Conversation

@ryanbas21
Collaborator

@ryanbas21 ryanbas21 commented Sep 23, 2025

JIRA Ticket

n/a

Description

Final time I think! Can't be two files; it will use the original file, which breaks auth!

Summary by CodeRabbit

  • New Features
    • Enable manual triggering of snapshot publishing with selectable branch and dist-tag.
  • Chores
    • Consolidated snapshot publishing into a single CI workflow; removed the redundant snapshot workflow.
    • Standardized input descriptions and defaults for branch, dist-tag, prerelease, and access.
    • Added registry configuration and environment variables to improve reliability.
    • Retained build/test/e2e steps and clarified job names and labels for better visibility.

@changeset-bot

changeset-bot bot commented Sep 23, 2025

⚠️ No Changeset found

Latest commit: cec2065

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

@coderabbitai

coderabbitai bot commented Sep 23, 2025

Walkthrough

Reworked .github/workflows/publish.yml to run via workflow_dispatch, refactored the snapshot/trusted-publish job into a single “Publish Snapshots” job, added env vars and npm registry configuration, and wired branch selection via inputs. Removed .github/workflows/snapshot.yml that previously called the publish workflow.

Changes

  • Publish workflow refactor and env updates (.github/workflows/publish.yml): Switched trigger to workflow_dispatch with inputs; renamed/rewired trusted-publish → snapshot job; checkout uses inputs.branch; added nx-set-shas main-branch-name; added env vars (NX_CLOUD_DISTRIBUTED_EXECUTION, PNPM_CACHE_FOLDER, CODECOV_TOKEN, CI); set Node registry-url; kept build/test/e2e, added prerelease versioning and dist-tag publish steps.
  • Remove external snapshot caller (.github/workflows/snapshot.yml): Deleted the separate “Snapshots” workflow that previously invoked publish.yml via workflow_call with beta params.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer (manual)
  participant GH as GitHub Actions
  participant Repo as Repo
  participant NX as Nx Tasks
  participant NPM as npm Registry

  Dev->>GH: Run "Publish Snapshots"<br/>(workflow_dispatch with inputs.branch, dist_tag, prerelease, access)
  GH->>Repo: actions/checkout (ref = inputs.branch)
  GH->>GH: Setup Node (registry-url=https://registry.npmjs.org)
  GH->>GH: Set env (NX_CLOUD_DISTRIBUTED_EXECUTION, PNPM_CACHE_FOLDER, CODECOV_TOKEN, CI)
  GH->>NX: nx-set-shas(main-branch-name=main)
  GH->>NX: Build / Test / E2E CI
  alt prerelease flow
    GH->>Repo: Version packages as prerelease (inputs.prerelease)
    GH->>NPM: Publish packages (dist-tag=inputs.dist_tag, access=inputs.access)
  end
  GH-->>Dev: Job complete (artifacts/logs)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested reviewers

  • cerebrl
  • ancheetah

Poem

I thump the ground—dispatch on cue,
No shadow workflows calling through.
A branch to check, a tag to cast,
Snapshots hop to npm fast.
With clouds and caches neatly spun,
This bunny’s publish job is done. 🐇✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)
  • Description Check (⚠️ Warning): The description includes a JIRA header with "n/a" and a very brief note about why the change is needed, but it does not follow the repository template's expected detail: it omits which files were changed, whether a changeset was added, a clear, professional summary of the change, and any testing or verification steps, making the description too short and informal for reviewers. Resolution: Please expand the PR description to follow the template by listing the changed files and key edits, clearly explaining why consolidating to one file fixes the auth issue, stating whether a changeset was added, and including testing/verification steps and any related Jira ticket or additional context.
✅ Passed checks (2 passed)
  • Title Check (✅ Passed): The title "ci: move-to-one-file" is concise and accurately summarizes the primary change of consolidating CI workflow files into a single workflow, which matches the PR's modifications (removal of snapshot.yml and updates to publish.yml); it is specific enough for reviewers scanning history.
  • Docstring Coverage (✅ Passed): No functions found in the changes. Docstring coverage check skipped.

@nx-cloud

nx-cloud bot commented Sep 23, 2025

View your CI Pipeline Execution ↗ for commit cec2065

  • nx run-many -t build: ✅ Succeeded (<1s)
  • nx affected -t build typecheck lint test e2e-ci: ✅ Succeeded (10m 12s)
  • nx-cloud record -- nx format:check: ✅ Succeeded (1s)

☁️ Nx Cloud last updated this comment at 2025-09-23 23:17:12 UTC

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
.github/workflows/publish.yml (2)

178-181: Set registry-url in snapshot job too (consistency + npm auth wiring)

Without registry-url, npm may not write the expected .npmrc config; add it to mirror the push job.

Apply this diff:

      - uses: actions/setup-node@v4
        with:
          node-version-file: '.node-version'
          cache: 'pnpm'
+         registry-url: 'https://registry.npmjs.org'
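Review bot: the note should say what `registry-url` actually changes, because it is more than consistency: with it, setup-node writes an `.npmrc` that maps `//registry.npmjs.org/` to the `NODE_AUTH_TOKEN` variable, so a later `pnpm publish` either reads a token from that variable or, when none is set, falls back to OIDC trusted publishing, which is what the job's `id-token: write` permission enables. Stating that makes it clear the snapshot job is not silently depending on a token that nothing in the hunk provides.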

213-221: Add provenance and update lockfile before snapshot publish

  • After pnpm changeset version --snapshot run pnpm install --no-frozen-lockfile so the lockfile matches versioned packages (edit .github/workflows/publish.yml near the "Version Packages as prerelease" step).
  • Enable provenance on publish: add --provenance to pnpm publish (or set NPM_CONFIG_PROVENANCE: true / npm_config_provenance) and ensure the job has id-token: write so OIDC-based provenance can be minted (update publish steps in .github/workflows/publish.yml and any scripts that call pnpm publish, e.g. ci:release).

Apply this diff:

       - name: Version Packages as prerelease
         run: pnpm changeset version --snapshot ${{ inputs.prerelease }}
         env:
           GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

+      - name: Update lockfile after versioning
+        run: pnpm install --no-frozen-lockfile
+
       # The actual npm publish that must occur in the authorized file
       - name: Publish packages with dist-tag
-        run: pnpm publish -r --tag ${{ inputs.dist_tag }} --no-git-checks --access ${{ inputs.access }}
+        run: pnpm publish -r --tag ${{ inputs.dist_tag }} --no-git-checks --access ${{ inputs.access }} --provenance
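Review bot: the proposed `pnpm install --no-frozen-lockfile` after versioning can re-resolve third-party dependency ranges in the same run, not just the workspace versions that `changeset version --snapshot` bumped; if the goal is only a lockfile that matches the new package versions, `pnpm install --lockfile-only` does that without touching the already installed node_modules. Two things the diff relies on should be stated next to it: `--provenance` only works when the job keeps `id-token: write` (the permissions hunk later in this review does), and `--no-git-checks` has to stay because the versioning step leaves the working tree dirty.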
🧹 Nitpick comments (4)
.github/workflows/publish.yml (4)

31-34: Scope CODECOV_TOKEN to steps instead of top‑level env

Minimize secret exposure. Pass CODECOV_TOKEN only to steps that need it (nx-cloud start-ci-run and codecov) rather than in the global env.

Example (outside this hunk):

  • Remove CODECOV_TOKEN from the top-level env.
  • Add env: { CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} } to the two nx-cloud steps and the codecov step.

158-166: Tighten job permissions for snapshot path

issues/pull-requests write aren’t used here. Keep least-privilege: contents: read (or omit), id-token: write.

Apply this diff:

-    permissions:
-      contents: write
-      id-token: write
-      issues: write
-      pull-requests: write
+    permissions:
+      contents: read
+      id-token: write
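Review bot: the reduction to `contents: read` is safe only because no step in this job commits or pushes; the quoted `Version Packages as prerelease` step runs `changeset version --snapshot` and the publish step reads the modified tree in place with `--no-git-checks`, so nothing writes back to the repository, and the note should say so. It should also say that `permissions` scopes only the automatic `GITHUB_TOKEN`: the `secrets.GH_TOKEN` passed to the versioning step is a stored secret that this block does not limit, so the job's real write capability is whatever that token holds and needs to be reviewed on its own.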

62-62: Pass CODECOV_TOKEN to nx-cloud step via env (if you scope it down)

If you move CODECOV_TOKEN out of the global env, add it here:

Example (outside this hunk):

- run: pnpm dlx nx-cloud start-ci-run --distribute-on=".nx/workflows/dynamic-changesets.yml" --stop-agents-after="e2e-ci" --with-env-vars="CODECOV_TOKEN"
  env:
    CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

Repeat for the snapshot job’s analogous step.


213-217: Optional: include provenance in the push (changesets) path as well

Ensure pnpm ci:release publishes with provenance too; if not, add NPM_CONFIG_PROVENANCE: true to the changesets step env.

Example (outside this hunk):

- name: publish
  uses: changesets/action@v1
  env:
    HOME: ${{ github.workspace }}
    GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
    NPM_CONFIG_PROVENANCE: true

To verify, search your scripts for --provenance or an .npmrc with provenance=true (the script above checks this).

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 781dca6 and cec2065.

📒 Files selected for processing (2)
  • .github/workflows/publish.yml (3 hunks)
  • .github/workflows/snapshot.yml (0 hunks)
💤 Files with no reviewable changes (1)
  • .github/workflows/snapshot.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: pr
🔇 Additional comments (4)
.github/workflows/publish.yml (4)

6-12: Manual dispatch + branch input wiring: LGTM

Single entry workflow with workflow_dispatch and checkout ref: ${{ inputs.branch }} matches the “one file” trusted‑publisher requirement.


17-27: Explicit input types: LGTM

Adding type: string keeps inputs explicit and future‑proof.


58-58: Registry configured: LGTM

registry-url: https://registry.npmjs.org is correct for publish provenance/OIDC.


196-199: nx-set-shas main branch hint: LGTM

Setting main-branch-name: main is correct for affected calculations on dispatch.
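The following is an added, assembled example and not the workflow from the PR or from the ForgeRock/ping-javascript-sdk repository. It shows the snapshot job with the review's points applied together: least-privilege `permissions`, `registry-url` on setup-node, `CODECOV_TOKEN` scoped to the one step that forwards it, a lockfile refresh after versioning, and `--provenance` on publish. The inputs, step names, the `dynamic-changesets.yml` path, and the publish command are taken from the review above; the action versions, the pnpm setup step, `fetch-depth: 0`, the `nrwl/nx-set-shas` action name and the `snapshot` job name are assumptions.

```yaml
name: Publish Snapshots

on:
  workflow_dispatch:
    inputs:
      branch:
        description: Branch to publish from
        type: string
        default: main
      dist_tag:
        description: npm dist-tag for the snapshot
        type: string
        default: beta
      prerelease:
        description: Snapshot label passed to changeset version --snapshot
        type: string
        default: beta
      access:
        description: npm access level
        type: string
        default: public

env:
  # Non-secret CI settings only; CODECOV_TOKEN is deliberately not at this level.
  NX_CLOUD_DISTRIBUTED_EXECUTION: 'true'
  CI: 'true'

jobs:
  snapshot:  # assumed job name
    runs-on: ubuntu-latest
    # Least privilege: nothing in this job commits or pushes, so contents stays read.
    # id-token: write is what lets npm mint OIDC provenance for --provenance.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ inputs.branch }}
          fetch-depth: 0  # full history so nx-set-shas can find the base commit

      - uses: pnpm/action-setup@v4  # assumption: pnpm is installed by this action

      - uses: actions/setup-node@v4
        with:
          node-version-file: '.node-version'
          cache: 'pnpm'
          # Writes an .npmrc pointing the registry at NODE_AUTH_TOKEN; with no token
          # set, publish falls back to OIDC trusted publishing.
          registry-url: 'https://registry.npmjs.org'

      - run: pnpm install --frozen-lockfile

      - uses: nrwl/nx-set-shas@v4  # assumption: action name and version
        with:
          main-branch-name: main

      # The secret is passed only to the step that forwards it to the agents.
      - run: pnpm dlx nx-cloud start-ci-run --distribute-on=".nx/workflows/dynamic-changesets.yml" --stop-agents-after="e2e-ci" --with-env-vars="CODECOV_TOKEN"
        env:
          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

      - run: pnpm nx affected -t build typecheck lint test e2e-ci

      - name: Version Packages as prerelease
        run: pnpm changeset version --snapshot ${{ inputs.prerelease }}
        env:
          # A stored secret, not the automatic token: the permissions block above
          # does not limit it, so its scope must be reviewed separately.
          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

      # Keep pnpm-lock.yaml in step with the new workspace versions without
      # re-resolving third-party dependencies or touching node_modules.
      - name: Update lockfile after versioning
        run: pnpm install --lockfile-only

      # --no-git-checks is required because versioning leaves the tree dirty;
      # --provenance needs id-token: write from the permissions block.
      - name: Publish packages with dist-tag
        run: pnpm publish -r --tag ${{ inputs.dist_tag }} --no-git-checks --access ${{ inputs.access }} --provenance
```

The two deliberate differences from the review's own diff are `pnpm install --lockfile-only` in place of `--no-frozen-lockfile`, which limits the post-versioning install to the lockfile, and the absence of `CODECOV_TOKEN` from the top-level `env`, so the secret is visible only to the nx-cloud step.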

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 56.19%. Comparing base (b72ca28) to head (cec2065).
⚠️ Report is 6 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #420   +/-   ##
=======================================
  Coverage   56.19%   56.19%           
=======================================
  Files          32       32           
  Lines        2091     2091           
  Branches      353      353           
=======================================
  Hits         1175     1175           
  Misses        916      916           

@github-actions
Contributor

Deployed 85bdb75 to https://ForgeRock.github.io/ping-javascript-sdk/pr-420/85bdb75a1e947a992a58ce01b3c2d3e2ca29694d branch gh-pages in ForgeRock/ping-javascript-sdk

@github-actions
Contributor

📦 Bundle Size Analysis

➖ No Changes

@forgerock/davinci-client - 34.5 KB
@forgerock/sdk-utilities - 4.0 KB
@forgerock/device-client - 9.2 KB
@forgerock/sdk-types - 5.9 KB
@forgerock/protect - 150.1 KB
@forgerock/sdk-oidc - 2.5 KB
@forgerock/sdk-logger - 1.6 KB
@forgerock/storage - 1.4 KB
@forgerock/sdk-request-middleware - 4.4 KB
@forgerock/iframe-manager - 2.4 KB
@forgerock/oidc-client - 23.1 KB


11 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated
  • Current Size: Total gzipped size of all files in the package's dist directory
  • Baseline: Comparison against the latest build from the main branch
  • Files included: All build outputs except source maps and TypeScript build cache
  • Exclusions: .map, .tsbuildinfo, and .d.ts.map files

🔄 Updated automatically on each push to this PR

@ryanbas21 ryanbas21 merged commit b34a61a into main Sep 24, 2025
4 checks passed
@ryanbas21 ryanbas21 deleted the use-trusted-publishers branch September 24, 2025 15:54
3 participants