Fix npm release TOML formatting #29
Walkthrough

Reorganizes the npm-release GitHub Actions workflow to add Nix/Node setup, a repository URL consistency check, build/test steps, hash-based version bump logic, and a new

Changes

- NPM Release Workflow Update
- Cargo.toml Formatting
Estimated code review effort: 2 (Simple) | ~10 minutes
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
.github/workflows/npm-release.yaml (2)
30-33: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Unpinned npm version installed via `@latest`.

`npm install -g npm@latest` installs whatever version is current at run-time, which is non-reproducible and could unexpectedly change publish/OIDC behavior between runs. Consider pinning to a known-good npm major/minor version.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/npm-release.yaml around lines 30 - 33, The npm upgrade step in the workflow is using an unpinned `@latest` version, which makes release behavior non-reproducible. Update the upgrade logic in the OIDC setup step to install a specific known-good npm version instead of npm@latest, and keep the version check afterward so the selected version is visible in logs. Use the workflow step named Upgrade npm for OIDC as the place to pin the version.
21-24: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider pinning Nix/FlakeHub actions to a released version instead of `@main`.

Both `DeterminateSystems/nix-installer-action@main` and `DeterminateSystems/flakehub-cache-action@main` track a floating branch ref. A branch ref can change at any time (intentionally or via compromise), which is a supply-chain risk for a workflow that publishes releases and signs commits/tags. DeterminateSystems' own docs note that `flakehub-cache-action` fully supports explicit version pinning "for maximum consistency," and recommend `determinate-nix-action@v3` (or a pinned patch version) over `nix-installer-action@main` when full pinning is desired.

♻️ Suggested pinning
```diff
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/nix-installer-action@v3
        with:
          determinate: true
-      - uses: DeterminateSystems/flakehub-cache-action@main
+      - uses: DeterminateSystems/flakehub-cache-action@v3
```

🤖 Prompt for AI Agents
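Review bot: the suggested hunk pins `nix-installer-action@v3`, but the comment's own rationale says DeterminateSystems recommend `determinate-nix-action@v3` over `nix-installer-action@main` when full pinning is desired, so the diff and the text disagree; pick one (the recommended action at a pinned version, or the existing action at a tag it actually publishes) and confirm that tag exists before applying. A version tag is still a mutable ref, so for a workflow that publishes releases consider pinning each `uses:` to the full commit SHA with the tag noted in a trailing comment.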
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/npm-release.yaml around lines 21 - 24, The workflow currently uses floating branch refs for the Nix and FlakeHub actions, which should be pinned to released versions. Update the npm-release workflow entries that use DeterminateSystems/nix-installer-action and DeterminateSystems/flakehub-cache-action so they reference stable tagged releases (or an explicit pinned version) instead of `@main`. Keep the existing action setup and only change the action references to the corresponding pinned versions.
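Both findings above (the floating `@main` action refs and the `npm@latest` upgrade) can be caught before merge with a small check over the workflow file. The following is an added example, not CodeRabbit's or the project's code; the workflow excerpt is constructed to match the review's description, and the `actions/checkout` and `actions/setup-node` lines and the SHA are assumed placeholders.

```python
import re

# Constructed workflow excerpt in the shape the two review findings describe;
# this is not the repository's actual npm-release.yaml.
SAMPLE_WORKFLOW = """\
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
        with:
          determinate: true
      - uses: DeterminateSystems/flakehub-cache-action@main
      # placeholder SHA, not a real commit
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - name: Upgrade npm for OIDC
        run: npm install -g npm@latest
"""

USES_RE = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s@]+)@(\S+)", re.M)
NPM_LATEST_RE = re.compile(r"npm\s+install\s+-g\s+npm@latest\b")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")


def classify_ref(ref):
    """'sha' for a full commit hash, 'tag' for a version tag, else 'branch'
    (a branch name or any other mutable ref such as main)."""
    if SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"


def find_unpinned_actions(workflow_text):
    """Return (action, ref, kind) for every `uses:` not pinned to a commit SHA.
    Tags are reported too: a tag can be moved, so only a full SHA is immutable."""
    return [(action, ref, classify_ref(ref))
            for action, ref in USES_RE.findall(workflow_text)
            if classify_ref(ref) != "sha"]


def uses_npm_latest(workflow_text):
    """True if a run step installs whatever npm is current (non-reproducible)."""
    return NPM_LATEST_RE.search(workflow_text) is not None


if __name__ == "__main__":
    for action, ref, kind in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"{kind:6} {action}@{ref}")
    if uses_npm_latest(SAMPLE_WORKFLOW):
        print("npm@latest upgrade found; pin a known-good npm version")
```

Run it against the real workflow by reading the file into `find_unpinned_actions` and `uses_npm_latest`; branch refs are the ones the review flags, tags are the next step up, and a SHA is the only immutable pin.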
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 6556649a-dde1-4f05-8662-f623caea4ab5
📒 Files selected for processing (2)

- .github/workflows/npm-release.yaml
- packages/sqlite-web-core/Cargo.toml