Skip to content

CLOUDPLAT-3217: add npm publish workflow#169

Closed
haseebehsan wants to merge 4 commits into
masterfrom
CLOUDPLAT-3217-oidc-npm-publish
Closed

CLOUDPLAT-3217: add npm publish workflow#169
haseebehsan wants to merge 4 commits into
masterfrom
CLOUDPLAT-3217-oidc-npm-publish

Conversation

@haseebehsan

@haseebehsan haseebehsan commented Jun 17, 2026
edited by atlassian Bot
Loading

Copy link
Copy Markdown

Jira: CLOUDPLAT-3217

Changes

  • .github/workflows/npm-release.yml: New workflow_dispatch workflow that publishes to npm and creates a GitHub release.
  • package.json: Added publishConfig: { access: "public" } for the scoped package. Bumped version to 9.4.2.
  • CONTRIBUTING.md: Documents the release process — bump version, update CHANGELOG, merge PR, trigger workflow from Actions.

Note

This PR is blocked on mapbox/gha-public being made public. The reusable workflow referenced in npm-release.yml will not be accessible to this repo until gha-public is a public repository.

@haseebehsan haseebehsan added the ai AI coding agents co-authored the code label Jun 17, 2026
@haseebehsan haseebehsan requested a review from a team as a code owner June 17, 2026 09:23
github-advanced-security[bot]
github-advanced-security AI found potential problems Jun 17, 2026
View reviewed changes
Comment thread .github/workflows/npm-release.yml Fixed
@ox-security

ox-security Bot commented Jun 17, 2026
edited
Loading

Copy link
Copy Markdown

OX Security Logo

Successfully scanned changes introduced in a pull request into master from CLOUDPLAT-3217-oidc-npm-publish.

Internal scan identifier: f653eff0-8842-4352-b6dd-5002c68a74dc.

Total issues Blocking issues Scan status
1 0 ✔️
Category Issues
CI/CD Posture 1

See all issues found during this scan in the OX Security Application.

Detailed information
Issue #1
NameUnpinned Reusable Workflow • GitHub Actions
StatusNew
EnforcementMonitor
SeverityHigh
CategoryCI/CD Posture
Source toolsOX CI/CD Posture
RecommendationPin reusable workflows to a full-length commit SHA (40 characters) instead of a tag or branch. Example: uses: org/repo/.github/workflows/build.yml@a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
1 aggregation
FileMatch
.github/workflows/npm-release.ymluses: mapbox/gha-public/.github/workflows/workflow-npm-oidc-publish.yml@main

@haseebehsan haseebehsan mentioned this pull request Jun 17, 2026
Closed
ryndaniels
ryndaniels reviewed Jun 17, 2026
View reviewed changes
Comment thread CONTRIBUTING.md
@haseebehsan

haseebehsan commented Jun 18, 2026

Copy link
Copy Markdown
Author

closing in favor or automatically created PR #170

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ryndaniels ryndaniels ryndaniels approved these changes

+1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

ai AI coding agents co-authored the code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@haseebehsan @ryndaniels @github-advanced-security