.md`:
- Around line 173-175: The workflow example in README.md uses inconsistent
GitHub Action refs: change uses: actions/checkout@v3 to match other examples
(actions/checkout@v6), and replace uses:
codfish/actions/setup-node-and-install@main with a stable tag (e.g., `@v3`) to
match the repository's convention; update both action refs in the snippet so all
examples use the same pinned versions (actions/checkout and
codfish/actions/setup-node-and-install).

In `@setup-node-and-install/README.md`:
- Around line 141-145: The README example uses an undefined input
"cache-key-suffix" which is not declared in setup-node-and-install/action.yml;
either remove the "cache-key-suffix" line from the example in README.md or add a
matching input entry named "cache-key-suffix" to action.yml (with a description
and default) so the example and the action inputs agree; search for the README
snippet showing "uses: codfish/actions/setup-node-and-install@v3" and the
action.yml inputs to update the inconsistency.
🧹 Nitpick comments (1)
README.md (1)

162-166: Security consideration with pull_request_target and OIDC.

Using pull_request_target with id-token: write can be risky if the workflow checks out and runs code from the PR branch (e.g., actions/checkout without explicit ref). This could allow malicious PRs from forks to steal the OIDC token. The npm-publish-pr/README.md correctly shows using pull_request with a fork check condition as a safer pattern.

Consider adding a note about the security implications or switching the example to use pull_request with a fork check.
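A lint for the `pull_request_target` plus `id-token: write` pattern flagged in the nitpick above, as an added example that is not part of the review or of the project; the two workflow snippets are constructed, and `workflow_risky` / `workflow_fork_guarded` are this example's names for the checks:

```shell
#!/usr/bin/env bash
# Added example, not part of the review or the project: a lint for the pattern
# the nitpick above describes. A workflow is flagged when it (1) triggers on
# pull_request_target, (2) grants id-token: write, and (3) checks out the PR head
# (github.event.pull_request.head.sha / .ref), since that combination runs code
# from a fork inside a job that can mint the OIDC token. Plain grep over the YAML
# text (block-style `on:` only), not a YAML parser. Both snippets are constructed.
set -eu

has_line() {  # has_line TEXT REGEX
  printf '%s\n' "$1" | grep -Eq "$2"
}

# workflow_risky YAML -> 0 when all three conditions hold, 1 otherwise.
workflow_risky() {
  has_line "$1" '^[[:space:]]*(on:[[:space:]]*)?pull_request_target[[:space:]]*:?[[:space:]]*$' || return 1
  has_line "$1" '^[[:space:]]*id-token[[:space:]]*:[[:space:]]*write' || return 1
  has_line "$1" 'github\.event\.pull_request\.head\.(sha|ref)' || return 1
  return 0
}

# workflow_fork_guarded YAML -> 0 when a job is gated on the PR head repo being
# this repository, the safer shape the npm-publish-pr README uses with pull_request.
workflow_fork_guarded() {
  has_line "$1" 'github\.event\.pull_request\.head\.repo\.full_name[[:space:]]*==[[:space:]]*github\.repository'
}

# Constructed: the shape the nitpick warns about.
RISKY_WORKFLOW=$(cat <<'YAML'
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
  id-token: write
  pull-requests: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: codfish/actions/npm-publish-pr@v3
YAML
)

# Constructed: pull_request with a same-repo guard on the publish job.
SAFER_WORKFLOW=$(cat <<'YAML'
on:
  pull_request:
permissions:
  contents: read
  id-token: write
  pull-requests: write
jobs:
  publish:
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: codfish/actions/npm-publish-pr@v3
YAML
)

report() {  # report LABEL YAML
  if workflow_risky "$2"; then
    printf '%s: FLAGGED (pull_request_target + id-token: write + PR head checkout)\n' "$1"
  elif workflow_fork_guarded "$2"; then
    printf '%s: ok, publish job gated on same-repo PRs\n' "$1"
  else
    printf '%s: not flagged\n' "$1"
  fi
}

report risky "$RISKY_WORKFLOW"
report safer "$SAFER_WORKFLOW"
```

Point `report` at each file under `.github/workflows/` (for example `report "$f" "$(cat "$f")"`) to run it as a pre-commit or CI check; removing either the `id-token: write` grant or the PR-head checkout from the risky snippet clears the flag.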


@cursor cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 5 potential issues.


@codfish codfish force-pushed the npm-trusted-publishing branch from 5c21876 to a43d806 (February 1, 2026 20:56)

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
npm-publish-pr/action.yml (1)

39-39: ⚠️ Potential issue | 🟡 Minor

Inconsistent comment action version.

The action uses codfish/actions/comment@v2 while the rest of the PR has migrated to v3. Consider updating for consistency.

✏️ Suggested fix
-    - uses: codfish/actions/comment@v2
+    - uses: codfish/actions/comment@v3

Apply this change at lines 39, 208, and 220.

Also applies to: 208-208, 220-220

🤖 Fix all issues with AI agents
In `@npm-publish-pr/action.yml`:
- Around line 176-183: In the case "$package_manager" branch for "yarn", remove
the redundant --new-version $version flag from the yarn publish invocation so it
reads a plain yarn publish --access public --tag pr --no-git-tag-version
--skip-check-working-tree (preserving capture of publish_output and
publish_exit_code and the existing call to handle_publish_error), ensuring
consistency with the npm/pnpm publish behavior that relies on the package.json
version already set earlier.

In `@npm-publish-pr/README.md`:
- Around line 223-232: The inputs table was edited inside the auto-generated
HTML block delimited by <!-- start inputs --> and <!-- end inputs --> in
README.md; revert any manual changes inside that block, update the upstream
generator or source-of-truth that produces the inputs table (not the README
directly), then re-generate the README so the correct table is produced; ensure
future edits to inputs/outputs/doctoc blocks are made in the generator files
rather than editing content between any HTML comment markers.
- Around line 238-244: The README's OIDC trusted publishing command string is
out of sync: update the documentation text that currently shows "npm publish
--access public --tag pr" to include the provenance flag so it reads "npm
publish --access public --tag pr --provenance"; locate the sentence block
describing OIDC trusted publishing (the bullet list under "When `npm-token` is
not provided") and replace the Command line accordingly so docs match the
implementation.
🧹 Nitpick comments (1)
npm-publish-pr/action.yml (1)

50-50: Consider stricter bash error handling.

Using set +e disables exit-on-error for the entire script. A more robust approach is to use strict mode (set -euo pipefail) at the start and handle specific commands that may fail using || true or explicit conditionals.

However, given the current structure with explicit exit code checks after each critical command, the current approach is functional. This is a minor suggestion for future consideration.

BREAKING CHANGE: `npm` is upgraded to v11 in setup-node-and-install (pinned to ^11.5.1). This may affect workflows with npm v10-specific dependencies (rare).

- Upgrade npm to 11.5.1+ in setup-node-and-install for
  OIDC compatibility
- Migrate to actions/setup-node@v6
- Make npm-token optional (OIDC used when not provided)
- Update all documentation with OIDC usage examples and
  authentication modes

test: token

test: token
@codfish codfish force-pushed the npm-trusted-publishing branch from a43d806 to 88701a1 (February 1, 2026 21:10)
@codfish codfish merged commit 834ef2c into main Feb 1, 2026
16 of 18 checks passed
@codfish codfish deleted the npm-trusted-publishing branch February 1, 2026 21:10

@github-actions

github-actions Bot commented Feb 1, 2026

🎉 This PR is included in version 3.0.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
