54 changes: 54 additions & 0 deletions .github/workflows/publish.yml
@@ -0,0 +1,54 @@
name: Publish Packages

on:
push:
branches: [main]

permissions:
id-token: write
contents: read

jobs:
publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- uses: actions/setup-node@v4
with:
node-version: "22"
registry-url: "https://registry.npmjs.org"

- name: Enable Corepack (Yarn 4)
run: corepack enable

- name: Install dependencies
run: yarn install --immutable

- name: Build all packages
run: yarn build

- name: Publish changed packages
run: |
publish_if_new() {
local dir=$1
local name=$(node -p "require('./$dir/package.json').name")
local version=$(node -p "require('./$dir/package.json').version")
local published=$(npm view "$name@$version" version 2>/dev/null || echo "")

if [ "$published" = "$version" ]; then
echo "⏭️ $name@$version already published, skipping"
else
echo "📦 Publishing $name@$version..."
npm publish "./$dir" --access public
echo "✅ Published $name@$version"
fi
Comment on lines +31 to +45
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

How to configure npm trusted publishers with GitHub Actions OIDC for npm publish?

💡 Result:

To configure npm trusted publishers with GitHub Actions OIDC for npm publish, follow these steps based on official npm documentation. This eliminates the need for long-lived npm tokens by using short-lived OIDC tokens.

## Prerequisites

- npm CLI v11.5.1+ (ideally latest, e.g., npm@11.10.0+ for npm trust command)
- Node.js v22.14.0+
- Package must exist on npm (publish once traditionally if new)
- GitHub-hosted runners (self-hosted not supported yet)

## Step 1: Configure Trusted Publisher on npmjs.com (Web UI) or CLI

For each package:

Web UI (Primary method):

1. Go to https://www.npmjs.com/package/YOUR-PACKAGE/settings
2. Find "Trusted Publishing" section.
3. Select "GitHub Actions".
4. Enter:
   - Owner/Organization: e.g., yourusername or yourorg
   - Repository: e.g., my-repo
   - Workflow filename: e.g., publish.yml (exact match, including .yml)
   - Environment: optional, e.g., npm (must match workflow if used)
5. Save.

Each package supports only one trusted publisher.

CLI Alternative (npm trust, for bulk or scripting):

`npm trust github --file=publish.yml --repo=owner/repo --env=npm`

- Run locally after npm login.
- Use --yes to skip prompts.
- For bulk: Script loop over packages with 2s sleep to avoid rate limits.
- List: npm trust list
- Revoke: npm trust revoke --id=

Ensure package.json has accurate repository field:

`"repository": { "type": "git", "url": "git+https://github.com/owner/repo.git" }`

## Step 2: Update GitHub Actions Workflow

Create/edit .github/workflows/publish.yml (exact filename as configured):

```yaml
name: Publish to npm
on:
  push:
    tags: ['v*']  # Or release: types: [created]
permissions:
  id-token: write  # Critical for OIDC
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm  # Optional, match npm config
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: '24'  # 22.14.0+
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm run build  # If needed
      - run: npm run test  # If needed
      - run: npm publish --access public  # --provenance optional (auto-generated)
```

Key points:

- id-token: write permission required.
- No NPM_TOKEN secret needed for publish (remove if present).
- For private deps install: Use read-only NPM_READ_TOKEN in npm ci env.
- --provenance auto-enabled with trusted publishing (generates attestations).

## Step 3: Test and Publish

1. Update version: npm version patch (or minor/major).
2. Push tag: git push origin v1.0.1.
3. Workflow triggers, OIDC token exchanged automatically by npm CLI.

## Troubleshooting

- "Unable to authenticate": Verify workflow filename exact match, permissions, npm version.
- Update npm in workflow: npm install -g npm@latest.
- Check trusted config: npm trust list.
- Only GitHub-hosted runners; no self-hosted yet.

This setup provides secure, tokenless publishing with provenance attestations.


🏁 Script executed:

cat -n .github/workflows/publish.yml

Repository: lambda-curry/medusa-plugins

Length of output: 1911


🏁 Script executed:

node --version
npm --version
# Also check what version of npm comes with Node 22 LTS by checking npm release history

Repository: lambda-curry/medusa-plugins

Length of output: 85


🌐 Web query:

What version of npm is included with Node.js 22?

💡 Result:

Node.js 22 includes npm version 10.5.1 by default in its initial release (22.0.0). Subsequent point releases of Node.js 22 have updated to newer npm versions, such as 10.9.7 in the latest 22.22.2. The version varies by specific Node.js point release within the 22 major version, but starts with npm 10.5.1.


Missing NODE_AUTH_TOKEN environment variable — npm publish will fail with Node 22.

The workflow uses Node 22, which includes npm 10.x. npm trusted publishers auto-authentication requires npm 11.5.1+, so the id-token: write permission alone is insufficient. Without NODE_AUTH_TOKEN, the publish step will fail.

Add the missing environment variable or upgrade npm to 11.5.1+ to use OIDC-based trusted publishers.

🔧 Option A: Add NODE_AUTH_TOKEN (works with npm 10.x)
       - name: Publish changed packages
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
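Review bot: `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` reintroduces the long-lived publish credential that the `id-token: write` permission in this workflow was meant to replace, and a repository secret is readable by any workflow in the repository that references it. If this route is taken, use a granular access token scoped to publish on these packages only, keep `env:` on the publish step alone as the hunk does (`npm view` needs no credential), and treat it as temporary until npm is upgraded and the OIDC path works.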
         run: |
🔧 Option B: Upgrade npm to enable OIDC trusted publishers (removes token dependency)
       - uses: actions/setup-node@v4
         with:
           node-version: "22"
+          npm-version: "11"
           registry-url: "https://registry.npmjs.org"
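Review bot: `npm-version: "11"` is not an input of `actions/setup-node@v4` (its inputs are `node-version`, `node-version-file`, `registry-url`, `cache`, `scope`, `always-auth` and the like), so the runner only emits an "unexpected input" warning, npm stays at the 10.x that ships with Node 22, and the publish still fails. Upgrade in a separate step after setup-node, `run: npm install -g npm@11`, which is the approach the troubleshooting list above already names, and log `npm --version` before publishing so the job output shows which client ran.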

Then add --provenance for supply chain attestations:

               npm publish "./$dir" --access public
+              npm publish "./$dir" --access public --provenance
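Review bot: applied as written, this suggestion runs `npm publish` twice, because the original `npm publish "./$dir" --access public` is kept as an unchanged context line rather than removed with `-` and the `--provenance` variant is added beneath it; the second call would fail with the version already on the registry. Mark the old line with `-` so the flag replaces the call. The result quoted above also says provenance is generated automatically under trusted publishing, so the explicit flag is a belt-and-braces measure rather than the fix for the authentication failure.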
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish.yml around lines 31 - 45, The publish step's
publish_if_new function calls npm publish but running on Node 22 (npm 10.x)
requires a NODE_AUTH_TOKEN; either set NODE_AUTH_TOKEN in the workflow
environment for the publish step (so npm publish within publish_if_new can
authenticate) or upgrade npm to >=11.5.1 before running publish to use OIDC
trusted publishers; if you upgrade, remove the token and add the --provenance
flag to the npm publish invocation to emit supply-chain attestations.

}

# SDK first (other plugins may depend on it)
publish_if_new packages/plugins-sdk

# Then plugins
publish_if_new plugins/product-reviews
publish_if_new plugins/braintree-payment
publish_if_new plugins/webhooks
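Review bot: `local name=$(node -p ...)` and `local version=$(node -p ...)` inside `publish_if_new` hide the exit status of the command substitution, so a missing or malformed `package.json` leaves both empty and the function carries on to `npm view "@"` and `npm publish` instead of failing; declare and assign separately (`local name; name=$(node -p ...)`) and return non-zero when either is empty. A `run:` step with no `shell:` key already executes under `bash -e {0}` on ubuntu, so a failed `npm publish` does abort the step, but `-u` and `pipefail` are not enabled. On the supply-chain side, the job mints an OIDC token on every push to `main` and pulls `actions/checkout@v4` and `actions/setup-node@v4` by mutable tag; pin both to a full commit SHA and gate the job behind a protected `environment:` (which the trusted-publisher entry on npm can also be bound to) so that a compromised dependency or a stray push cannot publish on its own.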
Comment on lines +32 to +54
⚠️ Potential issue | 🟠 Major

Add error handling to fail the workflow if publishing fails.

The script lacks set -e and proper error handling. If npm publish fails for any package (e.g., authentication error, network issue), the workflow continues and may report success even though publishing failed.

🔧 Proposed fix to add error handling
       - name: Publish changed packages
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
+          set -e
+
           publish_if_new() {
             local dir=$1
             local name=$(node -p "require('./$dir/package.json').name")
             local version=$(node -p "require('./$dir/package.json').version")
             local published=$(npm view "$name@$version" version 2>/dev/null || echo "")
 
             if [ "$published" = "$version" ]; then
               echo "⏭️  $name@$version already published, skipping"
             else
               echo "📦 Publishing $name@$version..."
-              npm publish "./$dir" --access public
+              npm publish "./$dir" --access public --provenance
               echo "✅ Published $name@$version"
             fi
           }
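Review bot: `set -e` here duplicates what the runner already does: a `run:` step without an explicit `shell:` executes under `bash -e {0}`, so a failing `npm publish` already ends the step. The gaps this hunk leaves open are different: `local name=$(...)` and `local version=$(...)` mask the substitution's exit status (declare first, then assign), there is no `set -u` or `pipefail`, and `npm view ... 2>/dev/null || echo ""` turns a registry outage into an empty result that then triggers a publish attempt. Prefer `set -euo pipefail` plus a check that `$name` and `$version` are non-empty before `npm view`. The hunk also folds in the `NODE_AUTH_TOKEN` and `--provenance` changes from the earlier comment, which belong in that discussion rather than in an error-handling fix.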
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish.yml around lines 32 - 54, The publish script lacks
shell error handling so failed npm publishes can be ignored; update the workflow
run step to enable strict error checking (e.g., set -euo pipefail) and modify
the publish_if_new function to check npm publish exit status (or use &&/||) and
exit non‑zero on failure, ensuring any error from the npm publish command causes
the job to fail; reference the publish_if_new function and the npm publish
"./$dir" --access public invocation when adding these checks.
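A preflight check that ties the two findings above together, added here as an example and not part of the PR or of the review comments: it encodes the 11.5.1 minimum the first comment cites for npm trusted publishing and, in the spirit of the second comment, fails the job closed before any `npm publish` runs rather than letting the publish step discover the mismatch. The function names and the `MIN_NPM_FOR_OIDC` constant are this example's own; the threshold is the value quoted in the comment, and `preflight_npm_oidc` assumes `npm` is on the runner's PATH.

```shell
# Added example, not from the PR or the review comments: fail closed when the
# runner's npm is too old for trusted publishing. The 11.5.1 floor is the value
# quoted in the review comment above; function names are this example's own.
set -eu

MIN_NPM_FOR_OIDC="11.5.1"

# version_ge A B: exit 0 when dotted version A >= B. Compares up to three
# numeric components; missing components count as 0.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, pa, "."); m = split(b, pb, ".")
    for (i = 1; i <= 3; i++) {
      x = (i <= n) ? pa[i] + 0 : 0
      y = (i <= m) ? pb[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# npm_supports_oidc VERSION: exit 0 when this npm version can authenticate to
# the registry through the GitHub OIDC token instead of NODE_AUTH_TOKEN.
npm_supports_oidc() {
  local v
  v=$1
  v=${v#v}        # tolerate "v11.5.1"
  v=${v%%-*}      # drop a pre-release suffix such as "-pre.0"
  version_ge "$v" "$MIN_NPM_FOR_OIDC"
}

# preflight_npm_oidc: run as its own step between setup-node and the publish
# step; records the client version in the job log and returns 1 on a too-old npm.
preflight_npm_oidc() {
  local v
  v=$(npm --version)
  if npm_supports_oidc "$v"; then
    echo "npm $v: trusted publishing available (>= $MIN_NPM_FOR_OIDC)"
  else
    echo "npm $v is below $MIN_NPM_FOR_OIDC; run 'npm install -g npm@11' before publishing" >&2
    return 1
  fi
}
```

In the workflow this would be a `run:` step placed after `actions/setup-node` and before the publish step; its non-zero return ends the job before any package is pushed to the registry. It does not replace the authentication error `npm publish` would raise, it only moves the failure earlier and makes the cause explicit in the log.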