fix: 使用可信任发布

[sj817]

Summary by Sourcery

更新发布工作流，通过 pnpm 以及显式的 Node.js 设置和 npm 升级来发布包，并为更多的包配置在公共 npm registry 上发布。

增强（Enhancements）：

• 为 pm2、test 和 onebot 包配置 publishConfig，以便公开发布到官方 npm registry。

构建（Build）：

• 调整发布的 GitHub Actions 工作流，设置 Node.js 20、升级 npm，并通过 pnpm 发布 core、cli 和 create-karin 包，而不是使用 npm-publish action。

Original summary in English

Summary by Sourcery

Update release workflow to publish packages using pnpm with explicit Node.js setup and npm upgrade, and configure public npm registry publishing for additional packages.

Enhancements:

• Configure publishConfig for pm2, test, and onebot packages to publish publicly to the official npm registry.

Build:

• Adjust release GitHub Actions workflow to set up Node.js 20, upgrade npm, and publish core, cli, and create-karin packages via pnpm instead of the npm-publish action.

Summary by CodeRabbit

• Chores
  • Streamlined release workflow with explicit package publishing commands, replacing automated publish actions for improved control.
  • Added Node.js setup and package version detection to enhance publishing reliability.
  • Configured multiple packages for public npm registry distribution with explicit access settings.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Caution

Review failed

The pull request is closed.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

This PR refactors the GitHub Actions release workflow to replace the npm-publish action with explicit pnpm publish commands, adds Node.js setup and npm update steps, and configures four package.json files with public npm registry publishing settings.

Changes

Cohort / File(s)	Summary
Release Workflow Restructuring .github/workflows/release.yml	Replaces npm-publish action with custom run blocks executing pnpm publish commands; adds Node.js setup (v4) and npm latest installation; extracts package name/version via npm pkg get and writes to GITHUB_OUTPUT for three publish jobs (core, cli, create-karin).
Package Publishing Configuration packages/onebot/package.json, packages/pm2/package.json, packages/test/package.json	Adds publishConfig field to each file with access set to "public" and registry pointing to https://registry.npmjs.org.
Core Package Timestamp packages/core/package.json	Increments timestamp field from 2025-10-08T06:35:20.000Z to 2025-10-08T06:35:20.001Z.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

• GitHub Actions workflow syntax: Verify pnpm publish commands and npm pkg get extraction syntax
• Output capturing: Ensure GITHUB_OUTPUT assignments are correctly formatted across all three publish jobs
• publishConfig consistency: Confirm the registry URL and access level are appropriate and consistent across all modified packages

Poem

🐰 From actions old to commands new,
We publish forth with pnpm true,
Each package dons its public crown,
To registries we'll build our town! 🏰

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix-ci

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fee9269 and 11a804e.

📒 Files selected for processing (5)

• .github/workflows/release.yml (3 hunks)
• packages/core/package.json (1 hunks)
• packages/onebot/package.json (1 hunks)
• packages/pm2/package.json (1 hunks)
• packages/test/package.json (1 hunks)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[sourcery-ai]

审阅者指南

将发布工作流从 JS-DevTools/npm-publish 切换为使用 setup-node 和手动基于 pnpm 的发布，并为多个包配置使用公共 npm registry 的发布设置。

GitHub Actions 中使用 pnpm 发布到 npm registry 的时序图

sequenceDiagram
  actor Maintainer
  participant GitHubWorkflow as GitHub_Workflow
  participant SetupNode as Setup_Node_Action
  participant Pnpm as pnpm_CLI
  participant NpmRegistry as Npm_Registry

