Copilot AI commented Jan 23, 2026

User description

The release job fails with "Cannot find module '@semantic-release/changelog'" because npm ci --only=production skips devDependencies where all semantic-release plugins are installed.

Changes

  • Remove --only=production flag from npm install in .github/workflows/main.yml line 57

# Before
run: npm ci --ignore-engines --only=production --audit false

# After
run: npm ci --ignore-engines --audit false

This ensures semantic-release plugins (@semantic-release/changelog, @semantic-release/git, @semantic-release/npm, etc.) are available when npx semantic-release runs.

Original prompt

Problem

The CI workflow is failing on the main branch with the following error:

Error: Cannot find module '@semantic-release/changelog'

Root Cause

In the .github/workflows/main.yml file, the release job installs dependencies with:

- name: install dependencies
  run: npm ci --ignore-engines --only=production --audit false

The --only=production flag skips devDependencies. However, semantic-release and all its plugins (@semantic-release/changelog, @semantic-release/git, @semantic-release/npm, etc.) are installed as devDependencies in package.json.

When npx semantic-release runs, it cannot find the required plugin modules because they were never installed.

Solution Required

Modify the .github/workflows/main.yml file in the release job to remove the --only=production flag so that devDependencies (including all semantic-release plugins) are installed.

Change line 57 from:

run: npm ci --ignore-engines --only=production --audit false

To:

run: npm ci --ignore-engines --audit false

This will ensure all semantic-release plugins defined in the release.plugins configuration in package.json are properly installed before running semantic-release.

Files to Modify

  • .github/workflows/main.yml (line 57)

This pull request was created from Copilot chat.



PR Type

Bug fix


Description

  • Remove --only=production flag from npm ci command

  • Ensures semantic-release devDependencies are installed

  • Fixes release job module not found errors


Diagram Walkthrough

flowchart LR
  A["npm ci with --only=production"] -->|skips devDependencies| B["semantic-release plugins missing"]
  B -->|causes| C["Cannot find module error"]
  D["Remove --only=production flag"] -->|installs all dependencies| E["semantic-release plugins available"]
  E -->|enables| F["Release job succeeds"]

File Walkthrough

Relevant files

Bug fix
  • main.yml (.github/workflows/main.yml), +1/-1: Remove production-only flag from npm install
      • Removed --only=production flag from npm ci command in release job
      • Changed from npm ci --ignore-engines --only=production --audit false to npm ci --ignore-engines --audit false
      • Allows devDependencies including semantic-release plugins to be installed
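As an added example (not code from the PR, the project, or any bot on this page), a preflight check one could run in CI before `npx semantic-release` to predict exactly the failure this PR fixes: which plugins listed under release.plugins in package.json would be absent after `npm ci --only=production` versus a full install. It assumes the release config lives in package.json as the PR states, that semantic-release ships its four default plugins as its own dependencies, and that `npx` fetches semantic-release on demand; the sample package.json and its version ranges are constructed.

```javascript
// Added example (not from the PR or the project): predicts which semantic-release
// plugins `npm ci` leaves uninstalled, from package.json and whether devDependencies
// are omitted (--only=production / --omit=dev). Assumes `npx semantic-release` fetches
// semantic-release on demand and that it bundles its four default plugins.
const BUNDLED_WITH_SEMANTIC_RELEASE = new Set([
  '@semantic-release/commit-analyzer', '@semantic-release/release-notes-generator',
  '@semantic-release/npm', '@semantic-release/github',
]);

// A "release.plugins" entry is either "name" or ["name", { ...options }].
function pluginNames(pkg) {
  const plugins = (pkg.release && pkg.release.plugins) || [];
  return plugins.map((entry) => (Array.isArray(entry) ? entry[0] : entry));
}

// Names `npm ci` installs: dependencies always, devDependencies unless omitted.
function installedByNpmCi(pkg, { omitDev }) {
  const names = new Set(Object.keys(pkg.dependencies || {}));
  if (!omitDev) Object.keys(pkg.devDependencies || {}).forEach((n) => names.add(n));
  return names;
}

// Plugins semantic-release will fail to load ("Cannot find module ...").
function missingPlugins(pkg, { omitDev }) {
  const installed = installedByNpmCi(pkg, { omitDev });
  return pluginNames(pkg).filter(
    (name) => !BUNDLED_WITH_SEMANTIC_RELEASE.has(name) && !installed.has(name),
  );
}

// Constructed sample mirroring the PR: every plugin in devDependencies (made-up versions).
const SAMPLE_PKG = {
  dependencies: { 'some-runtime-lib': '^1.0.0' },
  devDependencies: { 'semantic-release': '^24', '@semantic-release/changelog': '^6',
                     '@semantic-release/git': '^10' },
  release: { plugins: [
    '@semantic-release/commit-analyzer',
    '@semantic-release/release-notes-generator',
    ['@semantic-release/changelog', { changelogFile: 'CHANGELOG.md' }],
    '@semantic-release/npm',
    ['@semantic-release/git', { assets: ['package.json', 'CHANGELOG.md'] }],
  ] },
};

// Run directly to compare the failing (omitDev) and fixed install modes.
if (typeof require !== 'undefined' && require.main === module) {
  for (const omitDev of [true, false]) {
    console.log(`omitDev=${omitDev}:`, missingPlugins(SAMPLE_PKG, { omitDev }));
  }
}
```

With omitDev true the sample yields exactly the two non-default plugins, changelog first, which matches the module-not-found error quoted in the description; pass a real parsed package.json in place of SAMPLE_PKG to check a project.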

…endencies

Co-authored-by: lirantal <316371+lirantal@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix CI workflow by installing devDependencies for semantic-release Fix release job: install devDependencies for semantic-release plugins Jan 23, 2026
Copilot AI requested a review from lirantal January 23, 2026 11:37
@lirantal lirantal marked this pull request as ready for review January 23, 2026 11:38
@qodo-code-review

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
DevDependency supply-chain risk

Description: Removing --only=production causes devDependencies to be installed in the release job, increasing supply-chain and CI compromise risk (e.g., a malicious/compromised devDependency with preinstall/postinstall scripts could execute during npm ci and affect the release process).

main.yml [57-57]

Referred Code
  run: npm ci --ignore-engines --audit false
- name: release
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance 🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed


Compliance status legend
  • 🟢 - Fully Compliant
  • 🟡 - Partially Compliant
  • 🔴 - Not Compliant
  • ⚪ - Requires Further Human Verification
  • 🏷️ - Compliance label

@lirantal lirantal merged commit be56441 into main Jan 23, 2026
9 checks passed
@lirantal lirantal deleted the copilot/fix-ci-workflow-dependencies branch January 23, 2026 11:39
@qodo-code-review

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Security
Enable security auditing for dependencies

Remove the --audit false flag from the npm ci command to re-enable security
audits for all dependencies. This is especially important in a release workflow
that handles secrets and now installs devDependencies.

.github/workflows/main.yml [57]

-run: npm ci --ignore-engines --audit false
+run: npm ci --ignore-engines
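Review bot: Re-enabling the audit on the `+` line does not gate the release: `npm ci` only prints the audit report and still exits 0 when vulnerabilities are found, so the devDependencies this PR adds are installed either way. If the intent is a gate, add a separate `npm audit --audit-level=high` step (which does exit non-zero) before the release step, and consider `--ignore-scripts` on `npm ci`, since the compliance comment above already notes that install scripts of devDependencies run in this job. Separately, `--ignore-engines` kept on the `+` line is a Yarn option, not an npm one; npm's engine check is governed by `engine-strict`, which is off by default, so that flag can be dropped as well.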
Suggestion importance[1-10]: 9


Why: This is a critical security suggestion to re-enable dependency auditing in a release workflow that handles secrets, which is crucial after adding devDependencies.

Impact: High

Category: General
Ensure devDependencies installation

Add NPM_CONFIG_PRODUCTION: false to the environment variables for the install
dependencies step to explicitly ensure devDependencies are installed.

.github/workflows/main.yml [57]

 run: npm ci --ignore-engines --audit false
+env:
+  NPM_CONFIG_PRODUCTION: false
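Review bot: The added `env` block is redundant once `--only=production` is gone, and `NPM_CONFIG_PRODUCTION` drives the legacy `production` config, which npm's own docs mark deprecated in favour of `--omit=dev` / `--include=dev`. If the step should state its intent explicitly, put `npm ci --include=dev` on the `run:` line rather than layering an older mechanism on top; two settings that say the same thing are one more place for the install behaviour to drift. The placement itself is fine: `env:` sits at the same indentation as `run:` and so belongs to this step.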
Suggestion importance[1-10]: 3


Why: The suggestion to explicitly set NPM_CONFIG_PRODUCTION: false adds robustness, but it's likely redundant as removing --only=production from the npm ci command is usually sufficient.

Impact: Low
Switch to --no-audit flag

Replace the --audit false flag with the more idiomatic --no-audit flag in the
npm ci command for better clarity and consistency.

.github/workflows/main.yml [57]

-npm ci --ignore-engines --audit false
+npm ci --ignore-engines --no-audit
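Review bot: The `+` line drops the `run:` key that the other two suggestions keep, so it cannot be applied verbatim to line 57 of the workflow, which is presumably why this one is marked for manual application; when applying it, keep the line as `run: npm ci --ignore-engines --no-audit`. Functionally `--no-audit` and `--audit false` set the same npm option, so the change is naming only.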

[To ensure code accuracy, apply this suggestion manually]

Suggestion importance[1-10]: 2


Why: This is a minor stylistic suggestion with no functional impact; while --no-audit might be more idiomatic, --audit false is also a valid and clear way to disable npm audits.

Impact: Low

@github-actions

🎉 This PR is included in version 2.9.3 🎉

The release is available on:

Your semantic-release bot 📦🚀
