Build releases for npm registry

[rszwajko]

Bump version to 1.0.0.

Summary by CodeRabbit

• Chores
  • Bumped package version to 1.0.0 - first stable release.
  • Updated distribution workflow to publish to npm registry alongside existing GitHub Packages distribution.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

The PR updates the npm publishing workflow to support dual publishing targets: npm registry and GitHub Packages. It renames the GitHub Packages job, introduces a new npm registry publishing job with NPM_TOKEN authentication, and updates npm install commands with additional flags across both paths.

Changes

Cohort / File(s)	Summary
Workflow restructuring for dual publishing .github/workflows/npm-publish.yml	Renames build job to buildForGitHubPackages, updates npm install to npm clean-install --verbose --ignore-scripts --no-audit, and adds new parallel buildForNpm job that publishes to npmjs.org using NPM_TOKEN secret.
Version bump package.json	Version updated from 0.0.3 to 1.0.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

• Verify NPM_TOKEN secret is properly configured in repository settings
• Confirm npm registry URLs and authentication scopes are correctly targeted
• Validate that both parallel publishing paths don't conflict or cause duplicate releases

Possibly related PRs

• PR #2: Modifies the same npm publish workflow and install steps, likely an earlier attempt or related refactor
• PR #5: Updates package.json version field (0.0.2→0.0.3), part of version bump progression
• PR #4: Modifies package.json version field for version management

Suggested reviewers

• metalice
• upalatucci
• sjd78

Poem

🐰 Hop, skip, and a bound,
Two registries, now spun 'round,
npm and GitHub, side by side,
Version one point oh with pride!
Publishing flows, dual and bright, 🎉

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title 'Build releases for npm registry' accurately reflects the main changes: introducing npm registry publishing alongside existing GitHub Packages flow and updating to version 1.0.0.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 68b9069 and b60a6de.

📒 Files selected for processing (2)

• .github/workflows/npm-publish.yml (2 hunks)
• package.json (1 hunks)

🔇 Additional comments (5)

package.json (1)

3-3: Version bump to 1.0.0 looks good.

This aligns with the PR objectives and the expanded dual-publishing strategy (npm + GitHub Packages).

.github/workflows/npm-publish.yml (4)

26-40: Verify NPM_TOKEN is configured as a repository secret.

The new buildForNpm job publishes to npmjs.org using secrets.NPM_TOKEN. This secret must be configured in the repository settings, or the workflow will fail at the publish step with an authentication error.

Please confirm that NPM_TOKEN is added as a repository secret in GitHub Settings > Secrets and variables > Actions. This should be your npm access token with publish permissions.

Optionally, you can add error handling to make failures more visible:

       - run: npm publish
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        if: env.NODE_AUTH_TOKEN != ''

This ensures the job fails explicitly if the token is missing.

---

6-40: Dual-publishing strategy is well-structured.

The workflow cleanly separates GitHub Packages and npm registry publishing into parallel jobs with appropriate registry URLs and authentication tokens. The architecture is sound.

---

6-6: Verify the job name change doesn't break existing CI/CD rules.

The job rename from build to buildForGitHubPackages could break branch protection rules, required status checks, or other CI/CD automation that references the old build job name. Confirm:

1. No branch protection rules require a status check named build
2. No other GitHub Actions workflows reference the old build job name
3. No external CI/CD systems depend on the build job name

---

21-21: Verify whether --ignore-scripts breaks artifact generation in the publish workflow.

Using --ignore-scripts in npm-publish.yml skips lifecycle hooks including prepare and prepublishOnly. If the package uses prepare to compile or build artifacts that must be included in the published tarball, or prepublishOnly for pre-publish validation, this flag will prevent those steps from running, potentially publishing an incomplete or unvalidated package.

Confirm that:

1. package.json does not define prepare, prepublishOnly, prepack, or other relevant lifecycle scripts
2. Any required builds or validations are explicitly defined as separate workflow steps (not relying on npm lifecycle hooks)

Also applies to: lines 36

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}