Remove cache in publish workflow #93

Open
andrew-fleming wants to merge 3 commits into OpenZeppelin:main from andrew-fleming:remove-cache-publish
andrew-fleming commented May 21, 2026

The PR proposes to inline the minimal required setup steps for publishing to avoid cache poisoning risk

Summary by CodeRabbit

  • Chores
    • Improved release workflow infrastructure with explicit Node.js configuration and enhanced dependency management practices to ensure more consistent and reproducible package builds during the release process.

andrew-fleming requested review from a team as code owners May 21, 2026 18:02
coderabbitai Bot commented May 21, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c14346a3-c723-45e1-9874-1104c5416dda

Walkthrough

The release-publish workflow now explicitly bootstraps Node.js tooling: corepack is enabled, actions/setup-node is pinned and configured to read .nvmrc, and yarn install --immutable replaces the previous environment setup action to ensure consistent dependency resolution before package build and publish.

Changes

Release workflow environment setup

Layer / File(s) | Summary
Bootstrap Node.js and dependencies for release workflow (.github/workflows/release-publish.yml) | Corepack is enabled, actions/setup-node (pinned version) loads the Node.js version from .nvmrc, and yarn install --immutable installs dependencies with locked versions, replacing the prior generic environment setup step.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • OpenZeppelin/compact-tools#87: Introduces the same corepack/setup-node + yarn install --immutable workflow changes to the release-publish pipeline.

Suggested labels

enhancement

Suggested reviewers

  • pepebndc

Poem

🐰 A workflow springs forth, clean and bright,
With corepack and Node aligned just right,
Yarn's immutable lock ensures no stray,
Release pipelines flow the proper way! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'Remove cache in publish workflow' accurately describes the main change: removing cache from the publish workflow and replacing it with explicit setup steps.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/release-publish.yml (1)

106-106: Update actions/setup-node pin if you want the latest releases.

  • SHA 395ad3262231945c25e8478fd5baf05154b1d79f corresponds to actions/setup-node@v6.1.0.
  • Latest released version is actions/setup-node@v6.4.0 (released 2026-04-20); consider repinning to the v6.4.0 SHA if you want the newest fixes.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release-publish.yml at line 106, Update the pinned
actions/setup-node reference so it uses the v6.4.0 release instead of the v6.1.0
SHA: locate the uses:
actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f entry and replace
the pinned ref with the v6.4.0 release (either by using
actions/setup-node@v6.4.0 or the corresponding v6.4.0 commit SHA) to pick up the
latest fixes.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/release-publish.yml:
- Around line 102-108: Move the "Enable corepack" step to run after the
actions/setup-node step so corepack is initialized against the Node.js version
specified by node-version-file ".nvmrc"; specifically, reorder the workflow so
the actions/setup-node@... (the step using node-version-file: ".nvmrc") runs
first and then run the "Enable corepack" step (run: corepack enable) immediately
after it to ensure corepack shims target the correct Node.js installation.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 9e136bd4-4ca2-46ae-8a36-5064575170a4

📥 Commits

Reviewing files that changed from the base of the PR and between 9ed94fa and 02cf28a.

📒 Files selected for processing (1)
  • .github/workflows/release-publish.yml

Comment thread .github/workflows/release-publish.yml Outdated
Comment on lines +102 to +108
- name: Enable corepack
run: corepack enable

- name: Setup Node.js
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with:
node-version-file: ".nvmrc"
⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Reorder: enable corepack AFTER Node.js setup.

Enabling corepack before actions/setup-node means corepack is configured against the runner's pre-installed Node.js. When the workflow then switches to the Node.js version specified in .nvmrc, the corepack shims may reference the wrong Node.js installation, potentially causing version mismatches or inconsistent package manager behavior in a security-sensitive release workflow.

🔧 Proposed fix: swap the step order
-      - name: Enable corepack
-        run: corepack enable
-
       - name: Setup Node.js
         uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version-file: ".nvmrc"
+
+      - name: Enable corepack
+        run: corepack enable
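Review bot: the `with:` block on the `Setup Node.js` step sets only `node-version-file`, so whether setup-node caches anything is left to the action's default for the pinned version. Since the PR's stated goal is to keep cache out of the publish path, consider adding `package-manager-cache: false` under `with:` so caching is off by explicit configuration and stays off if the pin is bumped later.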
Suggested change
- name: Enable corepack
run: corepack enable
- name: Setup Node.js
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with:
node-version-file: ".nvmrc"
- name: Setup Node.js
uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
with:
node-version-file: ".nvmrc"
- name: Enable corepack
run: corepack enable
son-oz commented May 21, 2026

@andrew-fleming @0xisk actions/setup-node#1549
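
A check for the properties this PR is after in a publish workflow (no cache restore, actions pinned to a commit SHA, locked install), written as an added example that is not part of the PR or of OpenZeppelin's tooling. The function name, rule names and both sample workflows are constructed for illustration; the hardened sample reuses the steps quoted in the thread.

```python
import re

PINNED = re.compile(r"@[0-9a-f]{40}$")             # full commit SHA after "@"
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
CACHE_INPUT = re.compile(r"^\s*cache:\s*\S+")      # e.g. setup-node `cache: yarn`
YARN_INSTALL = re.compile(r"\byarn install\b")
# Constructed sample: mutable tag, dependency cache, unlocked install.
WEAK = """\
jobs:
  publish:
    steps:
      - uses: actions/setup-node@v6
        with:
          node-version-file: ".nvmrc"
          cache: yarn
      - run: yarn install
"""

# Constructed sample using the steps quoted in this PR.
HARDENED = """\
jobs:
  publish:
    steps:
      - name: Setup Node.js
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
        with:
          node-version-file: ".nvmrc"
      - name: Enable corepack
        run: corepack enable
      - run: yarn install --immutable
"""

def audit_workflow(text):
    """Return (line_no, rule, detail) findings; line-based, no YAML parser."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #", 1)[0].rstrip()      # drop trailing YAML comment
        m = USES.match(line)
        if m:
            ref = m.group(1).strip("'\"")
            if ref.startswith("actions/cache"):
                findings.append((no, "cache-action", ref))
            if not ref.startswith(("./", "docker://")) and not PINNED.search(ref):
                findings.append((no, "unpinned-action", ref))
        if CACHE_INPUT.match(line):
            findings.append((no, "cache-input", line.strip()))
        if YARN_INSTALL.search(line) and "--immutable" not in line:
            findings.append((no, "mutable-install", line.strip()))
    return findings
```

Local (`./`) actions are skipped by the pin check, so a composite setup action that restores a cache internally has to be audited in its own file.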
