ci: Use Docker container for npm-publish workflow

[data-coasys]

Summary

Use the same Docker image that CircleCI uses for the npm-publish job in GitHub Actions.

Problem

The npm-publish job was failing with:

node-pre-gyp ERR! stack Error: 404 status code downloading tarball 
https://github.com/mattrglobal/node-bbs-signatures/releases/download/0.11.0/node-v108-linux-x64.tar.gz

The @mattrglobal/node-bbs-signatures package doesn't have pre-built binaries for Node 18 (v108 ABI).

Solution

Use the coasys/ad4m-ci-linux Docker image (same as CircleCI) which has all dependencies pre-installed and configured.

Changes

• publish.yml: npm-publish job now uses Docker container
• publish_staging.yml: npm-publish job now uses Docker container

Notes

This uses the same pinned image SHA that CircleCI uses for consistency.

Summary by CodeRabbit

• Chores
  • Moved publishing to a containerized pipeline for more reliable, consistent releases.
  • Simplified workflow and build setup by removing redundant tool-install steps.
  • Improved prerelease detection logic for accurate tagging.
  • Publish process now handles multiple artifacts and platform-specific release assets and ensures packages are published with public access.

[coderabbitai]

📝 Walkthrough

Walkthrough

GitHub Actions publish workflows were containerized (using a Docker image), removed explicit Node.js/pnpm/Go/Deno setup steps, changed prerelease detection to look for a hyphen in versions, and consolidated dependency install and npm-publish steps with an NPM_TAG decision and public package visibility.

Changes

Cohort / File(s)

Summary

Publishing Workflows ​.github/workflows/publish.yml, ​.github/workflows/publish_staging.yml

Switched jobs to run on ubuntu-latest inside a specified container image. Removed explicit actions/setup-node, pnpm/action-setup, Go/Deno and other OS dependency install steps. Prerelease detection now checks for - in the version. Consolidated install and publish steps, added NPM_TAG (next/latest) decision and set package visibility to public; replaced raw publish commands with npm-publish action usage across multiple packages.

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub Actions
    participant Container as Container (coasys/ad4m-ci-linux)
    participant Runner as Job Steps
    participant Registry as npm Registry

    GH->>Container: start job in container
    Container->>Runner: run checkout, read package versions
    Runner->>Runner: detect prerelease? (version contains "-")
    alt prerelease
        Runner->>Runner: set NPM_TAG = next
    else stable
        Runner->>Runner: set NPM_TAG = latest
    end
    Runner->>Runner: pnpm install --no-frozen-lockfile
    Runner->>Runner: set package visibility to public (core packages)
    Runner->>Registry: publish packages with NPM_TAG & public access
    Registry-->>Runner: publish results
    Runner-->>GH: job completes

Loading

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 I hopped into a container bright,

Removed old steps and trimmed the night,
Dashes tell if releases play,
Tags set true and packages sway,
A tiny rabbit cheers the CI light.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and specifically describes the main change: using Docker containers for the npm-publish workflow across both publish.yml and publish_staging.yml files.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/publish-workflow-docker

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[lucksus]

Using our docker image, we can remove setup steps in the workflow, no?

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/publish_staging.yml (1)

393-400: ⚠️ Potential issue | 🟡 Minor

Prerelease detection is incomplete — only matches literal "prerelease" substring.

The check [[ $STRING == *"prerelease"* ]] fails to catch pre-release versions using other common semantic versioning identifiers. Project history shows versions like 0.11.2-dev.4 and 0.11.2-dev.3, which would not match. If such a version is released, it will be incorrectly tagged as latest instead of next, overwriting stable releases.

Fix to match any semantic versioning pre-release suffix:

Proposed fix

-          if [[ $STRING == *"prerelease"* ]]; then
+          if [[ $STRING == *-* ]]; then

🧹 Nitpick comments (5)

docs/CNAME (1)

1-1: Unrelated change bundled in a CI-focused PR.

