
Fix npm release TOML formatting #29

Open

findolor wants to merge 1 commit into main from npm-release-taplo-format-fix

Conversation


@findolor findolor commented Jul 1, 2026

Collaborator

Summary by CodeRabbit

  • Chores
    • Improved the release workflow to run an extra formatting check before packaging and publishing.
    • Reordered and standardized setup, testing, and release steps for a smoother release process.
    • Normalized a package configuration entry to keep formatting consistent.


coderabbitai Bot commented Jul 1, 2026


Walkthrough

Reorganizes the npm-release GitHub Actions workflow to add Nix/Node setup, a repository URL consistency check, build/test steps, hash-based version bump logic, and a new taplo fmt formatting step before packaging/publishing. Also normalizes whitespace in a Cargo.toml dependency path.

Changes

NPM Release Workflow Update

| Layer / File(s) | Summary |
| --- | --- |
| Job setup and environment provisioning (.github/workflows/npm-release.yaml) | Adds Nix installer and flakehub cache actions, sets up Node.js 24.x, and upgrades npm for OIDC publishing. |
| Repository consistency check (.github/workflows/npm-release.yaml) | Adds a step verifying the git remote URL matches the repository field in pkg/package.json, failing the workflow on mismatch. |
| Build, test, and hash computation (.github/workflows/npm-release.yaml) | Runs Nix build, installs Playwright dependencies, runs integration tests, configures git identity, and stores the old package hash in GITHUB_ENV. |
| Conditional version bump, formatting, and publish (.github/workflows/npm-release.yaml) | Adds a taplo fmt step and retains conditional tarball creation, renaming, npm publish, commit/tag, push, and GitHub release creation when hashes differ. |

Cargo.toml Formatting

| Layer / File(s) | Summary |
| --- | --- |
| Dependency path formatting (packages/sqlite-web-core/Cargo.toml) | Normalizes whitespace in the rain-math-float dependency path value. |

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

  • rainlanguage/sqlite-web#2: Directly related to the same npm-release.yaml workflow, including step reordering and the taplo fmt addition.

Suggested reviewers: 0xgleb, hardyjosh

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title matches the main change: fixing TOML formatting in the npm release workflow and related Cargo.toml formatting. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
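The walkthrough above mentions a workflow step that fails the release when the git remote URL does not match the `repository` field in pkg/package.json. The following is an added example of that consistency check written in Python; it is not the workflow's own step and makes no claim about how the project implements it. The package.json content and every URL below are constructed samples (`example-org/example-repo`), and the remote URL is passed in as a string so the check runs offline.

```python
from __future__ import annotations
import json
import re

# Constructed sample package.json content; not the repository's real pkg/package.json.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "@example/sqlite-web",  # placeholder package name
    "version": "0.1.0",
    "repository": {
        "type": "git",
        "url": "git+https://github.com/example-org/example-repo.git",
    },
})

# The spellings a git remote or an npm "repository" field commonly uses.
_SSH_RE = re.compile(r"^(?:ssh://)?git@([^:/]+)[:/](.+)$")              # git@host:owner/repo.git
_HTTP_RE = re.compile(r"^(?:git\+)?https?://(?:[^@/]+@)?([^/]+)/(.+)$")  # [git+]https://host/owner/repo[.git]
_SHORT_RE = re.compile(r"^(?:github:)?([\w.-]+/[\w.-]+)$")               # github:owner/repo or owner/repo


def normalize_repo_url(url: str) -> str:
    """Reduce any of the spellings above to lowercase 'host/owner/repo'."""
    url = url.strip()
    m = _SSH_RE.match(url) or _HTTP_RE.match(url)
    if m:
        host, path = m.group(1), m.group(2)
    else:
        m = _SHORT_RE.match(url)
        if not m:
            raise ValueError(f"unrecognised repository URL: {url!r}")
        host, path = "github.com", m.group(1)  # npm shorthand implies GitHub
    path = path.strip("/")
    if path.endswith(".git"):
        path = path[:-4]
    return f"{host}/{path}".lower()


def repository_field(package_json_text: str) -> str:
    """Return the repository URL from package.json, accepting the string and object forms."""
    repo = json.loads(package_json_text).get("repository")
    if isinstance(repo, dict):
        repo = repo.get("url")
    if not isinstance(repo, str) or not repo:
        raise ValueError("package.json has no usable repository field")
    return repo


def remote_matches_package(remote_url: str, package_json_text: str) -> bool:
    """True when the checkout's remote and the published metadata name the same repository."""
    return normalize_repo_url(remote_url) == normalize_repo_url(repository_field(package_json_text))


if __name__ == "__main__":
    # In CI the remote would come from `git remote get-url origin`; here it is a constructed value.
    remote = "git@github.com:example-org/example-repo.git"
    if not remote_matches_package(remote, SAMPLE_PACKAGE_JSON):
        raise SystemExit("package.json repository does not match git remote; refusing to publish")
    print("repository metadata matches remote")
```

Normalising both sides before comparing matters because the remote is usually an SSH URL while package.json usually carries `git+https://...`; a byte-for-byte comparison would fail on every honest checkout and push people to disable the check.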

findolor commented Jul 1, 2026

Collaborator Author

This stack of pull requests is managed by Graphite. Learn more about stacking.

@findolor findolor marked this pull request as ready for review July 1, 2026 07:26
@findolor findolor self-assigned this Jul 1, 2026
@findolor findolor requested review from 0xgleb and JuaniRios July 1, 2026 07:30

@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/npm-release.yaml (2)

30-33: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Unpinned npm version installed via @latest.

npm install -g npm@latest installs whatever version is current at run-time, which is non-reproducible and could unexpectedly change publish/OIDC behavior between runs. Consider pinning to a known-good npm major/minor version.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/npm-release.yaml around lines 30 - 33, The npm upgrade
step in the workflow is using an unpinned `@latest` version, which makes release
behavior non-reproducible. Update the upgrade logic in the OIDC setup step to
install a specific known-good npm version instead of npm@latest, and keep the
version check afterward so the selected version is visible in logs. Use the
workflow step named Upgrade npm for OIDC as the place to pin the version.

21-24: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Consider pinning Nix/FlakeHub actions to a released version instead of @main.

Both DeterminateSystems/nix-installer-action@main and DeterminateSystems/flakehub-cache-action@main track a floating branch ref. A branch ref can change at any time (intentionally or via compromise), which is a supply-chain risk for a workflow that publishes releases and signs commits/tags. DeterminateSystems' own docs note that flakehub-cache-action fully supports explicit version pinning "for maximum consistency," and recommend determinate-nix-action@v3 (or a pinned patch version) over nix-installer-action@main when full pinning is desired.

♻️ Suggested pinning
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/nix-installer-action@v3
         with:
           determinate: true
-      - uses: DeterminateSystems/flakehub-cache-action@main
+      - uses: DeterminateSystems/flakehub-cache-action@v3
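Review bot: the hunk and the rationale above it disagree on which action to pin. The text cites DeterminateSystems' docs as recommending `determinate-nix-action@v3` (or a pinned patch version) over `nix-installer-action@main`, yet the `-`/`+` pair keeps `nix-installer-action` and only changes the ref to `@v3`; decide which action is intended and make the hunk match the recommendation it quotes. Whichever is chosen, a major tag like `@v3` is still a ref the maintainer can move, so for the reproducibility goal stated above a pinned patch version (which the quoted docs allow) or a full commit SHA is the stronger form of pinning.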
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/npm-release.yaml around lines 21 - 24, The workflow
currently uses floating branch refs for the Nix and FlakeHub actions, which
should be pinned to released versions. Update the npm-release workflow entries
that use DeterminateSystems/nix-installer-action and
DeterminateSystems/flakehub-cache-action so they reference stable tagged
releases (or an explicit pinned version) instead of `@main`. Keep the existing
action setup and only change the action references to the corresponding pinned
versions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6556649a-dde1-4f05-8662-f623caea4ab5

📥 Commits

Reviewing files that changed from the base of the PR and between 0c9a50c and 9e2dfbc.

📒 Files selected for processing (2)
  • .github/workflows/npm-release.yaml
  • packages/sqlite-web-core/Cargo.toml
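Both findings in the review above are the same class of problem: a release workflow resolving a floating reference (`@main` for two actions, `npm@latest` for the publishing client) at run time. The following is an added example, not the project's or CodeRabbit's code, of a small lint that walks a workflow file, classifies each `uses:` ref as an immutable commit SHA, a floating branch name, or a movable tag, and flags `@latest` installs in `run:` steps. The workflow excerpt is a constructed sample modelled on the lines the review quotes, not the repository's real npm-release.yaml, and the 40-hex-digit ref on the `setup-node` line is a made-up placeholder, not a real commit.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed workflow excerpt modelled on the lines the review quotes (the two
# DeterminateSystems @main refs and the npm@latest upgrade). Not the real file;
# the setup-node SHA is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: DeterminateSystems/nix-installer-action@main
        with:
          determinate: true
      - uses: DeterminateSystems/flakehub-cache-action@main
      - uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b
        with:
          node-version: 24.x
      - name: Upgrade npm for OIDC
        run: |
          npm install -g npm@latest
          npm --version
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(\S+)")
NPM_LATEST_RE = re.compile(r"\bnpm\s+(?:install|i)\b.*?(\S+@latest)\b")
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
FLOATING_BRANCHES = {"main", "master", "develop", "trunk"}


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str    # "floating-branch" | "mutable-tag" | "npm-latest"
    detail: str


def classify_ref(ref: str) -> str:
    """An immutable commit SHA, a floating branch name, or a tag the maintainer can move."""
    if SHA40_RE.match(ref):
        return "sha"
    if ref in FLOATING_BRANCHES:
        return "floating-branch"
    return "mutable-tag"


def lint_workflow(text: str) -> list[Finding]:
    """Report every non-SHA action ref and every npm install of an @latest package."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.group(1), m.group(2)
            kind = classify_ref(ref)
            if kind != "sha":
                findings.append(Finding(lineno, kind, f"{action}@{ref}"))
        m = NPM_LATEST_RE.search(line)
        if m:
            findings.append(Finding(lineno, "npm-latest", m.group(1)))
    return findings


def blocking(findings: list[Finding]) -> list[Finding]:
    """Findings a release workflow should fail on: branch refs and @latest installs.
    Movable tags are reported as advisory only."""
    return [f for f in findings if f.kind in {"floating-branch", "npm-latest"}]


if __name__ == "__main__":
    found = lint_workflow(SAMPLE_WORKFLOW)
    for f in found:
        print(f"line {f.line}: {f.kind}: {f.detail}")
    raise SystemExit(1 if blocking(found) else 0)
```

Run against the sample it reports the two `@main` refs and the `npm@latest` install as blocking and `actions/checkout@v4` as advisory; pointing it at a real workflow file (read the file and pass its text to `lint_workflow`) gives the same classification. Treating tags as advisory rather than blocking is a policy choice: a tag can be moved by the action's maintainer, so teams that want full reproducibility for a publishing workflow would move that kind into the blocking set as well.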