  Maintainer ->> GitHubWorkflow: push_tag_or_trigger_release
  GitHubWorkflow ->> SetupNode: configure_Node_js_20_and_npm_registry
  SetupNode -->> GitHubWorkflow: node_environment_ready
  GitHubWorkflow ->> GitHubWorkflow: update_global_npm_to_latest
  GitHubWorkflow ->> Pnpm: pnpm_publish_in_package_directory
  Pnpm ->> NpmRegistry: publish_tarball_with_publishConfig_registry
  NpmRegistry -->> Pnpm: publish_result
  Pnpm -->> GitHubWorkflow: exit_code_and_logs
  GitHubWorkflow ->> GitHubWorkflow: read_name_and_version_with_npm_pkg_get
  GitHubWorkflow ->> GitHubWorkflow: set_step_outputs_for_release_summary
  GitHubWorkflow -->> Maintainer: report_release_status

Loading

发布工作流中基于 pnpm 的包发布步骤流程图

flowchart TD
  Start[Start_publish_step]
  SetupNode[Setup_Node_js_20_and_registry]
  UpdateNpm[Update_global_npm_to_latest]
  CdPackage[Change_directory_to_target_package]
  PnpmPublish[Run_pnpm_publish]
  ReadName[Read_package_name_with_npm_pkg_get]
  ReadVersion[Read_package_version_with_npm_pkg_get]
  SetOutputs[Write_name_and_version_to_GitHub_outputs]
  End[End_publish_step]

  Start --> SetupNode --> UpdateNpm --> CdPackage --> PnpmPublish --> ReadName --> ReadVersion --> SetOutputs --> End

Loading

文件级变更

变更	详情	文件
重构 GitHub Actions 发布工作流，使其使用 setup-node 和 pnpm publish，而不是 JS-DevTools/npm-publish。	为 core、cli 和 create-karin 的发布任务添加一个 Node.js 20 的设置步骤，并配置 npmjs.org registry。 在发布前添加一个步骤，将全局 npm 升级到最新版本。 用 shell 脚本替换 JS-DevTools/npm-publish@v3 action，这些脚本会 cd 到对应的包目录并运行 pnpm publish。 在发布后通过 npm pkg get 获取包名和版本，并写入 GITHUB_OUTPUT 供后续步骤使用。	.github/workflows/release.yml
通过 publishConfig 配置各包以在主 npm registry 上公开发布。	在 pm2 的 package.json 中添加 publishConfig，设置 access=public 和 registry=https://registry.npmjs.org。 在 test 的 package.json 中添加 publishConfig，设置 access=public 和 registry=https://registry.npmjs.org。 在 onebot 的 package.json 中添加 publishConfig，设置 access=public 和 registry=https://registry.npmjs.org，并将其从 exports 块中移出。	packages/pm2/package.json packages/test/package.json packages/onebot/package.json

---

提示与命令

与 Sourcery 交互

• 触发新的审阅： 在 pull request 中评论 @sourcery-ai review。
• 继续讨论： 直接回复 Sourcery 的审阅评论。
• 从审阅评论生成 GitHub issue： 回复 Sourcery 的审阅评论，请求从该评论创建 issue。你也可以在审阅评论下回复 @sourcery-ai issue 来从该评论创建一个 issue。
• 生成 pull request 标题： 在 pull request 标题的任意位置写上 @sourcery-ai 以随时生成标题。你也可以在 pull request 中评论 @sourcery-ai title 来（重新）生成标题。
• 生成 pull request 摘要： 在 pull request 正文的任意位置写上 @sourcery-ai summary，即可在该位置生成 PR 摘要。你也可以在 pull request 中评论 @sourcery-ai summary 来在任意时间（重新）生成摘要。
• 生成审阅者指南： 在 pull request 中评论 @sourcery-ai guide，即可在任意时间（重新）生成审阅者指南。
• 一次性解决所有 Sourcery 评论： 在 pull request 中评论 @sourcery-ai resolve，即可将所有 Sourcery 评论标记为已解决。如果你已经处理了所有评论且不想再看到它们，这会非常有用。
• 一次性忽略所有 Sourcery 审阅： 在 pull request 中评论 @sourcery-ai dismiss，即可忽略所有现有的 Sourcery 审阅。特别适合你想从头开始一次新的审阅时——别忘了再评论 @sourcery-ai review 以触发新的审阅！

自定义你的体验

访问你的 控制台 以：

• 启用或禁用审阅功能，例如 Sourcery 自动生成的 pull request 摘要、审阅者指南等。
• 更改审阅语言。
• 添加、移除或编辑自定义审阅指令。
• 调整其他审阅设置。

获取帮助

• 如有问题或反馈，请联系我们的支持团队。
• 访问我们的文档以获取详细指南和信息。
• 关注我们在 X/Twitter、LinkedIn 或 GitHub 上的账号，与 Sourcery 团队保持联系。

Original review guide in English

Reviewer's Guide

Switches the release workflow from JS-DevTools/npm-publish to a manual pnpm-based publish using setup-node and configures publish settings for several packages to use the public npm registry.

Sequence diagram for GitHub Actions pnpm publish to npm registry

sequenceDiagram
  actor Maintainer
  participant GitHubWorkflow as GitHub_Workflow
  participant SetupNode as Setup_Node_Action
  participant Pnpm as pnpm_CLI
  participant NpmRegistry as Npm_Registry

  Maintainer ->> GitHubWorkflow: push_tag_or_trigger_release
  GitHubWorkflow ->> SetupNode: configure_Node_js_20_and_npm_registry
  SetupNode -->> GitHubWorkflow: node_environment_ready
  GitHubWorkflow ->> GitHubWorkflow: update_global_npm_to_latest
  GitHubWorkflow ->> Pnpm: pnpm_publish_in_package_directory
  Pnpm ->> NpmRegistry: publish_tarball_with_publishConfig_registry
  NpmRegistry -->> Pnpm: publish_result
  Pnpm -->> GitHubWorkflow: exit_code_and_logs
  GitHubWorkflow ->> GitHubWorkflow: read_name_and_version_with_npm_pkg_get
  GitHubWorkflow ->> GitHubWorkflow: set_step_outputs_for_release_summary
  GitHubWorkflow -->> Maintainer: report_release_status

Loading

Flow diagram for pnpm-based package publish step in release workflow

flowchart TD
  Start[Start_publish_step]
  SetupNode[Setup_Node_js_20_and_registry]
  UpdateNpm[Update_global_npm_to_latest]
  CdPackage[Change_directory_to_target_package]
  PnpmPublish[Run_pnpm_publish]
  ReadName[Read_package_name_with_npm_pkg_get]
  ReadVersion[Read_package_version_with_npm_pkg_get]
  SetOutputs[Write_name_and_version_to_GitHub_outputs]
  End[End_publish_step]

  Start --> SetupNode --> UpdateNpm --> CdPackage --> PnpmPublish --> ReadName --> ReadVersion --> SetOutputs --> End

Loading

File-Level Changes

Change	Details	Files
Refactor GitHub Actions release workflow to use setup-node and pnpm publish instead of JS-DevTools/npm-publish.	Add a Node.js 20 setup step with npmjs.org registry configuration for core, cli, and create-karin publish jobs. Add a step to globally upgrade npm to the latest version before publishing. Replace JS-DevTools/npm-publish@v3 action with shell scripts that cd into the respective package directories and run pnpm publish. Populate GITHUB_OUTPUT with package name and version via npm pkg get after publish for downstream steps.	.github/workflows/release.yml
Configure packages to publish publicly to the main npm registry via publishConfig.	Add publishConfig with access=public and registry=https://registry.npmjs.org to pm2 package.json. Add publishConfig with access=public and registry=https://registry.npmjs.org to test package.json. Add publishConfig with access=public and registry=https://registry.npmjs.org to onebot package.json, moving it out of the exports block.	packages/pm2/package.json packages/test/package.json packages/onebot/package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[gemini-code-assist]

Summary of Changes

Hello @sj817, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

此拉取请求旨在通过在多个模块的 package.json 文件中添加标准化的 publishConfig 字段，来修复和规范包的发布流程。此更改确保了这些包能够以公共访问权限发布到 npm 官方注册表，从而提高发布的一致性和可靠性。

Highlights

• 配置发布设置: 为 packages/onebot、packages/pm2 和 packages/test 模块的 package.json 文件添加了 publishConfig 字段，以明确控制包的发布行为。
• 确保公共访问: 所有受影响的 package.json 文件中的 publishConfig 都将 access 设置为 public，确保这些包在发布到 npm registry 时是公开可用的。
• 指定发布注册表: 通过在 publishConfig 中明确指定 registry 为 https://registry.npmjs.org，统一了包的发布目标。

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/release.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[sourcery-ai]

你好——我已经查看了你的修改，这里有一些反馈：

• 新的 pnpm publish 步骤不再传递 secrets.NPM_TOKEN（或 NODE_AUTH_TOKEN）作为认证信息，因此在发布私有包或带 scope 的包时可能会失败；建议在这些步骤中导出 NODE_AUTH_TOKEN=${{ secrets.NPM_TOKEN }}（或等效的 npmrc 配置）。
• 现在三个 release 任务中都重复了 setup-node 和 npm install -g npm@latest 这两个步骤；建议将它们提取到一个共享的 job/模板中，或者使用 matrix 来减少重复，让 workflow 更容易维护。

给 AI 代理的提示

Please address the comments from this code review:

## Overall Comments
- The new `pnpm publish` steps no longer pass `secrets.NPM_TOKEN` (or `NODE_AUTH_TOKEN`) as auth, so the publish may fail for private or scoped packages; consider exporting `NODE_AUTH_TOKEN=${{ secrets.NPM_TOKEN }}` (or equivalent npmrc config) in those steps.
- The three release jobs now each duplicate the `setup-node` and `npm install -g npm@latest` steps; consider extracting these into a shared job/template or using a matrix to reduce duplication and keep the workflow easier to maintain.

---

Sourcery 对开源项目是免费的——如果你喜欢我们的评审，请考虑分享一下 ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{帮我变得更有用！请在每条评论上点 👍 或 👎，我会根据你的反馈改进后续评审。}

Original comment in English

Hey there - I've reviewed your changes - here's some feedback:

• The new pnpm publish steps no longer pass secrets.NPM_TOKEN (or NODE_AUTH_TOKEN) as auth, so the publish may fail for private or scoped packages; consider exporting NODE_AUTH_TOKEN=${{ secrets.NPM_TOKEN }} (or equivalent npmrc config) in those steps.
• The three release jobs now each duplicate the setup-node and npm install -g npm@latest steps; consider extracting these into a shared job/template or using a matrix to reduce duplication and keep the workflow easier to maintain.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The new `pnpm publish` steps no longer pass `secrets.NPM_TOKEN` (or `NODE_AUTH_TOKEN`) as auth, so the publish may fail for private or scoped packages; consider exporting `NODE_AUTH_TOKEN=${{ secrets.NPM_TOKEN }}` (or equivalent npmrc config) in those steps.
- The three release jobs now each duplicate the `setup-node` and `npm install -g npm@latest` steps; consider extracting these into a shared job/template or using a matrix to reduce duplication and keep the workflow easier to maintain.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[gemini-code-assist]

Code Review

这个 PR 旨在通过添加 publishConfig 来将 onebot、pm2 和 test 这三个包发布到公共 npm registry，这是一个很好的改进。然而，审查中发现了一些需要注意的问题。首先，pm2 和 test 包的名称非常通用，在 npm 上已经存在非常流行的同名包，这会导致发布失败；建议将这些包的名称加上作用域（例如 @karinjs/pm2）。其次，所有三个被修改的 package.json 文件末尾都缺少一个换行符，这不符合通用的文件格式约定，建议修正。请查看具体的审查评论以获取详细信息。

[github-actions]

你可以通过以下命令安装该版本：

pnpm add https://pkg.pr.new/KarinJS/Karin/node-karin@11a804e -w