Copilot AI commented Jan 23, 2026

User description

The plugins array was at root level in package.json instead of nested under the release key, preventing semantic-release from applying the npm plugin's provenance configuration during OIDC publishing.

Changes

  • Moved plugins array from root into release.plugins in package.json

The npm plugin provenance config was already present but not being read:

{
  "release": {
    "branches": ["main", "master"],
    "analyzeCommits": { ... },
    "plugins": [
      // ... other plugins
      [
        "@semantic-release/npm",
        {
          "npmPublish": true,
          "provenance": true
        }
      ]
    ]
  }
}

The workflow file required no changes - OIDC setup from PR #35 (registry-url, id-token: write, removed NPM_TOKEN) was already correct.

Original prompt

Problem

The semantic-release workflow is failing with npm error 401 Unauthorized after switching to OIDC trusted publishing and removing the NPM_TOKEN secret from the repository.

The current workflow at .github/workflows/main.yml still references NPM_TOKEN in the environment variables, and the setup-node action is not properly configured for OIDC authentication with npm registry.

Additionally, the root package.json needs to be configured with semantic-release npm plugin settings to enable provenance publishing.

Required Changes

1. Update .github/workflows/main.yml

In the release job, modify the setup-node step to include registry configuration:

- uses: actions/setup-node@v3
  with:
    node-version: '18'
    registry-url: 'https://registry.npmjs.org'

And remove the NPM_TOKEN reference from the release step environment variables:

- name: release
  run: npx semantic-release
  env:
    GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
    # NPM_TOKEN removed - using OIDC instead

The id-token: write permission is already present from PR #35, which is correct.

2. Configure semantic-release in root package.json

The root package.json needs semantic-release configuration with the npm plugin configured for provenance. Add or update the release configuration:

{
  "release": {
    "branches": ["main"],
    "plugins": [
      "@semantic-release/commit-analyzer",
      "@semantic-release/release-notes-generator",
      "@semantic-release/changelog",
      [
        "@semantic-release/npm",
        {
          "npmPublish": true,
          "provenance": true
        }
      ],
      "@semantic-release/git",
      "@semantic-release/github"
    ]
  }
}

Alternatively, if a .releaserc or .releaserc.json file exists, update it there instead with the same configuration.

Context

  • PR #35 ("[WIP] Fix automated release failures from main branch") added OIDC permissions (id-token: write) and configured the template package.json with provenance
  • The user has now removed the NPM_TOKEN secret from the repository settings
  • The workflow needs to fully transition from token-based auth to OIDC trusted publishing
  • Current error: npm error 401 Unauthorized - GET https://registry.npmjs.org/-/whoami

Validation

After these changes:

  1. The workflow should authenticate with npm using OIDC instead of a token
  2. Packages published will include provenance attestations
  3. The semantic-release job should complete successfully on pushes to main branch

This pull request was created from Copilot chat.

PR Type

Bug fix


Description

  • Move plugins array from root level into release.plugins object

  • Enable semantic-release to properly apply npm plugin OIDC provenance configuration

  • Fix npm authentication failure by ensuring plugins are nested under release key


Diagram Walkthrough

flowchart LR
  A["package.json root level"] -->|move plugins| B["release.plugins nested"]
  B -->|enables| C["npm OIDC provenance"]
  C -->|fixes| D["401 Unauthorized error"]

File Walkthrough

Relevant files

Bug fix: package.json
Relocate plugins into release configuration object

  • Moved plugins array from root level into release.plugins nested object
  • Preserved all plugin configurations including npm plugin with
    provenance: true
  • Maintained semantic-release configuration structure with
    analyzeCommits and releaseRules
  • Ensures semantic-release reads and applies npm plugin OIDC provenance
    settings
+27/-27 

…C provenance

Co-authored-by: lirantal <316371+lirantal@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Update semantic-release workflow for OIDC authentication" to "fix: nest semantic-release plugins in release config for OIDC provenance" Jan 23, 2026
Copilot AI requested a review from lirantal January 23, 2026 11:06
@lirantal lirantal marked this pull request as ready for review January 23, 2026 11:08
@qodo-code-review

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance 🟢
No security concerns identified. No security vulnerabilities detected by AI analysis. Human verification advised for critical code.

Ticket Compliance
🎫 No ticket provided

Codebase Duplication Compliance
Codebase context is not defined.

Custom Compliance 🟢

Generic: Comprehensive Audit Trails
Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance.
Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code
Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting.
Status: Passed

Generic: Robust Error Handling and Edge Case Management
Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation.
Status: Passed

Generic: Secure Error Handling
Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging.
Status: Passed

Generic: Secure Logging Practices
Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data.
Status: Passed

Generic: Security-First Input Validation and Data Handling
Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities.
Status: Passed

Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@qodo-code-review

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Suggestion: Commit package.json version bump

Add package.json to the assets array in the @semantic-release/git configuration
to ensure the version bump is committed to the repository.

package.json [213-220]

 [
   "@semantic-release/git",
   {
     "assets": [
-      "CHANGELOG.md"
+      "CHANGELOG.md",
+      "package.json"
     ]
   }
 ],
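Review bot: adding "package.json" to the @semantic-release/git assets is right, but if the repository also tracks a package-lock.json (the 2.9.3 changelog on this page lists an "out of sync package lock" fix), the npm plugin bumps the version in that file too, so it should be listed alongside package.json; otherwise the committed lock file drifts from the committed package.json on every release. Keep "CHANGELOG.md" in the list as the hunk does, since the changelog plugin writes it during the same run.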
Suggestion importance[1-10]: 9

Why: The suggestion correctly identifies a critical flaw in the release process where the version bump in package.json would not be committed, leading to a discrepancy between the repository and the published package.

Impact: High

@lirantal lirantal merged commit afbcecd into main Jan 23, 2026
9 checks passed
@lirantal lirantal deleted the copilot/update-semantic-release-workflow branch January 23, 2026 11:10
github-actions bot pushed a commit that referenced this pull request Jan 23, 2026
## [2.9.3](v2.9.2...v2.9.3) (2026-01-23)

### Bug Fixes

* add prepare script to template for Husky initialization ([#33](#33)) ([4ff841d](4ff841d))
* add publishConfig to package.json ([13fd5cf](13fd5cf))
* fix automated release failures from main branch ([#35](#35)) ([4450205](4450205))
* Fix JSON formatting in package.json ([2532548](2532548))
* nest semantic-release plugins in release config for OIDC provenance ([#37](#37)) ([afbcecd](afbcecd))
* npm publishing ([00bd030](00bd030))
* out of sync package lock ([a5400dc](a5400dc))
* update deep deps ([49fdbae](49fdbae))
@github-actions

🎉 This PR is included in version 2.9.3 🎉

The release is available on:

Your semantic-release bot 📦🚀
