
Fix npm provenance metadata and bump version to 0.2.3#5

Merged
eiei114 merged 2 commits into
mainfrom
fix-provenance-0-2-3
May 28, 2026

Conversation

@eiei114 eiei114 commented May 28, 2026

Owner

Summary

  • bump version to 0.2.3
  • add package.json repository/homepage/bugs metadata
  • fix npm provenance repository URL mismatch for trusted publishing

Validation

  • npm run check

Summary by CodeRabbit

  • Documentation

    • Updated README install instructions to pin dependency to 0.2.3.
  • Chores

    • Bumped package version to 0.2.3 and added repository, homepage, and bug-report metadata.
    • Updated CI release workflow permissions and added conditional trigger for the publish workflow.
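The repository metadata this PR adds is what npm compares against the source repository recorded in the provenance attestation when a package is published with provenance; a mismatch (or a missing field) makes the publish fail. The following is an added example, not the project's code and not npm's own verification routine: it normalizes the accepted spellings of a GitHub `repository` value in package.json to `owner/repo` and checks it against the repository that runs the publish workflow. The repository name `example-org/example-package` is a placeholder, and both package.json documents are constructed to show the shape before and after adding the fields.

```python
"""Check package.json repository metadata against the publishing repository.

Added example, not npm's own verification code. It mirrors the comparison
npm makes when publishing with provenance: the repository named in
package.json must match the repository that produced the attestation.
"""
import json
import re

# Accepted spellings of a GitHub repository in package.json "repository":
#   https://github.com/owner/repo, git+https://github.com/owner/repo.git,
#   ssh://git@github.com/owner/repo.git, git@github.com:owner/repo.git
GITHUB_URL_RE = re.compile(
    r"^(?:git\+)?(?:https?://|ssh://git@|git@)github\.com[:/]([^/]+)/([^/]+?)(?:\.git)?/?$"
)
# Shorthand forms: github:owner/repo or owner/repo
GITHUB_SHORTHAND_RE = re.compile(r"^(?:github:)?([^/:@]+)/([^/:@]+?)(?:\.git)?$")


def normalize_repository(spec):
    """Return 'owner/repo' in lower case for any accepted GitHub form, or None
    when the value does not name a GitHub repository."""
    if isinstance(spec, dict):          # {"type": "git", "url": "..."} form
        spec = spec.get("url", "")
    if not isinstance(spec, str):
        return None
    spec = spec.strip()
    match = GITHUB_URL_RE.match(spec) or GITHUB_SHORTHAND_RE.match(spec)
    if not match:
        return None
    return f"{match.group(1)}/{match.group(2)}".lower()


def check_provenance_repository(package_json_text, publishing_repository):
    """Compare package.json's repository with the repository running the
    publish workflow (what GitHub exposes as GITHUB_REPOSITORY).
    Returns (ok, detail)."""
    pkg = json.loads(package_json_text)
    declared = normalize_repository(pkg.get("repository"))
    expected = publishing_repository.strip().lower()
    if declared is None:
        return False, "package.json has no GitHub repository field; provenance cannot be matched"
    if declared != expected:
        return False, f"package.json repository {declared!r} does not match publishing repository {expected!r}"
    return True, f"repository matches {expected!r}"


# Placeholder repository name; the real owner/name is not given on this page.
PUBLISHING_REPOSITORY = "example-org/example-package"

# Constructed package.json without the repository metadata (the mismatch case).
PACKAGE_BEFORE = json.dumps({"name": "example-package", "version": "0.2.3"})

# Constructed package.json with repository, homepage and bugs metadata present.
PACKAGE_AFTER = json.dumps({
    "name": "example-package",
    "version": "0.2.3",
    "repository": {"type": "git", "url": "git+https://github.com/example-org/example-package.git"},
    "homepage": "https://github.com/example-org/example-package#readme",
    "bugs": {"url": "https://github.com/example-org/example-package/issues"},
})

if __name__ == "__main__":
    for label, text in (("before", PACKAGE_BEFORE), ("after", PACKAGE_AFTER)):
        ok, detail = check_provenance_repository(text, PUBLISHING_REPOSITORY)
        print(f"{label}: {'OK' if ok else 'MISMATCH'}: {detail}")
```

Running this as a pre-publish step (with `publishing_repository` taken from `GITHUB_REPOSITORY`) turns the provenance mismatch into a clear local error before `npm publish` is attempted.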

coderabbitai Bot commented May 28, 2026

Walkthrough

This PR bumps the package to 0.2.3 and expands package.json metadata (repository, homepage, bugs.url), updates README install pin to 0.2.3, and updates the auto-release GitHub Actions workflow to grant actions: write and trigger publish.yml with the created release tag.

Changes

Version 0.2.3 Release

| Layer / File(s) | Summary |
|---|---|
| Package version bump and README sync: package.json, README.md | version -> 0.2.3; added repository, homepage, and bugs.url fields to package.json. README npm install pin changed to 0.2.3. |
| Release workflow permissions and publish trigger: .github/workflows/auto-release.yml | Adds actions: write to workflow permissions and a conditional step that runs gh workflow run publish.yml with the new tag (passes tag as ref and ref input, reusing token). |

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant AutoRelease as Auto-release Workflow
  participant GHCLI as gh CLI
  participant GitHubAPI as GitHub API
  participant PublishWF as publish.yml Workflow

  AutoRelease->>GHCLI: gh release create --tag <tag>
  GHCLI->>GitHubAPI: create release (uses GITHUB_TOKEN)
  AutoRelease->>GHCLI: gh workflow run publish.yml --ref <tag> (pass ref input)
  GHCLI->>GitHubAPI: trigger workflow run for publish.yml with ref=<tag>
  GitHubAPI->>PublishWF: start publish.yml run (with passed ref)
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped a tiny version up today,
0.2.3 now leads the way.
Metadata sprouted, workflows set to run,
A queued publish tied to the release tag—fun!
Little changes, tidy and bright, hooray!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main changes: fixing npm provenance metadata and bumping the version to 0.2.3, which aligns with the primary objectives of the pull request. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


coderabbitai Bot commented May 28, 2026

Actionable comments posted: 0

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
.github/workflows/auto-release.yml (1)

50-56: ⚡ Quick win

Use environment variable to avoid template injection in shell context.

Directly interpolating ${{ steps.check.outputs.tag }} into the run: block is flagged by static analysis for potential command injection. While the risk is low here (the value originates from package.json and requires write access to main), best practice is to pass it via an environment variable, which GitHub Actions properly escapes.

♻️ Proposed fix
       - name: Trigger publish workflow
         if: steps.check.outputs.released == 'true'
-        run: |
-          TAG="${{ steps.check.outputs.tag }}"
-          gh workflow run publish.yml --ref "$TAG" -f ref="$TAG"
+        run: gh workflow run publish.yml --ref "$TAG" -f ref="$TAG"
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG: ${{ steps.check.outputs.tag }}
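Review bot: The move is sound as written, because values under `env:` are set by the runner before the shell starts, so whatever `steps.check.outputs.tag` contains reaches the script only as the contents of `$TAG`, and the quoting on `--ref "$TAG" -f ref="$TAG"` keeps it a single argument each time. One thing still worth checking on the receiving side: the same value is forwarded as the `ref` input to publish.yml, so that workflow should also read it through `env:` or a shell variable rather than interpolating `${{ inputs.ref }}` inside its own `run:` blocks; otherwise this hardening just moves the interpolation one workflow downstream.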
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/auto-release.yml around lines 50 - 56, The run block
currently interpolates `${{ steps.check.outputs.tag }}` directly, which risks
template injection; modify the "Trigger publish workflow" step to pass the tag
via an environment variable (e.g., set env: TAG: ${{ steps.check.outputs.tag }}
or similar) and then reference that env var inside the run script as "$TAG"
(used by the existing TAG variable and gh workflow run command) instead of using
`${{ ... }}` inline; ensure GH_TOKEN remains in env and remove direct template
interpolation from the run body so the shell only sees the escaped environment
variable.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: e48480c7-4c9a-4eb8-a0ca-df89f726c450

📥 Commits

Reviewing files that changed from the base of the PR and between cf560f8 and 21cace1.

📒 Files selected for processing (1)
  • .github/workflows/auto-release.yml
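The nitpick above rests on one distinction: an expression written inside a `run:` body is substituted into the script text before the shell parses it, while the same expression under `env:` only ever becomes the value of a variable. The scanner below is an added example, not part of this PR or of CodeRabbit, that makes the distinction checkable: it walks a workflow file line by line and reports every `${{ }}` expression that lands inside a `run:` body. It is deliberately not a YAML parser and assumes the usual forms, a single-line `run:` or a block scalar (`run: |` / `run: >`). The two sample steps are constructed copies of the before and after shapes in the proposed fix.

```python
"""Report ${{ }} expressions that are expanded inside GitHub Actions run: bodies.

Added example: a line-oriented scanner, not a YAML parser. It assumes run:
is written either as a single line or as a block scalar (run: | / run: >).
"""
import re

EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")          # one ${{ expression }}
RUN_KEY_RE = re.compile(r"^(?:-\s+)?run:\s*(.*)$")      # run: key, optionally as "- run:"
BLOCK_INDICATORS = {"|", ">", "|-", ">-", "|+", ">+"}   # YAML block scalar headers


def find_run_expressions(workflow_text):
    """Return [(line_number, expression), ...] for every ${{ ... }} whose
    value is substituted into a run: body before the shell executes it."""
    findings = []
    block_key_col = None  # column of the run: key while inside its block scalar
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if block_key_col is not None:
            if stripped == "" or indent > block_key_col:
                # still inside the block scalar: everything here is shell text
                findings.extend((line_no, e) for e in EXPR_RE.findall(line))
                continue
            block_key_col = None  # dedented back to the step's keys
        match = RUN_KEY_RE.match(stripped)
        if not match:
            continue
        value = re.sub(r"\s+#.*$", "", match.group(1)).strip()  # drop trailing YAML comment
        if value in BLOCK_INDICATORS:
            block_key_col = line.find("run:")
        else:
            findings.extend((line_no, e) for e in EXPR_RE.findall(value))
    return findings


# Constructed sample: the shape of the step the review comment flags.
VULNERABLE_STEP = """\
      - name: Trigger publish workflow
        if: steps.check.outputs.released == 'true'
        run: |
          TAG="${{ steps.check.outputs.tag }}"
          gh workflow run publish.yml --ref "$TAG" -f ref="$TAG"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
"""

# Constructed sample: the same step after moving the value into env:.
FIXED_STEP = """\
      - name: Trigger publish workflow
        if: steps.check.outputs.released == 'true'
        run: gh workflow run publish.yml --ref "$TAG" -f ref="$TAG"
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          TAG: ${{ steps.check.outputs.tag }}
"""


def report(name, workflow_text):
    """Print one line per finding; returns the number of findings."""
    findings = find_run_expressions(workflow_text)
    for line_no, expr in findings:
        print(f"{name}:{line_no}: ${{{{ {expr} }}}} expanded inside run: body")
    if not findings:
        print(f"{name}: no expressions inside run: bodies")
    return len(findings)


if __name__ == "__main__":
    report("vulnerable", VULNERABLE_STEP)
    report("fixed", FIXED_STEP)
```

The scanner reports every expression in a `run:` body, including `secrets.*`, on purpose: even a value that cannot be attacker-chosen is easier to audit when it is visibly passed through `env:`, and the rule "no `${{ }}` inside `run:`" is simpler to enforce in CI than a list of exceptions.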

@eiei114 eiei114 merged commit 5ae53ba into main May 28, 2026
1 check passed
@eiei114 eiei114 deleted the fix-provenance-0-2-3 branch May 28, 2026 15:48