docs(ci): correct the publish root-cause comment; self-trigger on workflow changes#13
Merged
Merged
Conversation
…w changes The 2026-07-13 fix's comment blamed registry-url's dummy token for blocking OIDC. Verification disproved that mechanism: npm attempts OIDC unconditionally (its own CLI source); the true cause was a stale Trusted Publisher binding after the repo was deleted+recreated for the open-source cut — npm binds the original repository, so the UI string looks right while the binding points at the dead repo. Recovered only after delete+re-add on npmjs.com. The dummy token's real effect was disguising the failure as 404-unauthorized instead of an honest ENEEDAUTH, so registry-url stays out for signal quality and the comment now sends the next debugger to the binding first. Also adds publish.yml to its own trigger paths — during the outage every repair needed a manual dispatch. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Kitt7TS73PAVzmzteeU7vW
📝 WalkthroughWalkthroughThe publish workflow now re-runs when its own file changes on ChangesPublish workflow
Estimated code review effort: 1 (Trivial) | ~3 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/publish.yml:
- Around line 15-18: Add a bun run format:check validation step to the publish
workflow before the publish stage, alongside the existing lint, typecheck, and
test checks. Keep the current validation order and publishing behavior otherwise
unchanged.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Pro
Run ID: c268546c-1a84-4277-8dc2-1dafa5ce8690
📒 Files selected for processing (1)
.github/workflows/publish.yml
Keep the release workflow aligned with the repository's four mandatory validation gates before any package publish. Agent-Actor: scout Agent-Run-Id: anvil-cycle-001
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Verification
bun run lintbun run format:checkbun run typecheckbun testReview checklist
Root-cause note
The merged comment previously recorded a mechanism that later verification disproved. npm attempts OIDC unconditionally; the placeholder token's actual effect was to disguise the stale-binding failure as a 404 instead of ENEEDAUTH. The binding was repaired by deleting and re-adding the Trusted Publisher configuration on npmjs.com on 2026-07-13.