Fix: [AEA-5986] - Fix publish fame library (#77)

originalphil · web-flow · commit aac5b797ee19 · 2026-03-05T10:40:28.000Z
## Summary

- Routine Change

### Details

Only include pypi plugin for semantic release when pypi_publish is
passed to tag-release as true.
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
@@ -4,15 +4,6 @@ vulnerabilities:
       - "package-lock.json"
     statement: downstream dependency for tar - waiting for new npm release
     expired_at: 2026-06-01
-  - id: CVE-2026-25128
-    statement: fast-xml-parser vulnerability accepted as risk - dependency of aws-sdk/client-dynamodb
-    expired_at: 2026-03-01
-  - id: CVE-2026-25547
-    statement: isaacs/brace-expansion vulnerability accepted as risk - dependency of semantic-release
-    expired_at: 2026-03-01
-  - id: CVE-2026-0775
-    statement: npm vulnerability accepted as risk - dependency of semantic-release
-    expired_at: 2026-03-01
   - id: CVE-2026-26996
     statement: minimatch vulnerability accepted as risk
     expired_at: 2026-06-01
@@ -25,3 +16,6 @@ vulnerabilities:
   - id: CVE-2026-26960
     statement: tar vulnerability accepted as risk
     expired_at: 2026-06-01
+  - id: GHSA-qffp-2rhf-9h96
+    statement: tar vulnerability accepted as risk - dependency of npm (multiple)
+    expired_at: 2026-06-01
diff --git a/release.config.cjs b/release.config.cjs
@@ -76,13 +76,14 @@ module.exports = {
                 pkgRoot: subpackage
             }
         ]),
-        [
-            "semantic-release-pypi",
-            {
-                pypiPublish: pypiPublish,
-                repoToken: pypiToken
-            }
-        ],
+        ...(pypiPublish ? [
+            [
+                "semantic-release-pypi",
+                {
+                    repoToken: pypiToken
+                }
+            ]
+        ] : []),
         [
             "@semantic-release/github",
             {
