fix: updates release workflow #54

Merged
mattinannt merged 1 commit into main from fix/update-workflow
Feb 19, 2026

Conversation

@pandeymangg (Contributor)

updates release workflow to use node 24.x for OIDC

@mattinannt mattinannt added this pull request to the merge queue Feb 19, 2026
Merged via the queue into main with commit 7d82d98 Feb 19, 2026
8 of 9 checks passed
@mattinannt mattinannt deleted the fix/update-workflow branch February 19, 2026 13:52
@coderabbitai

coderabbitai bot commented Feb 19, 2026

Walkthrough

The .github/workflows/release.yml workflow file was updated with two main changes. The Node.js setup step was renamed and its version was upgraded from 22.x to 24.x. The npm publish step was modified to remove the --provenance flag and retain only the --access public flag. These changes affect how the release workflow installs dependencies and publishes packages. A total of 3 lines were added and 3 lines were removed.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
- Title check: ✅ Passed. The title accurately describes the main change—updating the release workflow to use a newer Node.js version.
- Description check: ✅ Passed. The description is directly related to the changeset, explaining the purpose of updating the release workflow to Node.js 24.x for OIDC.
- Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

26-30: Upgrade actions/setup-node from v4.1.0 to v6.2.0 for explicit Node.js 24.x support and recent security updates.

Node.js 24.x became Active LTS on October 28, 2025, making the version bump appropriate. However, v4.1.0 was released October 24, 2024—predating Node.js 24's May 6, 2025 release. While the action can resolve Node.js 24 via its fallback mechanism, the current stable version is v6.2.0 (January 15, 2026), which includes explicit Node 24.x support and recent dependency updates.

Suggested update
-      - name: Setup Node.js
-        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+      - name: Setup Node.js
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version: 24.x
           registry-url: "https://registry.npmjs.org"
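Review bot: The suggested `uses:` line keeps the action pinned to a full commit SHA with the version in a trailing comment, which is the right form, but the AI-agent prompt that accompanies this finding tells the agent to switch to the mutable tag `actions/setup-node@v6.2.0`; applying the prompt literally would trade a SHA pin for a tag that can be moved. Keep the SHA form shown in the hunk (`uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0`) and verify that SHA against the upstream v6.2.0 tag before committing, since this hunk is the only place it is stated.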
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 26 - 30, The workflow pins
actions/setup-node to an old commit (uses:
actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af) which predates Node
24 support; update the uses line to the current stable tag (uses:
actions/setup-node@v6.2.0) while preserving node-version: 24.x and registry-url:
"https://registry.npmjs.org" so the job explicitly uses v6.2.0 of the action
with the existing Node.js setting and registry configuration.

Comment on lines 46 to +49
- name: Publish to npm
run: |
cd packages/react-native
npm publish --access public --provenance
npm publish --access public
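Review bot: The step on lines 46-49 has no `env:` block, and the only change in this hunk is dropping `--provenance`, so nothing here implements the OIDC authentication the PR description gives as the reason for the change; the `id-token: write` permission the workflow already grants is exactly what `--provenance` relied on, so removing the flag gives up the attestation without adding anything in its place. If npm trusted publishing is the intended auth path, say so in the step and keep `--provenance`; if a token is used, add `NODE_AUTH_TOKEN` to this step.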

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n .github/workflows/release.yml

Repository: formbricks/react-native

🏁 Script executed:

# Check if there's any npm configuration or documentation about trusted publishing
fd -type f -name "package.json" packages/react-native | head -5

🏁 Script executed:

# Search for any references to NODE_AUTH_TOKEN or npm auth in the repo
rg "NODE_AUTH_TOKEN|npm.*auth|publishConfig" --type json --type yaml --type yml

🏁 Script executed:

# Check if there are any other workflow files that might show npm auth setup patterns
git ls-files ".github/workflows/" | xargs grep -l "publish\|npm" 2>/dev/null

🏁 Script executed:

# Check package.json in packages/react-native
cat packages/react-native/package.json

🏁 Script executed:

# Search for NODE_AUTH_TOKEN in all workflow files
rg "NODE_AUTH_TOKEN" .github/workflows/

🏁 Script executed:

# Search for npm auth or publishConfig in the codebase
rg "publishConfig|npm auth|OIDC" --multiline

Missing authentication for npm publish — add NODE_AUTH_TOKEN or confirm npm trusted publishing is configured.

The publish step has no NODE_AUTH_TOKEN env var set. When registry-url is configured in actions/setup-node, it generates an .npmrc expecting NODE_AUTH_TOKEN. The workflow declares permissions: id-token: write # Required for OIDC, indicating OIDC intent, but npm trusted publishing requires explicit per-package configuration on npmjs.com and will not work without it. Publishing will fail unless one of these is true:

  1. npm trusted publishing (OIDC granular tokens) is configured for this package on npmjs.com, or
  2. NODE_AUTH_TOKEN is explicitly passed:
      - name: Publish to npm
        run: |
          cd packages/react-native
          npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Confirm which authentication method is intended and ensure it is properly configured.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml around lines 46 - 49, The "Publish to npm"
workflow step is missing authentication; either ensure npm "trusted publishing"
via OIDC is configured for this package on npmjs.com or pass NODE_AUTH_TOKEN
into the Publish to npm step; specifically, update the Publish to npm step (the
job step named "Publish to npm") to set NODE_AUTH_TOKEN from a repository secret
(e.g., secrets.NPM_TOKEN) when using actions/setup-node with a registry-url, or
alternatively confirm and document that OIDC/granular token trust for this
package is configured so the step can run without NODE_AUTH_TOKEN.

run: |
cd packages/react-native
npm publish --access public --provenance
npm publish --access public

⚠️ Potential issue | 🟠 Major

Dropping --provenance removes a supply chain security guarantee.

npm package provenance cryptographically links a published package to its source repository and the specific GitHub Actions build that produced it — enabling consumers to verify the package wasn't tampered with between source and registry. The id-token: write permission (Line 4) is still present in this workflow, meaning OIDC is still available and --provenance would continue to work alongside OIDC-based authentication. Removing provenance is a security posture regression that the PR description ("use Node.js 24.x for OIDC authentication") does not justify.

Consider restoring the flag:

🛡️ Restore provenance attestation
-          npm publish --access public
+          npm publish --provenance --access public
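Review bot: The restored line reorders the flags relative to the removed one (`--provenance --access public` versus the original `--access public --provenance`), which npm treats identically, but this suggestion only touches line 49; the missing-authentication finding on the same "Publish to npm" step is not addressed by it, so apply the two changes to that step together rather than committing this hunk on its own.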
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml at line 49, The npm publish step currently
drops the --provenance flag which weakens supply-chain guarantees; update the
publish invocation (the command that runs npm publish --access public) to
include the --provenance option so the workflow emits a provenance attestation
(e.g., change the npm publish command to include --provenance) while keeping the
existing id-token: write OIDC permissions intact.
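As an added example (not code from the PR or the formbricks/react-native repository), a small line-based linter for the three points the review raises: action references not pinned to a commit SHA, `npm publish` without `--provenance` while `id-token: write` is granted, and a publish step with `registry-url` but no `NODE_AUTH_TOKEN`. The sample workflow is constructed to mirror the merged step; the `actions/checkout@v4` reference and the zero-filled SHA in the hardened variant are placeholders.

```python
import re

# A `uses:` reference pinned to a full 40-hex commit SHA; tags such as @v4 are mutable.
SHA_PINNED = re.compile(r"uses:\s*\S+@[0-9a-f]{40}\b")

def lint_release_workflow(text: str) -> list[str]:
    """Line-based checks for the three review findings; one message per hit."""
    lines = text.splitlines()
    id_token_write = any(re.search(r"\bid-token:\s*write", l) for l in lines)
    registry_url = any("registry-url:" in l for l in lines)
    auth_token = any("NODE_AUTH_TOKEN" in l for l in lines)
    findings = []
    for n, line in enumerate(lines, 1):
        if "uses:" in line and not SHA_PINNED.search(line):
            findings.append(f"line {n}: action not pinned to a commit SHA: {line.strip()}")
        if "npm publish" in line:
            if id_token_write and "--provenance" not in line:
                findings.append(f"line {n}: npm publish lacks --provenance despite id-token: write")
            if registry_url and not auth_token:
                findings.append(f"line {n}: registry-url is set but no NODE_AUTH_TOKEN supplied; "
                                "confirm npm trusted publishing is configured for the package")
    return findings

# Constructed sample mirroring the merged "Publish to npm" step (checkout ref is a placeholder).
WEAK = """\
permissions:
  id-token: write # Required for OIDC
jobs:
  publish:
    steps:
      - uses: actions/checkout@v4
      - name: Setup Node.js
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          node-version: 24.x
          registry-url: "https://registry.npmjs.org"
      - name: Publish to npm
        run: |
          cd packages/react-native
          npm publish --access public
"""

# Hardened variant: SHA-pinned checkout (zero-filled placeholder SHA), --provenance
# restored, and NODE_AUTH_TOKEN supplied from a repository secret.
HARDENED = WEAK.replace("actions/checkout@v4", "actions/checkout@" + "0" * 40 + " # placeholder")
HARDENED = HARDENED.replace("npm publish --access public", "npm publish --provenance --access public\n"
                            "        env:\n          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}")
```

`lint_release_workflow(WEAK)` returns three findings, one per review point; the hardened variant returns an empty list.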
