|
54 | 54 |
|
55 | 55 | - uses: actions/setup-node@v4 |
56 | 56 | with: |
57 | | - node-version: "22" |
| 57 | + node-version: "24" |
58 | 58 | registry-url: "https://registry.npmjs.org" |
59 | 59 |
|
60 | 60 | - name: Install dependencies |
|
69 | 69 | - name: Format check |
70 | 70 | run: bun run format:check |
71 | 71 |
|
72 | | - # npm whoami does NOT support OIDC trusted publishing — it only |
73 | | - # works with a static token. We keep NODE_AUTH_TOKEN here so this |
74 | | - # pre-publish sanity check still works. The actual publish step |
75 | | - # authenticates via OIDC (no token needed). |
76 | | - - name: Verify npm auth |
77 | | - run: npm whoami --registry=https://registry.npmjs.org/ |
78 | | - env: |
79 | | - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
80 | | - |
81 | 72 | - name: Resolve version |
82 | 73 | id: version |
83 | 74 | run: bun script/version.ts |
@@ -145,117 +136,6 @@ jobs: |
145 | 136 | echo "::warning::Could not verify $VERSION on the registry after 60s of polling. The publish step itself reported success; verification is informational only and the workflow will continue to the tag/release steps." |
146 | 137 | exit 0 |
147 | 138 |
|
148 | | - # Reconcile npm dist-tags.latest after a dev publish. On the very |
149 | | - # first publish of a new package, npm auto-assigns `latest` to |
150 | | - # whatever version was published, regardless of `--tag dev`. That |
151 | | - # leaves end users running plain `npm install <pkg>` getting a |
152 | | - # prerelease, which trips OpenClaw's prerelease guard with a |
153 | | - # confusing error. |
154 | | - # |
155 | | - # This step runs ONLY for dev-channel publishes, and ONLY when |
156 | | - # `latest` currently points at a prerelease version. It tries to |
157 | | - # repoint `latest` to the highest existing stable. If no stable |
158 | | - # exists yet (the pre-stable phase, i.e. before the first |
159 | | - # `channel=latest` release), it emits a warning and exits 0. |
160 | | - # |
161 | | - # Like the verify step above, this is INFORMATIONAL only — |
162 | | - # it never fails the workflow and never blocks tag/release. |
163 | | - # npm dist-tag add is a write operation NOT covered by OIDC |
164 | | - # trusted publishing (OIDC only covers npm publish). Still |
165 | | - # needs the static token. |
166 | | - - name: Reconcile latest dist-tag (dev publishes) |
167 | | - if: steps.publish.outcome == 'success' && steps.version.outputs.channel == 'dev' |
168 | | - env: |
169 | | - VERSION: ${{ steps.version.outputs.version }} |
170 | | - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
171 | | - run: | |
172 | | - set -euo pipefail |
173 | | - PKG="@kilocode/openclaw-security-advisor" |
174 | | -
|
175 | | - # Read dist-tags via the registry HTTP endpoint (faster |
176 | | - # propagation than `npm view` which has a separate cache layer |
177 | | - # and can return stale data for 30-90s after a publish). |
178 | | - # Retry up to 3x with 5s backoff in case the dist-tags entry |
179 | | - # itself hasn't propagated yet. |
180 | | - fetch_latest_dist_tag() { |
181 | | - curl -s "https://registry.npmjs.org/-/package/$PKG/dist-tags" 2>/dev/null | node -e ' |
182 | | - let s = ""; |
183 | | - process.stdin.on("data", d => s += d); |
184 | | - process.stdin.on("end", () => { |
185 | | - try { console.log(JSON.parse(s).latest || ""); } |
