
feat(npm): add token-less publishing with trustedPublishing flag#36

Merged
SavelevMatthew merged 8 commits into main from fix/peerDeps
Mar 17, 2026

Conversation

SavelevMatthew (Owner) commented Mar 17, 2026

Summary by CodeRabbit

  • New Features

    • Added a trustedPublishing option for npm publishing, allowing setup to continue without an npm token when enabled.
  • Chores

    • Broadened mono-pub peer dependency compatibility to accept both v1 and v2 across packages.
    • Bumped several dependency/dev-dependency versions for stability.
    • Made npm config application conditional so config is only applied when present.
    • CI: added Node.js 24.x to test/build matrix.
    • Added a release-notes category for dependency changes.
  • Bug Fixes

    • Improved error messaging to include stringified response data for certain API failures.

coderabbitai bot commented Mar 17, 2026

Walkthrough

Broadened mono-pub peer dependency ranges across packages, added a trustedPublishing config and adjusted npm setup/publish behavior, bumped several dev/dependencies, added Node.js 24.x to CI, and small code/typing and error formatting tweaks.

Changes

Peer dependency updates
  • Files: packages/commit-analyzer/package.json, packages/git/package.json, packages/github/package.json, packages/npm/package.json
  • Summary: Changed peerDependencies.mono-pub from "1.x" to "^1.0.0

Dependency/version bumps
  • Files: packages/github/package.json, packages/mono-pub/package.json, packages/git/package.json, packages/npm/package.json
  • Summary: Bumped various deps/devDeps (lodash, @types/lodash, tmp, @types/tmp) in multiple package.json files.

NPM package logic & config
  • Files: packages/npm/src/index.ts, packages/npm/package.json
  • Summary: Added trustedPublishing: boolean to MonoPubNpmConfig (default false); setup now permits a missing NPM_TOKEN when trustedPublishing is true; publish omits --userconfig unless the npm config file exists and adjusts the env passed to the npm process.

Publish tooling / release notes
  • Files: bin/publish.js
  • Summary: Added a deps release-note type and set trustedPublishing: true in the npm plugin options used by the release/publish script.

Typing clarity
  • Files: packages/git/src/index.ts
  • Summary: Added an explicit readonly tagFormat: string annotation on the MonoPubGit class property.

Error message formatting
  • Files: packages/github/src/utils.ts
  • Summary: Stringified response.data in two error messages to ensure proper error text for non-200 responses when extracting PR commits.

CI matrix
  • Files: .github/workflows/nodejs.packages.ci.yml
  • Summary: Added Node.js 24.x to the test/build matrix to expand CI coverage.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant CLI as "mono-pub CLI"
  participant FS as "FileSystem"
  participant NPM as "npm (registry/cli)"

  CLI->>CLI: read config (trustedPublishing?)
  CLI->>FS: check for npmrc file
  alt trustedPublishing = true
    CLI->>NPM: run publish without NPM_TOKEN (env = {}) and omit --userconfig if no npmrc
  else trustedPublishing = false
    CLI->>FS: read NPM_TOKEN from env
    alt npmrc exists
      CLI->>NPM: run publish with --userconfig <file> and env {NPM_TOKEN}
    else
      CLI->>NPM: run publish without --userconfig and env {NPM_TOKEN}
    end
  end
  NPM-->>CLI: publish result

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title 'feat(npm): add token-less publishing with trustedPublishing flag' accurately describes the main feature addition in the pull request - the new trustedPublishing flag that enables token-less npm publishing.

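The branching that the walkthrough and sequence diagram describe (token required unless trustedPublishing is set, --userconfig only when the generated npmrc exists, a warning when trusted publishing runs without provenance), written as a pure function so it can be checked without invoking npm. This is an added example, not mono-pub's own code; the function, interface and field names are assumptions, and the npmrc path in the usage is a constructed value.

```typescript
// Added example (not mono-pub's code): returns the `npm` arguments and the env
// that would be passed to execa, mirroring the publish decision in the PR.
export interface PublishConfig {
  trustedPublishing: boolean;  // allow publishing without NPM_TOKEN (OIDC)
  provenance: boolean;         // request a build attestation
}

export interface PublishInvocation {
  args: string[];
  env: Record<string, string>;
  warnings: string[];
}

export function buildPublishInvocation(
  config: PublishConfig,
  npmrcPath: string,
  npmrcExists: boolean,
  processEnv: Record<string, string | undefined>,
): PublishInvocation {
  const args = ["publish"];
  const env: Record<string, string> = {};
  const warnings: string[] = [];

  if (config.provenance) {
    args.push("--provenance");
  }
  // --userconfig is passed only when the generated npmrc actually exists.
  if (npmrcExists) {
    args.push("--userconfig", npmrcPath);
  }

  if (config.trustedPublishing) {
    // Token-less path: env stays empty so npm can use ambient OIDC credentials.
    // Without provenance the publish still works but yields no attestation.
    if (!config.provenance) {
      warnings.push("trustedPublishing is enabled without provenance; no build attestation will be produced");
    }
  } else {
    // Classic path: NPM_TOKEN is mandatory and is forwarded to the npm process.
    const token = processEnv.NPM_TOKEN;
    if (!token) {
      throw new Error("NPM_TOKEN is required unless trustedPublishing is enabled");
    }
    env.NPM_TOKEN = token;
  }
  return { args, env, warnings };
}
```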

coderabbitai bot left a comment

🧹 Nitpick comments (1)
packages/npm/src/index.ts (1)

93-99: Consider documenting the trustedPublishing option.

The JSDoc for npm() doesn't describe the new trustedPublishing flag. Users might benefit from documentation explaining when to use this option (e.g., with GitHub Actions OIDC for token-less publishing) and that it should typically be combined with provenance: true.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/npm/src/index.ts` around lines 93 - 99, Update the JSDoc for the
exported npm() factory to document the new trustedPublishing flag on the config
object: describe what trustedPublishing does, when to use it (e.g., GitHub
Actions OIDC token-less publishing), and note the recommended pairing with
provenance: true; reference the npm(config?: Partial<MonoPubNpmConfig>)
signature and the MonoPubNpm class so consumers know the flag is passed into
that implementation and how it affects publishing behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 146633c6-8a9d-4bbe-9e67-602e1440a8b6

📥 Commits

Reviewing files that changed from the base of the PR and between 2c61fa5 and 317b2d4.

📒 Files selected for processing (5)
  • packages/commit-analyzer/package.json
  • packages/git/package.json
  • packages/github/package.json
  • packages/npm/package.json
  • packages/npm/src/index.ts

coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/github/src/utils.ts (1)

74-80: ⚠️ Potential issue | 🔴 Critical

Bug: Checking wrong response variable after getCommit call.

Line 78 checks response.status (from listCommits) instead of commitResponse.status (from getCommit). Similarly, line 79 references response.data instead of commitResponse.data. This means errors from the getCommit call are never caught, and if the condition were triggered, it would show data from the wrong API call.

🐛 Proposed fix
             const commitResponse = await octokit.repos.getCommit({
                 ...repoInfo,
                 ref: sha,
             })
-            if (response.status !== 200) {
-                throw new Error(`Could not fetch commit info. Details: ${JSON.stringify(response.data)}`)
+            if (commitResponse.status !== 200) {
+                throw new Error(`Could not fetch commit info. Details: ${JSON.stringify(commitResponse.data)}`)
             }
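Review bot: the corrected condition now reads `commitResponse`, but nothing in the hunk guards against the same mix-up returning: add a test that stubs `getCommit` to return a non-200 status and asserts the "Could not fetch commit info" error is thrown. Also consider including `commitResponse.status` in the message next to the stringified body, since `JSON.stringify(commitResponse.data)` alone does not say which status code was seen.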
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/github/src/utils.ts` around lines 74 - 80, The check after the
octokit.repos.getCommit call is using the wrong variable (`response`) from the
prior listCommits call; update the status/data checks to use the
`commitResponse` returned by `getCommit` (i.e., test `commitResponse.status !==
200` and reference `commitResponse.data` in the error message) so errors from
`getCommit` are correctly detected and logged; ensure this change is applied in
the block that calls `getCommit` where `commitResponse` is defined.
🧹 Nitpick comments (1)
packages/npm/src/index.ts (1)

76-90: Consider coupling trustedPublishing with provenance validation.

The publish logic correctly handles the environment and config file conditionally. When trustedPublishing: true, passing an empty env object to execa allows npm to use the ambient OIDC credentials from GitHub Actions.

One consideration: trusted publishing is typically used alongside --provenance since both leverage the same OIDC infrastructure. If a user enables trustedPublishing: true but forgets provenance: true, publishing will work but miss the attestation benefit.

Consider either:

  • Logging a warning if trustedPublishing is enabled without provenance
  • Documenting that these options are complementary
💡 Optional: Add a warning for missing provenance

In the constructor or setup method:

 constructor(config?: Partial<MonoPubNpmConfig>) {
     setGracefulCleanup()
     const tmpDir = dirSync()
     this.npmConfigFile = path.join(tmpDir.name, '.npmrc')
     this.config = { ...DEFAULT_NPM_CONFIG, ...config }
+    if (this.config.trustedPublishing && !this.config.provenance) {
+        console.warn('trustedPublishing is enabled without provenance. Consider enabling provenance for build attestations.')
+    }
 }
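Review bot: `console.warn` in the constructor bypasses the plugin's logger and fires whenever the plugin is instantiated, including runs that never publish; the prompt above names `this.logger.warn` / `processLogger.warn`, so route the message through that logger and place the check in the setup step, next to the NPM_TOKEN check that the trustedPublishing branch already relaxes.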
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@packages/npm/src/index.ts` around lines 76 - 90, When trustedPublishing is
enabled but provenance is not, emit a clear warning so users know they are
missing attestation; before calling execa in the publish flow (the block that
builds args/env and invokes execa('npm', args, { cwd: runDir, env })), detect
this.config.trustedPublishing === true && !this.config.provenance and call the
logger (e.g., this.logger.warn or processLogger.warn) with a concise message
explaining that trustedPublishing works best with --provenance and recommending
enabling provenance; alternatively place the same check in the
constructor/initialization path to surface the warning earlier.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 698b9507-82dd-47a4-ab3a-2a99e2b72c42

📥 Commits

Reviewing files that changed from the base of the PR and between d1c7f0b and a7732af.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (8)
  • bin/publish.js
  • packages/git/package.json
  • packages/git/src/index.ts
  • packages/github/package.json
  • packages/github/src/utils.ts
  • packages/mono-pub/package.json
  • packages/npm/package.json
  • packages/npm/src/index.ts
🚧 Files skipped from review as they are similar to previous changes (1)
  • packages/npm/package.json

@SavelevMatthew SavelevMatthew merged commit f125db5 into main Mar 17, 2026
9 checks passed
@SavelevMatthew SavelevMatthew deleted the fix/peerDeps branch March 17, 2026 10:14