Provide additional params to npm publish

[rszwajko]

Summary by CodeRabbit

• Chores
  • Updated package publishing workflow with enhanced security and distribution practices, including improved authentication and provenance tracking.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

The npm publish workflow is updated to publish packages under the @kubevirt-ui-ext scope with provenance and public access settings, while switching authentication from GitHub token to a dedicated npm token (NPM_TOKEN_FOR_KUBEVIRT_UI_EXT).

Changes

Cohort / File(s)	Summary
npm publish workflow \.github/workflows/npm-publish\.yml	Added @kubevirt-ui-ext scope to setup-node step; updated publish command to include --provenance --access public flags; switched publish authentication token from GITHUB_TOKEN to NPM_TOKEN_FOR_KUBEVIRT_UI_EXT

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

• Single workflow file with straightforward configuration parameter updates (scope, token, and publish flags)

Possibly related PRs

• kubevirt-ui/vnc-keymaps#7 — Also updates npm-publish workflow to use @kubevirt-ui-ext scope and NPM_TOKEN_FOR_KUBEVIRT_UI_EXT authentication
• kubevirt-ui/vnc-keymaps#2 — Modifies npm-publish workflow configuration with different token/environment choices for the publish step

Suggested reviewers

• sjd78
• metalice
• upalatucci
• vojtechszocs
• pcbailey

Poem

🐰 A token swap and scope so grand,
npm packages now take a stand,
With provenance true and access wide,
The @kubevirt realm opens with pride!
Publish workflows dance anew! 🎉

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Provide additional params to npm publish' directly and specifically describes the main change: adding parameters (scope, --provenance, --access public) to the npm publish command.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1cf8bc8 and a130de9.

📒 Files selected for processing (1)

• .github/workflows/npm-publish.yml (1 hunks)

🔇 Additional comments (3)

.github/workflows/npm-publish.yml (3)

36-36: Scope parameter correctly aligns with sed package.json replacement.

The scope is properly configured for the scoped npm package and matches the sed command that updates package.json.

---

41-41: npm publish flags align with security best practices and PR objectives.

The --provenance flag creates provenance attestations (security best practice), and --access public makes the package publicly available as intended.

---

43-43: Ensure the NPM_TOKEN_FOR_KUBEVIRT_UI_EXT secret is configured in repository settings before publishing.

This workflow uses a dedicated npm token instead of GITHUB_TOKEN. Before merging, verify:

1. The NPM_TOKEN_FOR_KUBEVIRT_UI_EXT secret exists in the repository settings.
2. The npm token has write permissions for the @kubevirt-ui-ext scope on npm.org.

The workflow will fail at publish time if the secret is missing or lacks proper permissions.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}