feat: trusted publishers #41
Merged
Pull request overview
Enables trusted (OIDC) npm publishing for engine-specific NativeScript Android runtime packages by adding a dedicated GitHub Actions workflow and introducing per-engine package metadata, alongside script updates to resolve versions/tags per target.
Changes:
- Added `npm_trusted_release.yml` workflow to build and publish per-engine packages (with matrix support and provenance).
- Updated helper scripts to resolve current version and npm dist-tag based on an engine “target” package.
- Added package scaffolding (README/package.json/LICENSE) for each engine package under `packages/`.
Reviewed changes
Copilot reviewed 25 out of 25 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/get-npm-tag.js | Resolves version by target package and computes npm dist-tag from semver prerelease. |
| scripts/get-next-version.js | Resolves current version by target package for prerelease version generation. |
| packages/android-v8/README.md | Adds engine-package README for V8. |
| packages/android-v8/package.json | Adds package metadata for @nativescript/android-v8. |
| packages/android-v8/LICENSE | Adds Apache-2.0 license file for the V8 package. |
| packages/android-shermes/README.md | Adds engine-package README for Static Hermes. |
| packages/android-shermes/package.json | Adds package metadata for @nativescript/android-shermes. |
| packages/android-shermes/LICENSE | Adds Apache-2.0 license file for the shermes package. |
| packages/android-quickjs/README.md | Adds engine-package README for QuickJS. |
| packages/android-quickjs/package.json | Adds package metadata for @nativescript/android-quickjs. |
| packages/android-quickjs/LICENSE | Adds Apache-2.0 license file for the QuickJS package. |
| packages/android-quickjs-ng/README.md | Adds engine-package README for QuickJS-ng. |
| packages/android-quickjs-ng/package.json | Adds package metadata for @nativescript/android-quickjs-ng. |
| packages/android-quickjs-ng/LICENSE | Adds Apache-2.0 license file for the QuickJS-ng package. |
| packages/android-primjs/README.md | Adds engine-package README for PrimJS. |
| packages/android-primjs/package.json | Adds package metadata for @nativescript/android-primjs. |
| packages/android-primjs/LICENSE | Adds Apache-2.0 license file for the PrimJS package. |
| packages/android-jsc/README.md | Adds engine-package README for JavaScriptCore. |
| packages/android-jsc/package.json | Adds package metadata for @nativescript/android-jsc. |
| packages/android-jsc/LICENSE | Adds Apache-2.0 license file for the JSC package. |
| packages/android-hermes/README.md | Adds engine-package README for Hermes. |
| packages/android-hermes/package.json | Adds package metadata for @nativescript/android-hermes. |
| packages/android-hermes/LICENSE | Adds Apache-2.0 license file for the Hermes package. |
| LICENSE | Updates repository license text. |
| .github/workflows/npm_trusted_release.yml | Adds trusted (OIDC) build + publish workflow for engine packages with matrix support. |
Comments suppressed due to low confidence (1)
scripts/get-next-version.js:37
`currentVersion` is only checked for truthiness, but not validated as a semver string. If it’s non-empty but invalid, `setPreRelease()` will throw when it tries to access `parsed.major` from a `null` parse result. Validating semver early gives a clearer failure mode.

```js
const currentVersion = resolveCurrentVersion();
if (!currentVersion) {
  throw new Error("Invalid current version");
}
```
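An added example, not code from this PR or from the review, of the early validation described above, extended to the dist-tag derivation the helper scripts perform. `parseVersion` and `resolveDistTag` are hypothetical names, the regex stands in for `semver.parse`, and returning `latest` for a release version is an assumption.

```javascript
// Added example. SEMVER_RE is a simplified stand-in for the `semver` package
// (it does not reject leading zeros in numeric prerelease identifiers).
const SEMVER_RE =
  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-([0-9A-Za-z-]+(?:\.[0-9A-Za-z-]+)*))?(?:\+[0-9A-Za-z.-]+)?$/;

// Same contract as semver.parse(): an object on success, null on invalid input.
function parseVersion(version) {
  const m = typeof version === "string" ? SEMVER_RE.exec(version.trim()) : null;
  if (!m) return null;
  const prerelease = m[4]
    ? m[4].split(".").map((id) => (/^\d+$/.test(id) ? Number(id) : id))
    : [];
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease };
}

// Hypothetical helper: validate first, then derive the npm dist-tag.
function resolveDistTag(version) {
  const parsed = parseVersion(version);
  if (parsed === null) {
    // Fail here with a clear message instead of a TypeError on parsed.major
    // or parsed.prerelease further down the release script.
    throw new Error(`Invalid current version: ${JSON.stringify(version)}`);
  }
  if (parsed.prerelease.length === 0) return "latest"; // assumption: npm default tag
  const first = parsed.prerelease[0];
  // npm rejects dist-tags that can be read as a semver range, so a numeric
  // first identifier (e.g. "9.0.0-0") is refused rather than published as "0".
  if (typeof first !== "string" || !/^[a-zA-Z]+$/.test(first)) {
    throw new Error(`Prerelease "${first}" is not usable as a dist-tag`);
  }
  return first;
}

// Constructed sample versions, not taken from the repository.
function describe(version) {
  try {
    return resolveDistTag(version);
  } catch (err) {
    return `error: ${err.message}`;
  }
}

for (const v of ["9.0.0", "9.0.0-alpha.3", "9.0.0-0", "not-a-version"]) {
  console.log(v, "->", describe(v));
}
```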
Comment on lines 30 to +34
| function validateNpmTag(version) { | ||
| const parsed = semver.parse(version); | ||
| return ( | ||
| parsed.prerelease.length === 0 || /^[a-zA-Z]+$/.test(parsed.prerelease[0]) | ||
| parsed.prerelease.length === 0 || | ||
| (typeof parsed.prerelease[0] === "string" && |
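Review bot: in `validateNpmTag`, `semver.parse(version)` returns `null` for a string that is not valid semver, and the next expression reads `parsed.prerelease.length` without a check, so an invalid version surfaces as a TypeError instead of a validation failure. Suggest handling the null case before the prerelease test, for example `if (!parsed) return false;`, or throwing an error that names the offending version.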
Comment on lines +196 to +199
| # Stamp the package identity into the root package.json so Gradle bakes the | ||
| # correct name + version straight into the dist tarball. | ||
| npm pkg set name="$PACKAGE_NAME" version="$NPM_VERSION" | ||
|
|
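Review bot: on the `npm pkg set name="$PACKAGE_NAME" version="$NPM_VERSION"` line, nothing visible in this hunk checks either variable before it is written into the root package.json that the tarball is built from. Because the stamped name decides which package the OIDC publish targets, suggest failing the step unless `$PACKAGE_NAME` is one of the expected `@nativescript/android-*` engine packages and `$NPM_VERSION` is a non-empty, valid semver string.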
Comment on lines +1 to +4

Trusted NPM releases of Android engine packages.