trusted publisher for prod sdk

[roymiloh]

No description provided.

[claude]

Claude finished @roymiloh's task —— View job

---

PR Review: Trusted Publisher for Production SDK

Review Checklist:

• Analyze the workflow file changes
• Assess code quality and best practices
• Check for potential bugs or issues
• Evaluate performance considerations
• Review security concerns
• Consider test coverage implications

Summary

This PR removes the NODE_AUTH_TOKEN environment variable from the npm publish step in the manual publish workflow, which appears to be a migration to npm's trusted publishing feature.

Detailed Review

🔍 Changes Analysis

The PR removes these 2 lines from .github/workflows/manual-publish.yml:

env:
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

✅ Code Quality and Best Practices

• Good: Adopting trusted publishing is a modern best practice for npm package publishing
• Good: The change aligns with the preview-publish workflow which also doesn't use NODE_AUTH_TOKEN
• Concern: The PR lacks a description explaining the change and its implications

🐛 Potential Bugs or Issues

• Critical: The workflow is missing id-token: write permission which is required for OIDC-based trusted publishing
• Issue: Without proper permissions, the npm publish command will fail with authentication errors
• Note: The main-publish workflow still uses NODE_AUTH_TOKEN, creating inconsistency across workflows

🚀 Performance Considerations

• No performance impact - this is an authentication mechanism change

🔒 Security Concerns

• Positive: Trusted publishing is more secure than using long-lived secrets
• Positive: Eliminates the need to store and rotate npm tokens
• Risk: The incomplete setup could cause production publish failures

🧪 Test Coverage

• No test-related changes needed for this authentication update

📋 Recommendations

1. Add required permissions to enable trusted publishing:

   permissions:
     contents: write
     packages: write
     id-token: write  # Required for OIDC authentication

2. Verify npm package configuration:

   • Ensure your npm package has trusted publishing configured at npmjs.com
   • The GitHub repository and workflow name must match the trusted publisher configuration

3. Consider updating all workflows:

   • For consistency, migrate main-publish.yml to trusted publishing as well
   • Document the authentication strategy in the repository

4. Add PR description explaining:

   • Why this change is being made
   • Confirmation that trusted publishing is configured on npm
   • Any testing that was performed

🚨 Action Required

This PR will likely fail to publish without the id-token: write permission. Please add the missing permission before merging to avoid breaking the manual publish workflow.

[github-actions]

🚀 Package Preview Available!

---

Install this PR's preview build with npm:

npm i @base44-preview/sdk@0.8.4-pr.51.71041fc

Prefer not to change any import paths? Install using npm alias so your code still imports @base44/sdk:

npm i "@base44/sdk@npm:@base44-preview/sdk@0.8.4-pr.51.71041fc"

Or add it to your package.json dependencies:

{
  "dependencies": {
    "@base44/sdk": "npm:@base44-preview/sdk@0.8.4-pr.51.71041fc"
  }
}

• 📦 Preview Package: @base44-preview/sdk@0.8.4-pr.51.71041fc
• 🔗 View this commit on GitHub

---

_{Preview published to npm registry — try new features instantly!}

[claude]

Claude finished @roymiloh's task —— View job

---

PR Review: Trusted Publisher for Production SDK

Review Checklist:

• Read and analyze the workflow file changes
• Check for repo-specific guidelines (CLAUDE.md)
• Review code quality and best practices
• Identify potential bugs or issues
• Evaluate performance considerations
• Assess security concerns
• Consider test coverage implications
• Provide comprehensive feedback

Summary

This PR removes the NODE_AUTH_TOKEN environment variable from the npm publish step and deletes the main-publish.yml workflow, appearing to migrate to npm's trusted publishing feature. However, the implementation is incomplete and will fail.

Critical Issues Found 🚨

1. Missing Required Permission

The manual-publish.yml workflow lacks the critical id-token: write permission required for OIDC-based trusted publishing:

permissions:
  contents: write
  packages: write
  # MISSING: id-token: write  ← Required for trusted publishing

Without this permission, the npm publish command will fail with authentication errors.

2. Inconsistent Implementation

• The preview-publish.yml workflow already has id-token: write permission (line 212)
• This inconsistency suggests the manual workflow wasn't properly updated

3. Deleted main-publish.yml

The PR deletes the entire main-publish.yml file (119 lines). Was this intentional? This might remove automated publishing capabilities.

Code Quality Assessment

✅ Good Practices

• Moving to trusted publishing is a security best practice
• Eliminates need for long-lived npm tokens

❌ Issues

• No PR description explaining the changes
• Incomplete migration leaving the workflow broken
• No verification that trusted publishing is configured on npm

Security Considerations 🔒

Positive

• Trusted publishing is more secure than token-based auth
• Reduces secret rotation overhead
• Limits token exposure

Risks

• Broken publish workflow could block releases
• Missing configuration steps not documented

Performance & Test Coverage

• No performance impact (authentication change only)
• No test coverage changes needed

Recommended Actions

1. Fix the permission in manual-publish.yml:

permissions:
  contents: write
  packages: write
  id-token: write  # Add this line

2. Verify npm configuration:

   • Ensure @base44/sdk package has trusted publishing enabled on npmjs.com
   • GitHub repository and workflow names must match npm configuration

3. Add PR description explaining:

   • Why main-publish.yml was deleted
   • Confirmation that npm trusted publishing is configured
   • Any manual testing performed

4. Consider keeping automation:

   • If main-publish.yml provided automated releases, consider updating it instead of deleting

Conclusion

This PR will break the manual publish workflow without the id-token: write permission. Please add the missing permission and verify npm configuration before merging.