
Conversation

@Shinigami92 (Member) commented Aug 18, 2025

closes #27

Summary by CodeRabbit

  • Chores
    • CI workflow now triggers when pull requests are labeled.
    • Pipeline updated to upgrade npm to the latest version before installing dependencies.
    • Pinned the changesets action to a specific, stable revision to ensure consistent releases.
    • Simplified release step environment configuration by removing unused variables.

@Shinigami92 Shinigami92 self-assigned this Aug 18, 2025
@Shinigami92 Shinigami92 added the `c: infra` label (Changes to our infrastructure or project setup) Aug 18, 2025

changeset-bot bot commented Aug 18, 2025

⚠️ No Changeset found

Latest commit: 3fd7750

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


coderabbitai bot commented Aug 18, 2025

Walkthrough

Updated the GitHub Actions release workflow to add an "Update npm" step before installing dependencies, change the changesets action reference to a specific commit, and remove NPM_TOKEN and NPM_CONFIG_PROVENANCE from the publish step environment while keeping GITHUB_TOKEN.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions release workflow<br>`.github/workflows/release.yml` | Added an "Update npm" step (`npm install -g npm@latest`) before dependency installation; updated `uses` for changesets/action to a specific commit (e0145ed...) with `# v1.5.3` annotation; removed NPM_CONFIG_PROVENANCE and NPM_TOKEN from the publish step env, retained GITHUB_TOKEN. |

Sequence Diagram(s)

sequenceDiagram
  participant Dev as Developer (labels PR)
  participant GH as GitHub Actions (release.yml)
  participant Registry as npm Registry

  Dev->>GH: Label PR / trigger workflow
  GH->>GH: Update npm (npm install -g npm@latest)
  GH->>GH: Install dependencies
  GH->>Registry: Publish using GITHUB_TOKEN / OIDC (no NPM_TOKEN)

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Assessment against linked issues

| Objective | Addressed | Explanation |
|---|---|---|
| Switch to trusted publishing for npm (#27) | | No workflow changes shown to enable OIDC, id-token permission, or trusted publisher mapping; only removal of NPM_TOKEN and provenance. |

Poem

Thump-thump, I hop and tweak the flow,
npm's updated, on with the show.
Tokens trimmed, I trust the sky,
Releases bounce — a carrot-sky hi! 🥕

github-actions bot (Contributor) commented Aug 18, 2025

Coverage Report

| Status | Category | Percentage | Change | Covered / Total |
|---|---|---|---|---|
| 🔴 | Lines | 6.15% (🎯 90%) | 🟰 ±0% | 35 / 569 |
| 🔴 | Statements | 6.15% (🎯 90%) | 🟰 ±0% | 35 / 569 |
| 🔴 | Functions | 38.23% (🎯 90%) | 🟰 ±0% | 13 / 34 |
| 🔴 | Branches | 54.16% (🎯 85%) | 🟰 ±0% | 13 / 24 |
File Coverage
| File | Stmts | Branches | Functions | Lines | Uncovered Lines |
|---|---|---|---|---|---|
| **Unchanged Files** | | | | | |
| examples/cat-rest-api/src/app.ts | 100% | 100% | 100% | 100% | |
| examples/cat-rest-api/src/main.ts | 0% | 0% | 0% | 0% | 1-8 |
| examples/cat-rest-api/src/cats/cat.controller.ts | 0% | 0% | 0% | 0% | 1-81 |
| examples/cat-rest-api/src/cats/cat.dto.ts | 0% | 100% | 100% | 0% | 3-13 |
| examples/cat-rest-api/src/natives/native.controller.ts | 0% | 0% | 0% | 0% | 1-17 |
| packages/core/src/auralis.ts | 8.96% | 100% | 25% | 8.96% | 84-89, 93-168, 172-286, 290-291, 294-318, 321-344 |
| packages/core/src/index.ts | 0% | 100% | 100% | 0% | 2-17 |
| packages/core/src/decorators/controller.decorator.ts | 0% | 100% | 100% | 0% | 2-30 |
| packages/core/src/decorators/delete.decorator.ts | 0% | 0% | 0% | 0% | 1-8 |
| packages/core/src/decorators/get.decorator.ts | 0% | 0% | 0% | 0% | 1-8 |
| packages/core/src/decorators/http-method.decorator.ts | 0% | 100% | 100% | 0% | 2-36 |
| packages/core/src/decorators/patch.decorator.ts | 0% | 0% | 0% | 0% | 1-8 |
| packages/core/src/decorators/path-variable.decorator.ts | 0% | 100% | 100% | 0% | 2-29 |
| packages/core/src/decorators/post.decorator.ts | 0% | 0% | 0% | 0% | 1-8 |
| packages/core/src/decorators/put.decorator.ts | 0% | 0% | 0% | 0% | 1-8 |
| packages/core/src/decorators/request-body.decorator.ts | 0% | 100% | 100% | 0% | 2-32 |
| packages/core/src/decorators/request.decorator.ts | 0% | 100% | 100% | 0% | 2-32 |
| packages/core/src/decorators/response.decorator.ts | 0% | 100% | 100% | 0% | 2-32 |
| packages/core/src/decorators/rest-controller.decorator.ts | 0% | 100% | 100% | 0% | 2-33 |
| packages/core/src/errors/auralis-response.error.ts | 27.77% | 0% | 0% | 27.77% | 7-9, 12-21 |
| packages/core/src/errors/internal-server-response.error.ts | 57.14% | 100% | 0% | 57.14% | 5-7 |
| packages/core/src/errors/not-found-response.error.ts | 57.14% | 100% | 0% | 57.14% | 5-7 |
| packages/core/src/factories/auralis.factory.ts | 0% | 0% | 0% | 0% | 1-12 |
| packages/core/src/utilities/constructor.util.ts | 100% | 100% | 100% | 100% | |
| packages/core/src/utilities/param-names.util.ts | 0% | 0% | 0% | 0% | 1-11 |
| packages/core/src/utilities/registry.util.ts | 0% | 100% | 100% | 0% | 2-29 |
Generated in workflow #65 for commit 3fd7750 by the Vitest Coverage Report Action

@Shinigami92 Shinigami92 force-pushed the infra-enable-trusted-publishing branch from ae65b32 to 5ce0e85 on August 18, 2025 15:34

@coderabbitai bot left a comment

Actionable comments posted: 0

🔭 Outside diff range comments (1)
.github/workflows/release.yml (1)

54-56: Re-enable provenance to attach SLSA metadata to npm publishes

You removed NPM_CONFIG_PROVENANCE. While OIDC auth enables trusted publishing without NPM_TOKEN, you still need provenance enabled to embed build provenance in the package. The safest way is to set the npm config via env so all internal npm publish invocations inherit it.

Apply this diff:

         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
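Review bot: `NPM_CONFIG_PROVENANCE: true` on its own will not yield an attestation; provenance is signed with the job's OIDC token, so the job also needs `permissions: id-token: write`, which the assessment table at the top of this PR already flags as absent from the diff. Suggest adding that permission in the same hunk, next to the existing `GITHUB_TOKEN` line, so the provenance setting and the permission it depends on land together.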

Alternatively, ensure your publish command includes --provenance or run a prior step npm config set provenance true.

🧹 Nitpick comments (3)
.github/workflows/release.yml (3)

7-9: Guard PR-labeled runs to a specific label to avoid unintended releases

Triggering on any label event can fire this workflow frequently. If the intent is to only act on a specific release label, add a job-level guard.

Apply this diff to restrict the job to either pushes (main) or PRs labeled with "release":

 jobs:
   release:
     name: Release
+    if: ${{ github.event_name == 'push' || (github.event_name == 'pull_request' && github.event.action == 'labeled' && github.event.label.name == 'release') }}
     runs-on: ubuntu-latest
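Review bot: the condition does not match the lead-in text "pushes (main)": `github.event_name == 'push'` admits a push to any branch the `on:` block allows, so add `&& github.ref == 'refs/heads/main'` unless the push trigger already filters branches. Worth stating in the comment as well that a `pull_request` run from a fork receives a read-only `GITHUB_TOKEN` and no repository secrets, so a release attempt on a labeled fork PR fails rather than publishing, which is the safe direction but should be an explicit design choice.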

40-43: Pin npm to a minimum version instead of floating to latest

Using npm@latest harms reproducibility and may introduce breaking changes unexpectedly. Since trusted publishing requires a minimum npm version, pin to a semver range that satisfies it.

Apply this diff:

-      - name: Update npm
-        run: npm install -g npm@latest
+      - name: Update npm
+        run: npm install -g npm@^11.5.1
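Review bot: `npm@^11.5.1` still resolves to the newest 11.x at run time, so this hunk gives a version floor, not the reproducibility the lead-in promises. If reproducible runs are the goal, pin an exact version and bump it deliberately; if only the 11.5.1 floor matters, keep the caret range and say so in the step name.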

34-39: Set npm registry in setup-node for trusted publishing

Explicitly configuring the npm registry ensures the CLI talks to the public npm registry and sets auth appropriately in the environment. This is a common prerequisite in trusted publisher setups.

Apply this diff:

       - name: Setup Node.js LTS
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: lts/*
           cache: pnpm
+          registry-url: 'https://registry.npmjs.org'
+          always-auth: true
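Review bot: `always-auth: true` forces credentials on every registry request, including installs, and has no bearing on `npm publish`; with `NPM_TOKEN` removed from the env (see the walkthrough above) there is no token for it to send, so drop that line and keep only `registry-url`.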
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between f5b8ba3 and ae65b32.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (2 hunks)

@Shinigami92 Shinigami92 force-pushed the infra-enable-trusted-publishing branch from 5ce0e85 to 31c6543 on August 18, 2025 15:38
@Shinigami92 Shinigami92 force-pushed the infra-enable-trusted-publishing branch from 31c6543 to 3fd7750 on August 18, 2025 15:42

@coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

37-40: Pin npm to a minimum version instead of using latest.

Using npm@latest makes the workflow fragile to upstream breaking changes. Since the comment states “Ensure npm 11.5.1 or later,” pin to a caret range and log the version.

Apply this diff:

-      # Ensure npm 11.5.1 or later is installed
-      - name: Update npm
-        run: npm install -g npm@latest
+      # Ensure npm 11.5.1 or later is installed
+      - name: Update npm
+        run: |
+          npm i -g npm@^11.5.1
+          npm --version
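Review bot: `npm --version` only logs the resolved version; if the intent is to enforce the "11.5.1 or later" comment, fail the step when the resolved version is below 11.5.1 instead of printing it. The caret range also still floats within 11.x, so this is a floor rather than a pin, which is fine for the stated goal but differs from "pin" in the heading.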
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between ae65b32 and 3fd7750.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
🔇 Additional comments (2)
.github/workflows/release.yml (2)

46-46: Good: Pinning changesets/action to a specific commit.

Pinning to the v1.5.3 commit hash improves supply-chain security and reproducibility. LGTM.

44-53: Publish step uses npm CLI via Changesets – no updates needed

Verified that your workflow’s publish: pnpm release invokes the root release script (pnpm build && changeset publish), and changeset publish shells out to npm publish by default. Trusted Publishing’s OIDC token will be applied as expected.
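The two reviews above turn on three checks a maintainer can run against the workflow file itself: every `uses:` reference pinned to a full commit SHA with a version comment, no floating `npm@latest` upgrade, and the `id-token: write` permission that npm trusted publishing and provenance both require once NPM_TOKEN is gone. The following static audit is an added example written for this page, not the project's own tooling or CodeRabbit's output. The sample workflow it scans is constructed; it borrows only the setup-node pin quoted in the review, and the all-zero and all-one SHAs are placeholders rather than real commits.

```python
"""Static checks for a GitHub Actions release workflow, covering the points
raised in the reviews above: actions pinned to full commit SHAs (with a
version comment), no floating `npm@latest` upgrade, and the `id-token: write`
permission that npm trusted publishing and provenance both depend on.

Added example for this page, not the project's own tooling. The sample
workflow is constructed; it borrows only the setup-node pin quoted in the
review, and the all-zero / all-one SHAs are placeholders, not real commits."""
import re

SHA40 = re.compile(r"^[0-9a-f]{40}$")
VERSION_COMMENT = re.compile(r"^v?\d+(\.\d+)*$")  # e.g. "v4.4.0"
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?")
NPM_LATEST = re.compile(r"npm\s+(?:i|install)\s+-g\s+npm@latest")


def audit_workflow(text: str) -> list[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    findings: list[str] = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m:
            ref, comment = m.group(1), m.group(2)
            # Local actions (./path) and docker:// images are out of scope here.
            if "@" in ref and not ref.startswith("docker://"):
                action, version = ref.rsplit("@", 1)
                if not SHA40.match(version):
                    findings.append(
                        f"line {n}: {action} uses mutable ref '{version}'; pin a full commit SHA")
                elif not (comment and VERSION_COMMENT.match(comment)):
                    findings.append(
                        f"line {n}: {action} is SHA-pinned but lacks a '# vX.Y.Z' comment")
        if NPM_LATEST.search(line):
            findings.append(
                f"line {n}: 'npm@latest' floats between runs; pin a range such as npm@^11.5.1")
    # Trusted publishing replaces NPM_TOKEN with an OIDC token, which GitHub only
    # issues to jobs that hold the id-token: write permission.
    has_npm_token = re.search(r"^\s*NPM_TOKEN:", text, re.M) is not None
    has_id_token = re.search(r"^\s*id-token:\s*write\s*$", text, re.M) is not None
    if not has_npm_token and not has_id_token:
        findings.append(
            "no NPM_TOKEN and no 'id-token: write' permission: OIDC trusted publishing "
            "cannot mint a publish token and provenance cannot be attested")
    return findings


# Constructed sample modelled on the workflow under review (not the real file).
SAMPLE_WORKFLOW = """\
name: Release
on:
  push:
    branches: [main]
  pull_request:
    types: [labeled]
permissions:
  contents: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js LTS
        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      - name: Update npm
        run: npm install -g npm@latest
      - name: Create Release Pull Request or Publish
        uses: changesets/action@0000000000000000000000000000000000000000
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# The same workflow with the review suggestions applied. SHAs stay placeholders
# (all ones / all zeros); the version comments are only there to satisfy the check.
HARDENED_WORKFLOW = (
    SAMPLE_WORKFLOW
    .replace("permissions:\n  contents: write",
             "permissions:\n  contents: write\n  id-token: write")
    .replace("actions/checkout@v4",
             "actions/checkout@1111111111111111111111111111111111111111 # v4")
    .replace("npm install -g npm@latest", "npm install -g npm@^11.5.1")
    .replace("@0000000000000000000000000000000000000000",
             "@0000000000000000000000000000000000000000 # v1.5.3")
)

if __name__ == "__main__":
    for finding in audit_workflow(SAMPLE_WORKFLOW) or ["no findings"]:
        print(finding)
    print("hardened:", audit_workflow(HARDENED_WORKFLOW) or "clean")
```

Running the script reports four findings for the constructed sample (the tag-pinned checkout, the floating npm upgrade, the SHA pin without a version comment, and the missing `id-token: write`) and none for the hardened copy. The line-based regexes deliberately avoid a YAML dependency so the check can run in a pre-commit hook; a full YAML parser would be the next step if the workflow grows `uses:` entries inside reusable-workflow `jobs`.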

Successfully merging this pull request may close these issues.

Switch to trusted publishing for npm