🧪 Testing To try out this version of the SDK, run: Expires at: Mon, 09 Mar 2026 18:16:34 GMT |
3e6fdb9 to 2a8f691
2a8f691 to 6a8bd0c
🤖 Release is at https://github.com/kernel/kernel-node-sdk/releases/tag/v0.32.0 🌻
Cursor Bugbot has reviewed your changes and found 2 potential issues.
| # Publish with the appropriate tag | ||
| yarn publish --tag "$TAG" | ||
| export npm_config_registry='https://registry.npmjs.org' | ||
| ../oidc/node_modules/.bin/npm publish --tag "$TAG" |
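Review bot: The publish line invokes npm through the relative path ../oidc/node_modules/.bin/npm, so it only resolves when the script's working directory is a sibling of oidc/. Resolve that path into a variable once and fail with a clear message if the binary is not executable before calling publish --tag "$TAG". Separately, export npm_config_registry changes the registry for every later npm call in the script; passing --registry on the publish command alone would keep the override scoped to the one step that needs it.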
Missing --provenance flag breaks OIDC npm publishing
High Severity
The npm publish command is missing the --provenance flag required for OIDC-based authentication. When NPM_TOKEN is not set, the script falls through to OIDC mode but the publish command on line 70 doesn't include --provenance. Without this flag, npm won't use the OIDC token for authentication, causing the publish to fail with an authentication error. The comment on line 65 says "Install OIDC compatible npm version" but the actual publish command doesn't enable OIDC authentication.
| if [ -z "${NPM_TOKEN}" ]; then | ||
| errors+=("The NPM_TOKEN secret has not been set. Please set it in either this repository's secrets or your organization secrets") | ||
| fi | ||
|
|
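Review bot: If the if [ -z "${NPM_TOKEN}" ] block in this hunk goes away without a replacement, nothing else visible here appends to errors, so the script can no longer report a missing credential. Since the PR summary says bin/publish-npm still falls back to NPM_TOKEN when not running in Actions, keep the check but make it conditional: require NPM_TOKEN only when the job is not able to request an OIDC token.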
Release environment check script now performs no validation
Low Severity
The check-release-environment script now creates an empty errors array, checks if it has elements (it never will), and always outputs "The environment is ready to push releases!" without validating anything. This is dead code that provides false assurance. The release doctor workflow still invokes this script expecting it to catch configuration issues, but it will always succeed regardless of the actual environment state. The script either needs OIDC-related checks or removal.
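One way a release check could validate both publish paths this PR describes (NPM_TOKEN, or OIDC inside GitHub Actions), as an added example that is not the SDK's own bin/check-release-environment. The function names, messages and the minimum npm version are assumptions; ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN are the variables GitHub Actions exposes to jobs granted id-token: write.

```sh
#!/bin/sh
# Added example (not the SDK's bin/check-release-environment). It accepts either
# publish path the PR describes: NPM_TOKEN, or OIDC inside GitHub Actions.

# Assumed minimum npm for OIDC publishing; confirm against npm's documentation.
MIN_NPM_VERSION=${MIN_NPM_VERSION:-11.5.1}

# version_ge A B: succeeds when dotted numeric version A >= B.
version_ge() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
  [ "$lowest" = "$2" ]
}

# check_release_environment NPM_VERSION
# Prints one line per problem; the return status is the number of problems.
check_release_environment() {
  npm_version=${1:-}
  problems=0
  if [ -n "${NPM_TOKEN:-}" ]; then
    :  # token fallback: nothing OIDC-specific to verify
  elif [ "${GITHUB_ACTIONS:-}" = "true" ]; then
    # Actions sets both variables only for jobs granted `id-token: write`.
    if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
       [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
      echo "OIDC request variables are missing: grant the job 'id-token: write'"
      problems=$((problems + 1))
    fi
    if ! version_ge "$npm_version" "$MIN_NPM_VERSION"; then
      echo "npm '${npm_version}' is older than ${MIN_NPM_VERSION}"
      problems=$((problems + 1))
    fi
  else
    echo "NPM_TOKEN is not set and this is not a GitHub Actions job"
    problems=$((problems + 1))
  fi
  return "$problems"
}

# Constructed demo: an Actions job without id-token permission and an old npm.
(
  unset NPM_TOKEN ACTIONS_ID_TOKEN_REQUEST_URL ACTIONS_ID_TOKEN_REQUEST_TOKEN
  GITHUB_ACTIONS=true
  check_release_environment "10.9.2" || echo "=> $? problem(s) found"
)
```

In a real script the argument would be the version reported by the npm binary that performs the publish.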


Automated Release PR
0.32.0 (2026-02-07)
Full Changelog: v0.31.2...v0.32.0
Features
Chores
This pull request is managed by Stainless's GitHub App.
The semver version number is based on included commit messages. Alternatively, you can manually set the version number in the title of this pull request.
For a better experience, it is recommended to use either rebase-merge or squash-merge when merging this pull request.
Note
Medium Risk
Changes the release/publish pipeline and authentication method for npm publishing, which can break releases if misconfigured. SDK type change is additive and low risk.
Overview
Bumps the SDK release to 0.32.0 (manifest, package.json, src/version.ts, and changelog) and refreshes generated stats/spec metadata.
Publishing is switched to support npm OIDC: GitHub Actions now requests id-token permission, the workflows stop injecting NPM_TOKEN, bin/check-release-environment no longer requires a token, and bin/publish-npm can publish via OIDC (falling back to NPM_TOKEN when not running in Actions) using an OIDC-compatible npm binary.
The auth models add an optional can_reauth_reason field on both AuthAgent and ManagedAuth to explain why automatic re-auth is or isn't possible.
Written by Cursor Bugbot for commit 6a8bd0c. This will update automatically on new commits.