Commit d508336

joaoh82 and claude authored
docs(release-secrets): document sqlrite-notes trusted publisher + Repository-field gotcha (SQLR-13) (#157)
The sqlrite-notes npm trusted publisher had its Repository field set to the package's npmjs access-page URL instead of the bare repo name, so the OIDC subject claim (repo:joaoh82/rust_sqlite:environment:release) never matched the record and every publish-notes-example run failed with "OIDC token exchange error - package not found". It only surfaced once #156 made the release idempotent and a re-dispatch finally attempted the first-ever sqlrite-notes publish.

- §3c: mark the trusted publisher resolved (first shipped at 0.11.0) and add a gotcha callout — set Repository to exactly `rust_sqlite`, no owner prefix, no URL.
- §3b: strengthen the canonical Repository-field note to warn against pasting a URL (not just the owner-prefixed form), pointing at §3c.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent f3d80eb commit d508336

1 file changed

Lines changed: 24 additions & 2 deletions

docs/release-secrets.md

@@ -163,8 +163,12 @@ For each placeholder you just published:
163163
3. **Add publisher**:
164164
- **Publisher**: GitHub Actions
165165
- **Organization or user**: `joaoh82`
166-
- **Repository**: `rust_sqlite` *(repo basename, not
167-
`joaoh82/rust_sqlite` — npm prepends the owner field)*
166+
- **Repository**: `rust_sqlite` *(repo basename only — not
167+
`joaoh82/rust_sqlite` (npm prepends the owner field), and
168+
definitely not a full URL like the package's
169+
`npmjs.com/package/…/access` page. Pasting that URL into this
170+
field is exactly what silently broke the `sqlrite-notes`
171+
publish — see §3c.)*
168172
- **Workflow filename**: `release.yml` *(basename, not
169173
`.github/workflows/release.yml`)*
170174
- **Environment**: `release` *(case-sensitive — must match the
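Review bot: In the rewritten **Repository** bullet, "silently broke" contradicts the §3c callout added in this same commit, which says every `publish-notes-example` run failed with `OIDC token exchange error - package not found`; the failure was misleading, not silent. The parenthetical also now nests a second pair of parentheses inside a six-line italic span, which buries the rule a reader needs at setup time. Suggest keeping the bullet to the rule itself (repo basename only, no owner prefix, no URL) with a pointer to §3c, and leaving the incident detail in §3c.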
@@ -233,6 +237,24 @@ and amend the repo per the note above.
233237
**Verify**: status flips from "pending" to "active" after the
234238
first successful CI publish.
235239

240+
**Status (resolved — SQLR-13, June 2026):** `sqlrite-notes` is
241+
configured and publishing via OIDC; it shipped its first real version
242+
at `0.11.0`.
243+
244+
> **Gotcha that bit us (SQLR-13):** the trusted-publisher **Repository**
245+
> field had been set to the package's npmjs access-page URL
246+
> (`https://www.npmjs.com/package/sqlrite-notes/access`) instead of the
247+
> bare repo name. The OIDC subject claim the workflow sends is
248+
> `repo:joaoh82/rust_sqlite:environment:release`, so it didn't match the
249+
> record, and every `publish-notes-example` run failed with `OIDC token
250+
> exchange error - package not found` (npm's misleading 404 for "no
251+
> trusted publisher matches your token's claims"). This surfaced only
252+
> when [#156](https://github.com/joaoh82/rust_sqlite/pull/156) made the
253+
> release idempotent and a re-dispatch finally *attempted* the
254+
> first-ever `sqlrite-notes` publish — before that, the wave had always
255+
> died earlier and never reached this job. **Fix:** Edit the publisher
256+
> and set Repository to exactly `rust_sqlite` — no owner prefix, no URL.
257+
236258
---
237259

238260
## 4. GitHub `release` environment
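Review bot: The gotcha callout ties the `package not found` error to the Repository field only, but its own explanation (npm's 404 for "no trusted publisher matches your token's claims") covers any mismatch between the publisher record and the claim `repo:joaoh82/rust_sqlite:environment:release`. Suggest adding one sentence telling a reader who hits this error to re-check every field from the Add publisher step (Organization or user, Repository, Workflow filename, Environment), not just Repository. Separately, the error message is wrapped across two quoted lines inside its inline code span, so searching the doc for the exact string will miss it; keep it on one line.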
