chore: normaliza repository url #927
🧪 Storybook is successfully deployed!
🏋️ Size limit report
Bug: Release workflow lacks OIDC auth after token deletion
The release workflow deletes the .npmrc auth token but doesn't configure OIDC/provenance for changeset publish. The canary publish correctly uses --provenance flag (line 94), but the release workflow relies on changeset publish which won't use OIDC without either NPM_CONFIG_PROVENANCE=true environment variable or a modified publish command. Since the auth token is deleted and NPM_TOKEN is not set, the release publish may fail with authentication errors.
.github/workflows/publish.yml#L160-L168
cube-ui-kit/.github/workflows/publish.yml
Lines 160 to 168 in c263cad
```yaml
- name: Clear .npmrc auth token (use OIDC instead)
  run: npm config delete //registry.npmjs.org/:_authToken || true
- name: Create Release Pull Request or Publish to npm
  id: changesets
  uses: changesets/action@v1
  with:
    publish: pnpm release
```
The GitHub environment name must match exactly between the workflow and npmjs.com trusted publisher config. Since we document leaving environment empty on npmjs.com, the workflow should not use an environment either.
| - name: Verify npm version and OIDC availability | ||
| run: | | ||
| echo "npm version: $(npm --version)" | ||
| echo "OIDC available: ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL != '' }}" |
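Review bot: The "Verify npm version and OIDC availability" step only echoes values and always succeeds, so a job that has no ID token still continues past it and the problem surfaces only at the publish step. If this step is meant as a gate rather than a diagnostic, read the variable in shell and exit non-zero when it is empty, for example `[ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ] || exit 1`.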
Bug: OIDC availability check always evaluates to false
The OIDC verification step uses ${{ env.ACTIONS_ID_TOKEN_REQUEST_URL != '' }} to check OIDC availability, but this will always evaluate to false. The ACTIONS_ID_TOKEN_REQUEST_URL is a runtime environment variable injected by GitHub Actions infrastructure, not accessible via the workflow's env context (which only includes variables defined in env: blocks). To check this variable, shell syntax like $ACTIONS_ID_TOKEN_REQUEST_URL must be used instead of the expression context. The diagnostic output will always show "OIDC available: false" regardless of actual OIDC availability, providing misleading information during troubleshooting.
Additional Locations (1)
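A runtime version of the check discussed in the comment above, as an added example that is not part of this PR or the project's workflow. It reads the runner-injected variables in shell instead of the `env` expression context and also compares the npm version against a minimum; the function names and the `MIN_NPM` default (npm's documented minimum CLI version for trusted publishing, treated here as an assumption) are not from the page.

```shell
# Added example: preflight for npm trusted publishing inside a GitHub Actions job.
# MIN_NPM is an assumption (override it if your registry setup differs).
MIN_NPM="${MIN_NPM:-11.5.1}"

# version_ge A B: succeeds when dotted version A >= B (major.minor.patch, numeric).
version_ge() {
  vg_a="${1%%-*}.0.0"   # drop any prerelease suffix, pad missing fields with 0
  vg_b="${2%%-*}.0.0"
  for vg_i in 1 2 3; do
    vg_x=$(printf '%s' "$vg_a" | cut -d. -f"$vg_i")
    vg_y=$(printf '%s' "$vg_b" | cut -d. -f"$vg_i")
    if [ "$vg_x" -gt "$vg_y" ]; then return 0; fi
    if [ "$vg_x" -lt "$vg_y" ]; then return 1; fi
  done
  return 0
}

# oidc_preflight NPM_VERSION: prints diagnostics, returns 0 only if OIDC can be used.
oidc_preflight() {
  op_rc=0
  # Both variables are set by the runner at job runtime when the job has
  # `permissions: id-token: write`; they are not part of the `env` context.
  if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] &&
     [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "OIDC available: true"
  else
    echo "OIDC available: false"
    op_rc=1
  fi
  if version_ge "$1" "$MIN_NPM"; then
    echo "npm $1 meets the minimum $MIN_NPM"
  else
    echo "npm $1 is older than the minimum $MIN_NPM"
    op_rc=1
  fi
  return "$op_rc"
}

# In a workflow step: oidc_preflight "$(npm --version)" || exit 1
```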
📦 NPM canary release
Deployed canary version 0.0.0-canary-1e090a8.
| env: | ||
| NODE_OPTIONS: --max-old-space-size=4096 | ||
| outputs: | ||
| published: ${{ steps.changesets.outputs.published }} |
Bug: Missing fallback for published output may skip Chromatic
The old workflow had a defensive fallback ${{ jobs.publish-release.outputs.published || 'false' }} ensuring that if the published output wasn't set, it would default to 'false'. The new code directly passes ${{ steps.changesets.outputs.published }} without this fallback. If the changesets action fails to set the output for any reason, needs.publish-release.outputs.published would be empty, causing the condition == 'false' to evaluate to false, and deploy-chromatic-release would silently be skipped instead of running as expected when no release was published.
Note
Move to npm Trusted Publishing (OIDC), consolidate canary/release into a single publish workflow, adjust PR CI, and update docs; also normalize repository URL.
- publish.yml now handles canary (on PR) and releases (on push to main), adds OIDC auth/provenance, concurrency control, and Chromatic deploy on non-publish pushes.
- pull-request.yml now runs tests/lint and Chromatic staging; adds a no-op build-canary-status to satisfy checks. Canary publish moved into publish.yml.
- main.yml (release workflow) deleted.
- .github/PUBLISHING.md with trusted publishing setup, benefits, troubleshooting, and workflow consolidation details.
- repository.url to git+https://....

Written by Cursor Bugbot for commit 9adeca4. This will update automatically on new commits.