Conversation


@LukeBBC LukeBBC commented Nov 19, 2025

Summary of changes:

  • Update publish flow to use

@bbc/[email protected] publish:safe
SAFE_PUBLISH=1 node ./scripts/guard-publish.js

  • Restored package.json private:true and added .npmrc for security

  • Add DependencyAge check to PR CI pipeline

Tickets:

@LukeBBC LukeBBC requested a review from Copilot November 19, 2025 14:45

Copilot AI left a comment


Pull Request Overview

This PR implements a secure publish flow and adds dependency age checking to the CI pipeline. The changes prevent accidental package publishing by introducing a guard script and enforcing stricter npm configurations.

  • Introduces a guard script that requires an explicit environment variable to publish, with automatic cleanup of package.json state
  • Updates package.json to be private by default and pins Node.js version to 22.18.0
  • Adds .npmrc configuration for enhanced security and reproducibility

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File                      Description
scripts/guard-publish.js  New guard script that enforces safe publishing workflow with automatic state restoration
package.json              Sets package to private, updates Node.js version constraint, reorganizes test scripts, and adds safe publish command
.npmrc                    Adds npm configuration for exact versions, script safety, and engine enforcement