186 | | - catch { console.log(""); } |
187 | | - }); |
188 | | - ' || echo "" |
189 | | - } |
190 | | -
|
191 | | - LATEST="" |
192 | | - for attempt in 1 2 3; do |
193 | | - LATEST=$(fetch_latest_dist_tag) |
194 | | - if [ -n "$LATEST" ]; then |
195 | | - break |
196 | | - fi |
197 | | - if [ "$attempt" -lt 3 ]; then |
198 | | - echo " dist-tags query attempt $attempt/3 returned empty, retrying in 5s..." |
199 | | - sleep 5 |
200 | | - fi |
201 | | - done |
202 | | - echo "Current dist-tags.latest: ${LATEST:-<unset>}" |
203 | | -
|
204 | | - # If `latest` is empty or already a stable version (no `-`), |
205 | | - # there's nothing to reconcile. |
206 | | - case "$LATEST" in |
207 | | - "") |
208 | | - echo "::notice::dist-tags.latest is unset; nothing to reconcile" |
209 | | - exit 0 |
210 | | - ;; |
211 | | - *-*) |
212 | | - : # prerelease — fall through to reconciliation |
213 | | - ;; |
214 | | - *) |
215 | | - echo "::notice::dist-tags.latest is already a stable version ($LATEST); nothing to reconcile" |
216 | | - exit 0 |
217 | | - ;; |
218 | | - esac |
219 | | -
|
220 | | - # Find the highest stable version on the registry. Handles |
221 | | - # both shapes of `npm view ... versions --json`: a string for |
222 | | - # single-version packages, an array for multi-version. |
223 | | - HIGHEST_STABLE=$(npm view "$PKG" versions --json 2>/dev/null | node -e ' |
224 | | - let s = ""; |
225 | | - process.stdin.on("data", d => s += d); |
226 | | - process.stdin.on("end", () => { |
227 | | - try { |
228 | | - const data = JSON.parse(s); |
229 | | - const arr = Array.isArray(data) ? data : [data]; |
230 | | - const stable = arr.filter(x => typeof x === "string" && !x.includes("-")); |
231 | | - if (!stable.length) process.exit(42); |
232 | | - stable.sort((a, b) => a.localeCompare(b, undefined, { numeric: true })); |
233 | | - console.log(stable[stable.length - 1]); |
234 | | - } catch { |
235 | | - process.exit(43); |
236 | | - } |
237 | | - }); |
238 | | - ') || HIGHEST_STABLE="" |
239 | | -
|
240 | | - if [ -z "$HIGHEST_STABLE" ]; then |
241 | | - echo "::warning::No stable version of $PKG exists on the registry yet. npm auto-assigned dist-tags.latest to the just-published dev version ($LATEST) because --tag dev alone cannot prevent it on a first publish. Users must opt in to the dev channel explicitly: 'openclaw plugins install $PKG@dev' or 'npm install $PKG@dev'. This is expected and non-fatal until the first stable (channel=latest) release ships, at which point this step will repoint latest automatically." |
242 | | - exit 0 |
243 | | - fi |
244 | | -
|
245 | | - echo "Highest stable on registry: $HIGHEST_STABLE — repointing latest..." |
246 | | - for i in 1 2 3; do |
247 | | - if npm dist-tag add "$PKG@$HIGHEST_STABLE" latest; then |
248 | | - echo "::notice::Repointed dist-tags.latest from $LATEST to $HIGHEST_STABLE" |
249 | | - exit 0 |
250 | | - fi |
251 | | - if [ "$i" -lt 3 ]; then |
252 | | - echo " attempt $i/3 failed, retrying in 5s..." |
253 | | - sleep 5 |
254 | | - fi |
255 | | - done |
256 | | - echo "::warning::Failed to repoint dist-tags.latest to $HIGHEST_STABLE after 3 attempts. Manual fix: npm dist-tag add $PKG@$HIGHEST_STABLE latest" |
257 | | - exit 0 |
258 | | -
|
259 | 139 | - name: Configure git identity |
260 | 140 | if: steps.publish.outcome == 'success' |
261 | 141 | run: | |
|
0 commit comments