
Remove auto-bump from publish workflow#4

Merged: gitethanwoo merged 1 commit into main from fix-publish-workflow on Dec 18, 2025

Conversation

@gitethanwoo (Owner)

Only publish when version is manually bumped. No more surprise commits.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

@chatgpt-codex-connector (bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Comment on lines 7 to 8:

```yaml
permissions:
  id-token: write
```

P1: Restore contents permission for checkout

The workflow now grants only id-token: write, which removes the default contents: read when a permissions block is present. actions/checkout@v4 requires contents access, so the publish job will fail immediately with “Resource not accessible by integration” and never reach the build/publish steps.

Useful? React with 👍 / 👎.

@github-actions (Contributor)

PR Visual

Latest (6ba3c4e):

[PR Infographic image]

Prompt:
# Visual Brief: Release Workflow Hardening

**Effort 1: Intentional Version Management**
*   **Archetype:** Process Flow (Before vs. After)
*   **Diagram:**
    *   **BEFORE:** `Merge to Main` ➔ `Bot: npm version patch` ➔ `Bot: git push` ➔ `npm publish`
    *   **AFTER:** `Manual: package.json version update` ➔ `Merge to Main` ➔ `Version Check` ➔ `npm publish (if new)`
*   **Explanation:** We removed automated bot commits to keep the git history clean and ensure that releases are intentional. The workflow now acts as a gatekeeper that only publishes when it detects a manual version increment.

**Effort 2: Least Privilege Security**
*   **Archetype:** Architecture (Security Perimeter)
*   **Diagram:**
    *   **Workflow Permissions:**
        *   ✅ `id-token: write` (Required for OIDC/npm provenance)
        *   ❌ `contents: write` (**REMOVED**: Repository is now read-only for CI)
*   **Explanation:** By eliminating the need for the workflow to push code back to the repository, we revoked write access to the codebase. This significantly hardens the CI/CD pipeline against potential supply-chain attacks.

**Layout:** 1x2 Grid (Side-by-Side)

IMPORTANT STYLE OVERRIDE: Clean, beautiful, modern professional PowerPoint style.
Style: clean

Generated with pr-visual
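An added example workflow (written for this page, not the repository's own publish.yml, which is not shown here) that puts the two points above together: the explicit `contents: read` the Codex review asks for next to `id-token: write`, and a publish step gated on a manual version bump. The `npm view` comparison, the `NPM_TOKEN` secret name and the action versions are assumptions.

```yaml
# Added example, not the repository's workflow. Assumes an npm package whose
# name and version are read from package.json and an NPM_TOKEN secret.
name: publish

on:
  push:
    branches: [main]

# Any permissions block replaces the defaults, so contents: read must be
# listed or actions/checkout fails with "Resource not accessible by integration".
permissions:
  contents: read     # checkout needs read; write stays revoked (no bot commits)
  id-token: write    # OIDC token for npm provenance

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org

      # Gatekeeper: compare the committed version with what npm already has.
      # A package that was never published (npm view exits non-zero) counts as 0.0.0.
      - id: check
        run: |
          pkg=$(node -p "require('./package.json').name")
          local_version=$(node -p "require('./package.json').version")
          published=$(npm view "$pkg" version 2>/dev/null || echo "0.0.0")
          echo "local=$local_version published=$published"
          if [ "$local_version" != "$published" ]; then
            echo "publish=true" >> "$GITHUB_OUTPUT"
          else
            echo "publish=false" >> "$GITHUB_OUTPUT"
          fi

      # Runs only when the version was bumped by hand before the merge;
      # nothing is committed or pushed back to the repository.
      - if: steps.check.outputs.publish == 'true'
        run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```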

@gitethanwoo gitethanwoo merged commit de0ed7d into main Dec 18, 2025
1 check passed