1 change: 1 addition & 0 deletions AGENTS.md
Expand Up @@ -258,6 +258,7 @@ packaging/npm/
6. Smoke-tests the published wrapper with `npx --yes agoraio-cli@<tag> --version` (retry/backoff for registry propagation)

**Prerequisites:**
- npm package names already exist on the registry before relying on trusted publishing.
- npm **Trusted Publisher** configured on each package (`agoraio-cli` and all `agoraio-cli-*`), pointing at repo `AgoraIO/cli` and workflow `release.yml`.
- `id-token: write` workflow permission (already set in `release.yml`) — required for trusted publishing and provenance.

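Review bot: the new prerequisite "npm package names already exist on the registry" is ambiguous about who must own them; a name merely being taken on the registry does not help, and a package owned by someone else would block trusted publishing entirely. Suggest rewording along the lines of "Each package (`agoraio-cli` and all `agoraio-cli-*`) has been published at least once under the owning npm account, since a Trusted Publisher can only be configured on an existing package", and point at the bootstrap step for that first publish, since the release workflow itself cannot create a package that does not yet exist.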
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -17,6 +17,7 @@ Earlier entries pre-date this convention and only carry their version's compare

### Fixed

- Clarify that npm release publishing uses trusted publishing only and requires every npm package to exist before release automation runs.
- Update GoReleaser Cosign signing to emit `checksums.txt.sigstore.json` with `--bundle`, matching Cosign's current bundle-based signing flow.

## [0.2.2] - 2026-05-26
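Review bot: the hunk header context says earlier entries "only carry their version's compare" link, which implies entries under the current convention carry a per-entry reference, but the new "Clarify that npm release publishing uses trusted publishing only ..." line carries none. If the convention is a PR or commit link per entry, add one here to match the neighbouring Cosign `--bundle` entry's format. The entry also reads as a documentation clarification rather than a code fix, so consider whether it belongs under "### Fixed" or under a "Changed"/"Documentation" heading if the changelog uses one.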
3 changes: 2 additions & 1 deletion RELEASING.md
Expand Up @@ -25,7 +25,7 @@ The release workflow (`.github/workflows/release.yml`) then:
- Publishes the six per-platform packages with `npm publish --provenance`
- Publishes the wrapper package (`agoraio-cli`) with `npm publish --provenance`
- Runs a post-publish smoke test: `npx --yes agoraio-cli@<tag> --version` with retry/backoff to handle registry propagation
- Authenticates via [npm trusted publishing](https://docs.npmjs.com/trusted-publishers/) (OIDC from GitHub Actions — no `NPM_TOKEN` secret)
- Authenticates only via [npm trusted publishing](https://docs.npmjs.com/trusted-publishers/) (OIDC from GitHub Actions)
- Requires `id-token: write` workflow permission (already set in `release.yml`)

3. **Apt repository** job (triggered by the published release):
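Review bot: the removed line explicitly stated "no `NPM_TOKEN` secret", and the replacement "Authenticates only via npm trusted publishing (OIDC from GitHub Actions)" drops that statement. The absence of a long-lived registry token in the repository is the security property an operator auditing this workflow will look for, and "only via" leaves it implicit. Suggest keeping it, e.g. "Authenticates only via [npm trusted publishing](...) (OIDC from GitHub Actions); no `NPM_TOKEN` or other registry secret is configured or needed".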
Expand Down Expand Up @@ -63,6 +63,7 @@ The release workflow exposes a `workflow_dispatch` trigger that runs the npm pub

Before tagging the first real release that ships npm, confirm:

- [ ] Each npm package exists on npm. Trusted publishing can only be configured after the package exists.
- [ ] Each npm package has a **Trusted Publisher** configured on [npmjs.com](https://www.npmjs.com) (Package → Settings → Trusted Publisher → GitHub Actions):
- Repository: `AgoraIO/cli`
- Workflow filename: `release.yml`
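Review bot: the new checklist item "Each npm package exists on npm" states the requirement but not how a first-time package gets created, and the `workflow_dispatch` trigger described in the hunk header context cannot do it because the workflow authenticates only via trusted publishing, which needs the package to exist first. Suggest adding the bootstrap procedure directly under this item (for example, a one-time manual `npm publish` of a placeholder version by a maintainer, after which the Trusted Publisher is configured and the automation takes over), so the checklist is actionable for the six per-platform packages and the wrapper.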