ci/publish: node 24 + OIDC trusted publishing; drop EOL node 18#23
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request adds a RELEASING.md guide outlining the release process for the npm package and updates package.json to require Node.js version 20 or higher. Feedback on the release guide suggests adding a warning about manual publishing limitations, as npm OIDC trusted publishing might restrict manual publishing or fail to generate secure build provenance.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| 3. `gh release create vX.Y.Z --generate-notes` — triggers the publish (the tag alone does not). | ||
| 4. CI installs, tests, builds, and publishes. Verify with `npm view icechunk-js version`. | ||
|
|
||
| Manual fallback: `npm ci && npm run build && npm publish --access public`. |
There was a problem hiding this comment.
With npm OIDC trusted publishing enabled, manual publishing via npm publish may be restricted by npm's security settings (which often require publishing exclusively via CI/provenance). Additionally, manual publishing will not generate the secure build provenance. Consider adding a warning note about this limitation.
1 participant
NPM_TOKEN; provenance kept). Also fixes the workflow, which had never successfully published.engines.node >=20.closes #4