ci: remove redundant npmpublish.yml (semantic-release is the publish path)#39

Merged
JohnMcLear merged 1 commit into main from ci/remove-redundant-npmpublish on Jun 2, 2026

Conversation

@JohnMcLear

Member

Follow-up to #38 (Qodo finding). npmpublish.yml published to npm on release: created using the now-dead NPM_TOKEN.

It's redundant: the semantic-release job in test-and-release.yml already publishes to npm (via OIDC, with provenance — confirmed by the 1.2.2 publish) and creates the GitHub Release. semantic-release makes that release with GITHUB_TOKEN, which by design doesn't trigger other workflows, so npmpublish.yml never fires in the automated flow. On a manual release it would either double-publish or fail on the expired token.

Deleting it leaves semantic-release as the single, OIDC-authenticated publish path — no stored token anywhere.

🤖 Generated with Claude Code

…path)

npmpublish.yml published to npm on `release: created` using the now-dead
NPM_TOKEN. It is redundant: the semantic-release job in test-and-release.yml
already publishes to npm (via OIDC, with provenance) AND creates the GitHub
Release. semantic-release makes that release with GITHUB_TOKEN, which by
design does not trigger other workflows, so npmpublish.yml never fires in
the automated flow — and on a *manual* release it would double-publish or
fail on the expired token. Delete it so semantic-release is the single,
OIDC-authenticated publish path.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
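As an added illustration (not code from this repository or from its workflows): a small POSIX shell audit that checks a `.github/workflows` directory for the three properties the description claims once npmpublish.yml is gone: no workflow references the stored `NPM_TOKEN` secret, no workflow still fires on GitHub Release events (the would-be second publish path), and the job that runs semantic-release requests the OIDC token (`permissions: id-token: write`). The two workflow files it writes are constructed stand-ins, not the project's real `test-and-release.yml` or the deleted `npmpublish.yml`, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from this repository. Audits a workflows directory
# for: (1) no stored NPM_TOKEN, (2) no `release:` trigger, (3) OIDC permission
# on the publishing job. The fixture workflows below are constructed stand-ins.

# Exit 0 if the top-level `on:` block of a workflow file lists a `release:`
# event. A `release:` key elsewhere (e.g. a job named release) does not count.
# YAML forbids tab indentation, so "column-0 non-space" reliably marks a top key.
has_release_trigger() {
  awk '
    /^[^ #]/ { inon = ($0 ~ /^on:/) }   # a column-0 key starts or ends the on: block
    inon && /^ +release:/ { found = 1 }
    END { exit (found ? 0 : 1) }
  ' "$1"
}

# Exit 0 when every .yml in the directory passes all three checks; print findings.
audit_workflows() {
  dir="$1"; rc=0
  for f in "$dir"/*.yml; do
    [ -f "$f" ] || continue
    # (1) The stored token the PR set out to eliminate.
    if grep -q 'secrets.NPM_TOKEN' "$f"; then
      echo "FAIL $f: stored NPM_TOKEN still referenced"; rc=1
    fi
    # (2) A release-event trigger would be a second publish path (double publish).
    if has_release_trigger "$f"; then
      echo "FAIL $f: still triggers on GitHub Release events"; rc=1
    fi
    # (3) Whatever publishes must be able to mint an OIDC token.
    if grep -qE 'semantic-release|npm publish' "$f" && ! grep -q 'id-token: write' "$f"; then
      echo "FAIL $f: publishes without requesting an OIDC token (id-token: write)"; rc=1
    fi
  done
  [ "$rc" -eq 0 ] && echo "OK $dir: single OIDC publish path, no stored token"
  return "$rc"
}

# Build constructed before/after fixtures; prints the temp directory path.
build_fixture() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/before" "$tmp/after"
  # Constructed stand-in for the deleted workflow: release trigger + stored token.
  cat > "$tmp/before/npmpublish.yml" <<'EOF'
name: npm publish
on:
  release:
    types: [created]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF
  # Constructed stand-in for the workflow that stays: push-to-main, OIDC, GITHUB_TOKEN.
  cat > "$tmp/before/test-and-release.yml" <<'EOF'
name: Test and Release
on:
  push:
    branches: [main]
permissions:
  contents: write
  id-token: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - run: npx semantic-release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
EOF
  cp "$tmp/before/test-and-release.yml" "$tmp/after/"   # "after" = the PR's end state
  echo "$tmp"
}

FIXTURE=$(build_fixture)
audit_workflows "$FIXTURE/before" || echo "before: the findings above are the expected state"
audit_workflows "$FIXTURE/after"
```

Run it from anywhere; to audit a real checkout instead of the fixture, call `audit_workflows path/to/.github/workflows`. The `release:` detection deliberately parses only the `on:` block so that a job named `release` (as in the fixture) is not mistaken for a trigger.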
@qodo-free-for-open-source-projects


Review Summary by Qodo

Remove redundant npmpublish.yml workflow file

✨ Enhancement

Walkthroughs

Description
• Remove redundant npm publish workflow file
• Consolidate publishing to semantic-release only
• Eliminate dead NPM_TOKEN secret dependency
• Ensure single OIDC-authenticated publish path
Diagram
flowchart LR
  A["npmpublish.yml<br/>release:created trigger"] -->|"DELETED"| B["semantic-release<br/>single publish path"]
  C["NPM_TOKEN<br/>dead secret"] -->|"REMOVED"| D["OIDC auth<br/>only method"]

File Changes

1. .github/workflows/npmpublish.yml ⚙️ Configuration changes +0/-18

Delete redundant npm publish workflow

• Deleted entire workflow file that published to npm on release creation
• Removed redundant publishing logic using expired NPM_TOKEN
• Consolidates npm publishing to semantic-release workflow only
• Eliminates double-publish risk and token expiration issues

qodo-free-for-open-source-projects Bot commented Jun 2, 2026


Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0)

Remediation recommended

1. Manual release publish removed 🐞 Bug ☼ Reliability
Description
Deleting .github/workflows/npmpublish.yml removes the only workflow that ran on `release: created`, so creating a GitHub Release manually will no longer trigger an npm publish. This can leave a GitHub Release without a corresponding npm publish unless the release is produced via the Test and Release (semantic-release) push-to-main flow.
Code

.github/workflows/npmpublish.yml[L3-6]

Evidence
After removing npmpublish.yml (the only workflow that was triggered on `release: created`), the remaining workflows are triggered by push/pull_request, workflow_run, or workflow_call only—none listen to GitHub Release creation events.

.github/workflows/test-and-release.yml[3-9]
.github/workflows/automerge.yml[5-10]
.github/workflows/backend-tests.yml[4-6]
.github/workflows/frontend-tests.yml[5-7]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
With `npmpublish.yml` removed, there is no longer any workflow that reacts to `release: created`. Manual GitHub UI releases will therefore not publish to npm.

## Issue Context
`Test and Release` runs `semantic-release` on pushes to main/master, but it is not triggered by GitHub Release creation events.

## Fix Focus Areas
Choose one (based on intended release process):
- If manual GitHub Releases should still publish to npm, add an `on: release` path that runs the publish/release logic (either by extending `test-and-release.yml` or reintroducing a minimal workflow that calls the same release job).
- If manual releases are intentionally unsupported, document this explicitly (e.g., in `CONTRIBUTING.md`) to prevent creating GitHub Releases that won't be published.

### Code pointers
- .github/workflows/test-and-release.yml[1-37]
- CONTRIBUTING.md[1-60]


@JohnMcLear

Member Author

@qodo This is the intended behavior change, not a regression. Publishing is owned by semantic-release on the push-to-main flow: it derives the version from conventional commits, publishes to npm via OIDC, and creates the GitHub Release itself. Manual GitHub Releases aren't part of this project's process — and because semantic-release creates releases with GITHUB_TOKEN (which doesn't trigger other workflows), npmpublish.yml never fired in the real flow anyway. A single OIDC publish path is the goal; there's no scenario here that leaves a release unpublished.

@JohnMcLear JohnMcLear merged commit d791371 into main Jun 2, 2026
3 checks passed
@JohnMcLear JohnMcLear deleted the ci/remove-redundant-npmpublish branch June 2, 2026 15:57