Conversation

JounQin (Member) commented Aug 18, 2025

https://docs.npmjs.com/trusted-publishers


Important

Enable trusted publishing by upgrading npm and streamlining configurations in CI/CD workflows.

  • CI/CD Workflows:
    • Upgrade npm to latest version in release.yml for trusted publishing.
    • Remove obsolete environment configuration from Node.js setup in release.yml.
    • Streamline publish step configuration in release.yml.
  • Misc:
    • Update Node.js version to 24.5 in ci.yml due to issue #59480.
    • No user-facing changes.

This description was created by Ellipsis for 6e3eb34.


Summary by CodeRabbit

  • Chores

    • Added an npm upgrade step to the release workflow.
    • Removed an obsolete SKIP_YARN_COREPACK_CHECK environment entry from Node.js setup.
    • Updated CI matrix to replace Node.js 24 with 24.5 (note/comment added).
    • Removed provenance and token settings from the publish/release step.
  • Notes

    • No user-facing changes.

@JounQin JounQin self-assigned this Aug 18, 2025
changeset-bot commented Aug 18, 2025

⚠️ No Changeset found

Latest commit: 1a0abf0

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


coderabbitai bot commented Aug 18, 2025

Walkthrough

Updated GitHub Actions workflows: added an "Upgrade npm" step in the release workflow, removed an env var from Node.js setup and removed NPM provenance/token settings from the release publish step; adjusted the CI matrix by replacing Node.js 24 with 24.5 and adding a comment referencing Node.js issue #59480.

Changes

Release workflow updates (.github/workflows/release.yml): Added a step that runs npm install -g npm@latest after the Node.js LTS setup; removed the env entry SKIP_YARN_COREPACK_CHECK: 1 from the Node.js setup step; removed NPM_CONFIG_PROVENANCE: true and the NPM_TOKEN: ${{ secrets.NPM_TOKEN }} declaration from the "Create Release Pull Request or Publish to npm" step.

CI matrix update (.github/workflows/ci.yml): Replaced Node.js 24 with 24.5 in the test matrix and added a comment referencing Node.js issue #59480 above the 24.5 entry.

Sequence Diagram(s)

sequenceDiagram
  participant Repo as Repository
  participant Runner as GitHub Actions Runner
  participant Registry as npm Registry

  Repo->>Runner: Trigger release workflow
  Runner->>Runner: Setup Node.js (LTS)
  Runner->>Runner: Upgrade npm (npm install -g npm@latest)
  Runner->>Runner: Build / prepare release
  Runner->>Registry: Publish package (no NPM_TOKEN configured)
  Registry-->>Runner: Publish response

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A rabbit hopped into CI light,
Upgraded npm to make things right,
Trimmed the old envs and token thread,
Tests now chase a newer spread.
Thump—release burrow full of flight. 🐇✨

codesandbox-ci bot commented Aug 18, 2025

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

pkg-pr-new bot commented Aug 18, 2025

npm i https://pkg.pr.new/eslint-plugin-import-x@419

commit: 1a0abf0

ellipsis-dev bot left a comment

Important

Looks good to me! 👍

Reviewed everything up to 42b48c9 in 1 minute and 16 seconds.
  • Reviewed 24 lines of code in 1 file
  • Skipped 0 files when reviewing.
  • Skipped posting 2 draft comments. View those below.
1. .github/workflows/release.yml:29
  • Draft comment:
    Removal of SKIP_YARN_COREPACK_CHECK:1 was done without explanation. Confirm that upgrading npm now obviates that workaround and add a comment referencing the GitHub issue for context.
  • Reason this comment was not posted:
    Comment was not on a location in the diff, so it can't be submitted as a review comment.
2. .github/workflows/release.yml:53
  • Draft comment:
    Setting NPM_TOKEN to an empty string disables npm auth. Verify this is intentional for trusted publishing and add a clarifying comment so future maintainers understand the rationale.
  • Reason this comment was not posted:
    Decided after close inspection that this draft comment was likely wrong and/or not actionable: usefulness confidence = 10% vs. threshold = 50% The comment asks for verification and explanation, which violates our rules. It's asking the author to confirm their intention and add documentation. While the suggestion might be well-intentioned, we should trust that the author knows what they're doing with npm authentication in their release workflow. Maybe understanding npm authentication is critical for security, and having clear documentation about intentionally disabled auth could prevent future security issues? While documentation is good, our rules explicitly state not to ask authors to verify their intentions or add explanatory comments. The change is likely intentional given it's in a release workflow. Delete the comment as it violates our rules by asking for verification and additional documentation.


codacy-production bot commented Aug 18, 2025

Coverage summary from Codacy

Coverage variation: +0.00% (target: -1.00%)
Diff coverage: ∅ (not applicable)

Coverage variation details

                                  Coverable lines   Covered lines   Coverage
Common ancestor commit (d0a7816)  3722              3561            95.67%
Head commit (1a0abf0)             3722 (+0)         3561 (+0)       95.67% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

                     Coverable lines   Covered lines   Diff coverage
Pull request (#419)  0                 0               ∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

codecov bot commented Aug 18, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.10%. Comparing base (d0a7816) to head (1a0abf0).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #419   +/-   ##
=======================================
  Coverage   96.10%   96.10%           
=======================================
  Files          96       96           
  Lines        4952     4952           
  Branches     1862     1837   -25     
=======================================
  Hits         4759     4759           
  Misses        192      192           
  Partials        1        1           


coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

33-35: Pin npm to a minimum trusted-publishing-capable version instead of latest.

Upgrading to npm@latest can introduce volatility. For npm Trusted Publishers, you only need a recent 10.x. Pin to a safe minimum to keep builds reproducible.

Apply:

-      - name: Upgrade npm
-        run: npm install -g npm@latest
+      - name: Upgrade npm
+        run: npm install -g npm@^10.8.0
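Review bot: the replacement 'npm install -g npm@^10.8.0' still floats, since a caret range resolves to whatever 10.x is newest when the job runs, so the reproducibility this comment aims for is not achieved; only an exact npm@X.Y.Z gives that. Whatever version is pinned also has to be one that supports trusted publishing, which is the reason the PR upgrades npm at all (the description links docs.npmjs.com/trusted-publishers), so check the minimum version documented there before pinning below latest.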
📥 Commits

Reviewing files that changed from the base of the PR and between d0a7816 and 42b48c9.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (2 hunks)
🔇 Additional comments (1)
.github/workflows/release.yml (1)

52-53: Confirmed: changeset publish uses npm CLI
We’ve verified that your release script ("clean-pkg-json && changeset publish") does not invoke yarn npm publish or any Yarn-based publish plugin. By default, Changesets calls the npm CLI under the hood, so removing NPM_TOKEN and relying on OIDC is correct.

Optional: if you’d like package provenance, add to your package.json:

{
  "publishConfig": {
    "provenance": true
  }
}

ellipsis-dev bot left a comment

Important

Looks good to me! 👍

Reviewed 6e3eb34 in 57 seconds.
  • Reviewed 14 lines of code in 1 file
  • Skipped 0 files when reviewing.
  • Skipped posting 1 draft comment. View it below.
1. .github/workflows/ci.yml:25
  • Draft comment:
    Replaced Node 24 with 24.5 per nodejs/node#59480. Confirm this minor version meets your CI requirements.
  • Reason this comment was not posted:
    Confidence changes required: 33% <= threshold 50% None


coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

24-25: Good pin; quote or use 24.5.x to avoid YAML coercion and ease future patch uptake

Pinning to Node 24.5 with a link to the upstream issue is sensible. Two small nits:

  • Quote the version (or use 24.5.x) so YAML doesn’t treat it as a float and to make intent clear.
  • Optional: make the comment explicit that this is temporary and should be reverted to 24 when the issue is resolved.

Apply this diff:

-          # https://github.com/nodejs/node/issues/59480
-          - 24.5
+          # Temporary pin due to https://github.com/nodejs/node/issues/59480 — revert to '24' once resolved
+          - "24.5.x"
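Review bot: the quoting in '- "24.5.x"' is the part to keep in any case: an unquoted 24.5 happens to survive as a YAML float with the same text, but a value such as 24.10 would be read as the number 24.1, so matrix versions should always be strings. Note that the trailing .x admits future 24.5 patch releases automatically, which is a range rather than a pin, so it only fits if the upstream issue is not specific to one patch level.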
📥 Commits

Reviewing files that changed from the base of the PR and between 42b48c9 and 6e3eb34.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml (1 hunks)

coderabbitai bot left a comment

Actionable comments posted: 0

🔭 Outside diff range comments (1)
.github/workflows/release.yml (1)

44-53: Enable Provenance for Trusted Publishing

Your release path (yarn release → clean-pkg-json && changeset publish) doesn’t pass the --provenance flag or set NPM_CONFIG_PROVENANCE, so npm Trusted Publishing under OIDC may fail. Please update your workflow to include provenance:

  • File: .github/workflows/release.yml (lines 44–53)

         - name: Create Release Pull Request or Publish to npm
           id: changesets
           uses: changesets/action@v1
           with:
             commit: 'chore: release eslint-plugin-import-x'
             title: 'chore: release eslint-plugin-import-x'
             publish: yarn release
           env:
-            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            NPM_CONFIG_PROVENANCE: true
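Review bot: this re-adds NPM_CONFIG_PROVENANCE: true, which the PR deliberately removes (the walkthrough above lists it among the settings dropped from the publish step), and it contradicts the earlier review in this thread that treated provenance as optional and suggested publishConfig.provenance in package.json instead; the two recommendations should be reconciled before either is applied. The added GITHUB_TOKEN line is identical to the removed one above it, so the hunk's only effective change is the provenance entry.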

Alternatively, adjust your release script in package.json to invoke npm publish with --provenance. This guarantees that provenance metadata is recorded during the publish step.

♻️ Duplicate comments (1)
.github/workflows/release.yml (1)

44-53: Removing NPM_TOKEN aligns with Trusted Publishers; no need to set it to an empty string.

Agree with dropping NPM_TOKEN entirely to avoid _authToken=undefined churn in Changesets. This matches prior feedback.

🧹 Nitpick comments (2)
.github/workflows/release.yml (2)

33-35: Make npm upgrade deterministic (pin version or use Corepack) instead of floating latest.

Using npm@latest can introduce nondeterministic CI behavior when npm releases new versions. Prefer pinning to a supported major/minor that satisfies Trusted Publishers, or activate it via Corepack for this job scope.

Apply one of the following diffs:

Option A — pin a major for stability:

-      - name: Upgrade npm
-        run: npm install -g npm@latest
+      - name: Upgrade npm
+        run: npm install -g npm@10

Option B — activate with Corepack (scoped to the job, avoids global mutation):

-      - name: Upgrade npm
-        run: npm install -g npm@latest
+      - name: Upgrade npm
+        run: |
+          corepack enable
+          corepack prepare npm@10 --activate
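Review bot: 'corepack enable' with no package manager named installs shims for yarn and pnpm but not npm, which Corepack leaves out by default because it ships with Node.js; after this step the npm on PATH is still the Node-bundled copy and 'corepack prepare npm@10 --activate' does not change what the publish step runs. It would need 'corepack enable npm', and npm@10 is still a floating spec, so the determinism in the heading is not reached either way. Enabling Corepack also puts a yarn shim in front of 'yarn release', a side effect this job does not ask for.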

46-46: Pin changesets/action to a commit SHA for supply-chain hardening.

Other actions are pinned; changesets/action@v1 isn’t. Pin to a known-good commit SHA to match your pinning policy.

Example (replace HASH with the desired commit SHA):

-        uses: changesets/action@v1
+        uses: changesets/action@<PINNED_COMMIT_SHA>
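Review bot: when applying this, use the full 40-character commit SHA and keep the tag as a trailing comment ('uses: changesets/action@<PINNED_COMMIT_SHA> # v1'), otherwise the pin is unreadable in review and dependency updaters have no version to track; the lead-in also says "replace HASH" while the hunk's placeholder is <PINNED_COMMIT_SHA>, so align the two. A SHA pin fixes the action's own code, not the dependencies it installs at run time, so each bump still needs a look at the new revision.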
📥 Commits

Reviewing files that changed from the base of the PR and between 6e3eb34 and 1a0abf0.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
🔇 Additional comments (1)
.github/workflows/release.yml (1)

12-16: Good: OIDC permission is correctly configured for npm Trusted Publishing

id-token: write is present at the workflow level. This is required for npm Trusted Publishers. No action needed.
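The checks the reviews in this thread keep returning to (id-token: write present, NPM_TOKEN gone, actions pinned to a commit SHA, npm pinned to an exact version) as a small lint over a release workflow, added here as an example; it is not code from the PR, from CodeRabbit or from the eslint-plugin-import-x project. Both workflow fragments are constructed, the 40-zero SHAs are placeholders, and npm 11.5.1 is an assumed exact version to pin.

```python
"""Lint a GitHub Actions release workflow for the npm trusted-publishing
points raised in this review thread. Standard library only: the checks are
line-oriented regexes over the workflow text, so no YAML parser is needed."""
import re

# A 40-hex ref is an immutable commit pin; tags such as v1 or v4 are mutable.
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)(?:/[^@\s]+)?@(\S+)", re.M)
NPM_UPGRADE = re.compile(r"npm install -g npm@(\S+)")


def lint_release_workflow(text: str) -> list[str]:
    """Return one finding per weak setting; an empty list means every check passed."""
    findings = []
    # 1. OIDC: npm Trusted Publishers need the runner to be able to mint an id token.
    if not re.search(r"^\s*id-token:\s*write\b", text, re.M):
        findings.append("missing 'id-token: write' permission required for OIDC publishing")
    # 2. A long-lived registry secret next to OIDC is redundant, and if it leaks it
    #    lets the holder publish without going through this workflow at all.
    if "NPM_TOKEN" in text:
        findings.append("NPM_TOKEN secret still referenced; OIDC makes it unnecessary")
    # 3. Every third-party action must be pinned to a full commit SHA.
    for action, ref in USES_LINE.findall(text):
        if not COMMIT_SHA.match(ref):
            findings.append(f"{action} uses mutable ref '{ref}' instead of a commit SHA")
    # 4. The npm upgrade must name an exact version: tags ('latest', '10') and
    #    ranges ('^10.8.0') can resolve differently from one run to the next.
    for spec in NPM_UPGRADE.findall(text):
        if not re.fullmatch(r"\d+\.\d+\.\d+", spec):
            findings.append(f"npm upgrade uses floating spec 'npm@{spec}'")
    return findings


# Constructed fragment modelled on the pre-PR release job described in the thread.
WEAK_WORKFLOW = """
permissions:
  contents: write
  pull-requests: write
steps:
  - uses: actions/setup-node@v4
  - run: npm install -g npm@latest
  - uses: changesets/action@v1
    with:
      publish: yarn release
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
"""

# Hardened fragment. The 40-zero SHAs are placeholders for real pinned commits,
# and npm 11.5.1 is an assumed exact version; substitute the one you validate.
HARDENED_WORKFLOW = """
permissions:
  contents: write
  pull-requests: write
  id-token: write
steps:
  - uses: actions/setup-node@0000000000000000000000000000000000000000  # placeholder
  - run: npm install -g npm@11.5.1
  - uses: changesets/action@0000000000000000000000000000000000000000  # placeholder
    with:
      publish: yarn release
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

if __name__ == "__main__":
    for name, wf in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(f"{name}: {lint_release_workflow(wf) or ['no findings']}")
```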

@JounQin JounQin merged commit a130630 into master Aug 19, 2025
92 checks passed
@JounQin JounQin deleted the JounQin-patch-1 branch August 19, 2025 03:39