Add npm publishing for npx lstk#67

Open
silv-io wants to merge 1 commit into main from silv-io/flc-464

silv-io (Member) commented Mar 3, 2026

Adds automatic npm publishing via evg4b/goreleaser-npm-publisher-action. This enables users to run the CLI directly with npx lstk without any installation.

GoReleaser's native npm publisher is a Pro-only feature. The evg4b/goreleaser-npm-publisher-action is an open-source alternative that works the same way. It reads GoReleaser's output and creates npm packages that download the correct binary for the user's platform during postinstall.

Changes

  • Add Node.js setup step to release job
  • Add goreleaser-npm-publisher-action to publish npm packages after GoReleaser builds

After merge

  1. Tag a release to trigger the first npm publish (this will claim the lstk name)
  2. Test: npx lstk version

Related

FLC-464

coderabbitai bot commented Mar 3, 2026

📝 Walkthrough

The CI workflow adds Node.js setup and NPM publishing steps to the GoRelease Release job, enabling automated package publication to the NPM registry with metadata and authentication.

Changes

Cohort / File(s) | Summary
CI Workflow Enhancement: .github/workflows/ci.yml | Added Node.js 20 setup via actions/setup-node@v4 and NPM package publishing via evg4b/goreleaser-npm-publisher-action@v1 with NPM token, license, description, and keywords configuration.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • carole-lavillonniere

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title 'Add npm publishing for npx lstk' accurately describes the main change—adding npm publishing functionality to enable npx usage.
Description check | ✅ Passed | The description clearly explains the purpose, implementation approach, and post-merge steps related to adding npm publishing to the project.


@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (1)
.github/workflows/ci.yml (1)

169-169: Pin the third-party publisher action to a full commit SHA.

The action evg4b/goreleaser-npm-publisher-action@v1 uses a moving tag reference, which poses a supply-chain risk in a release pipeline. For hardened security posture, pin to an immutable commit SHA.

🔒 Suggested hardening
      - name: Publish to NPM
-       uses: evg4b/goreleaser-npm-publisher-action@v1
+       uses: evg4b/goreleaser-npm-publisher-action@<FULL_COMMIT_SHA> # v1
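Review bot: the `+` line still carries the literal <FULL_COMMIT_SHA> placeholder, so it cannot be applied as written; replace it with the 40-character commit that the v1 tag of evg4b/goreleaser-npm-publisher-action resolves to, and confirm that commit is in that repository itself rather than in a fork, since a fork's SHA also resolves under the same owner/repo path. Keep the trailing `# v1` comment so the pinned release stays readable in later reviews.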
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml at line 169, The workflow uses a moving tag
"evg4b/goreleaser-npm-publisher-action@v1" which is a supply-chain risk; replace
that reference with a pinned immutable commit SHA (e.g.,
evg4b/goreleaser-npm-publisher-action@<full-commit-sha>) in the uses line, by
finding the uses entry that mentions evg4b/goreleaser-npm-publisher-action@v1
and updating it to the full commit SHA from the action's repository.

ℹ️ Review info

Configuration used: Repository UI (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1cccd38 and 657f4e1.

📒 Files selected for processing (1)
  • .github/workflows/ci.yml