This CNAME file for GitHub Pages (docs.ad4m.dev) is unrelated to the npm-publish Docker container fix. Consider splitting it into a separate PR for cleaner git history and easier reverts.

.github/workflows/publish_staging.yml (1)

402-406: --no-frozen-lockfile weakens reproducibility in CI.

Using --no-frozen-lockfile allows pnpm to modify the lockfile during install, meaning the published artifacts may not match what was tested locally. This was likely added because the container's pnpm version differs from what generated the lockfile.

If the mismatch is only a pnpm version issue, consider aligning the pnpm version in the container or using --no-frozen-lockfile only as a documented workaround with a comment explaining why.

.github/workflows/publish.yml (3)

393-400: Same fragile prerelease detection as in publish_staging.yml.

On the main branch, it's worth questioning whether a prerelease version should ever be published. If main is strictly for production releases, this check may be unnecessary — or it could be turned into a safeguard that fails the job instead of silently publishing to next.

Same concern as in the staging workflow: matching only the literal "prerelease" substring is narrow.

---

402-406: --no-frozen-lockfile concern applies here as well.

Same as the staging workflow — this weakens reproducibility guarantees for production publishes to npm. A comment explaining the rationale would help future maintainers.

---

380-478: Near-identical npm-publish job duplicated across publish.yml and publish_staging.yml.

The npm-publish job definition is almost identical between the two workflow files. Consider extracting it into a reusable workflow to reduce maintenance burden and avoid drift.

[lucksus]

is --no-frozen-lockfile the right thing for release builds? I don't think so.

[data-coasys]

Addressed the CodeRabbit feedback:

1. Prerelease detection fixed - Now uses *-* pattern to catch versions like 0.11.2-dev.4 (not just literal "prerelease")
2. Removed unrelated CNAME - Split out the docs configuration

The setup steps (Node.js, pnpm, Go, Deno) were already removed in the previous commit - the Docker container has everything pre-installed.

Ready for re-review! 🚀

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @.github/workflows/publish.yml:
- Around line 402-406: The workflow uses pnpm install with --no-frozen-lockfile
in the "Install deps" and "Install core dependencies" steps which allows
publishing with untested dependency versions; change both steps to use the
CI-safe --frozen-lockfile flag (or remove the explicit flag to use the default
frozen behavior) and, if you intentionally need relaxed resolution, add a short
comment explaining why and where the lockfile will be updated instead of
allowing silent resolution differences.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

.github/workflows/publish.yml (1)

424-478: ⚠️ Potential issue | 🟠 Major

Upgrade JS-DevTools/npm-publish@v1 to @v3 or @v4.

v1 runs on Node 12, which GitHub Actions removed from runners on August 14, 2023. These publish steps will fail on current runners. v4 is the current major version; v3 is also stable.

The breaking changes in v2+ do not affect this code: v1's check-version and greater-version-only inputs were removed (the code doesn't use them), and output handling changed, but these particular publish steps only use token, package, tag, and access, which remain compatible. See the migration guide for details if you use other inputs.

Example diff for one publish step

      - name: Publish core
-       uses: JS-DevTools/npm-publish@v1
+       uses: JS-DevTools/npm-publish@v3
        with:
          token: ${{ secrets.COASYS_NPM_TOKEN }}
          package: core/package.json
          tag: ${{ env.NPM_TAG }}
          access: public

🧹 Nitpick comments (1)

.github/workflows/publish_staging.yml (1)

402-406: Consider using --frozen-lockfile to enforce reproducible builds.

The commit message states the intent is reproducible builds by using exact lockfile dependencies, but plain pnpm install can still update the lockfile if versions drift. Use --frozen-lockfile to make the install fail if pnpm-lock.yaml is out of sync, which is the standard CI best practice.

♻️ Suggested diff

      - name: Install deps
-       run: pnpm install
+       run: pnpm install --frozen-lockfile

      - name: Install core dependencies
-       run: cd ./core && pnpm install
+       run: cd ./core && pnpm install --frozen-lockfile