fix: add repository url for npm provenance verification #8
Conversation
Signed-off-by: assagman <[email protected]>
Summary of ChangesHello @assagman, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses a critical issue encountered during npm OIDC trusted publishing. By introducing the Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request correctly adds the repository field to package.json to resolve an npm provenance verification error. The change is straightforward and effective. I've added one suggestion to align the repository URL with common conventions for better clarity.
| "license": "MIT", | ||
| "repository": { | ||
| "type": "git", | ||
| "url": "https://github.com/assagman/opencode-toolbox" |
There was a problem hiding this comment.
While the provided URL works, it's a common convention to use the full Git URL ending with .git. This makes it explicit that it's a cloneable repository URL and aligns with examples in the npm documentation.
| "url": "https://github.com/assagman/opencode-toolbox" | |
| "url": "https://github.com/assagman/opencode-toolbox.git" |
There was a problem hiding this comment.
Pull request overview
This PR adds the required repository.url field to package.json to fix npm OIDC trusted publishing provenance verification errors. When publishing with the --provenance flag, npm validates that the package.json repository URL matches the GitHub Actions source repository, and this field was previously missing.
Changes:
- Added
repositoryfield with type "git" and URL pointing to the GitHub repository
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Summary
repository.urlfield to package.jsonProblem
npm OIDC trusted publishing with
--provenancevalidates thatpackage.jsonrepository URL matches the GitHub Actions source repository. Publishing failed with:Fix
Added the required repository field to package.json: