ci/changesets provenance

[LGLabGreg]

Summary by CodeRabbit

• Chores
  • Updated CI/CD configuration to enable security provenance tracking for package releases.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
reactqrcode-com	Ready	Preview	Comment	Nov 9, 2025 10:30am

[coderabbitai]

Walkthrough

This pull request adds a new changeset entry documenting patch-level updates for '@lglab/react-qr-code' and 'reactqrcode.com' packages, and configures the release workflow to enable NPM provenance verification by setting the NPM_CONFIG_PROVENANCE environment variable.

Changes

Cohort / File(s)	Summary
Changeset Entry .changeset/puny-squids-play.md	New changeset file documenting patch-level updates for '@lglab/react-qr-code' and 'reactqrcode.com' with provenance metadata
Release Workflow Configuration .github/workflows/release.yml	Added NPM_CONFIG_PROVENANCE: true environment variable to the "Create Release Pull Request or Publish to npm" step

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• Next #272: Adds a changeset recording patch updates for the same packages (@lglab/react-qr-code and reactqrcode.com), making it a direct sibling change.
• ci: changesets version #55: Modifies both .changeset entries for @lglab/react-qr-code and the release workflow, including complementary NPM configuration changes.
• fix: .com version #116: Adds changeset entries addressing patches for the reactqrcode.com package, sharing the same downstream artifact.

Poem

🐰 A changeset hops into view,
With provenance marked true and true,
The release workflow now knows the score,
Trust and tracing forevermore! ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci/changesets provenance' is directly related to the main changes: adding provenance configuration to the CI/CD workflow and creating a changeset entry with provenance markers.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ci/changesets-provenance

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.changeset/puny-squids-play.md (1)

1-6: Consider expanding the changeset description for clarity.

The changeset description "ci:changset provenance" is quite terse and doesn't explain the purpose of the change. Consider updating it to provide more context for users reading the changelog—e.g., what provenance verification means and why it's being enabled.

Example:

-ci:changset provenance
+Enable NPM provenance verification for package releases, providing cryptographic proof of package origin.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 6f3733f and d078d58.

📒 Files selected for processing (2)

• .changeset/puny-squids-play.md (1 hunks)
• .github/workflows/release.yml (1 hunks)

🧰 Additional context used

🪛 LanguageTool

.changeset/puny-squids-play.md

[grammar] ~1-~1: Il y a peut-être une erreur ici
Context: --- '@lglab/react-qr-code': patch 'reactqrcode.com': patch --- ci:changset provenance

(QB_NEW_FR)

---

[typographical] ~6-~6: Une espace est requise.
Context: ...: patch 'reactqrcode.com': patch --- ci:changset provenance

(DEUX_POINTS_ESPACE)

🔇 Additional comments (1)

.github/workflows/release.yml (1)

48-48: Correct environment variable configuration.

The NPM_CONFIG_PROVENANCE: true setting is correctly added to the release workflow. This enables NPM's provenance verification feature, which provides cryptographic attestation of package origin during publishing—a security best practice for package authenticity.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix typo in changeset description.

Line 6 contains "changset" which should be "changeset".

-ci:changset provenance
+ci:changeset provenance

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	ci:changset provenance
	ci:changeset provenance

🧰 Tools

🪛 LanguageTool

[typographical] ~6-~6: Une espace est requise.
Context: ...: patch 'reactqrcode.com': patch --- ci:changset provenance

(DEUX_POINTS_ESPACE)

🤖 Prompt for AI Agents

In .changeset/puny-squids-play.md around line 6, the changeset description
contains a typo "changset"; update that word to the correct spelling "changeset"
so the line reads "ci:changeset provenance".