ci: fix oidc publishing (#441)

Vadman97 · web-flow · commit 26a5c9fdc9ff · 2026-03-27T13:14:58.000-05:00
## Summary `yarn npm publish` does not support oidc. ## How did you test this change?  ## Are there any deployment considerations?   --- > [!NOTE] > **Medium Risk** > Changes the release publishing path from `yarn publish` to per-workspace `npm publish`, which can impact automated releases if workspace filtering, tags, or error handling behave differently. > > **Overview** > Switches the publish script from `yarn publish` to `npm publish` so releases can use npm's native OIDC authentication (including `--provenance`). > > The script now enumerates publishable `@launchdarkly/*` workspaces (excluding internal packages and examples), applies an optional `prerelease` dist-tag, and tolerates "already published" errors to support partial retry runs. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit bdb6629. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
diff --git a/scripts/publish-npm.sh b/scripts/publish-npm.sh
@@ -1,11 +1,44 @@
 #!/bin/bash -ex
+
+# Publishes @launchdarkly/* npm packages using the npm CLI.
+# Uses npm's native OIDC support for authentication (requires npm >= 11.5.1).
+
 if $LD_RELEASE_IS_DRYRUN ; then
   echo "Doing a dry run of publishing."
-else
-  if $LD_RELEASE_IS_PRERELEASE ; then
-    echo "Publishing with prerelease tag."
-    yarn publish --tag prerelease || { echo "npm publish failed" >&2; exit 1; }
-  else
-    yarn publish || { echo "npm publish failed" >&2; exit 1; }
-  fi
-fi
+  exit 0
+fi
+
+# Get the list of publishable @launchdarkly workspaces from yarn,
+# excluding the root workspace and internal-only packages.
+WORKSPACES=$(yarn workspaces list --json | \
+  node -e "
+    const lines = require('fs').readFileSync('/dev/stdin','utf8').trim().split('\n');
+    const exclude = new Set(['@launchdarkly/observability-sdk', '@launchdarkly/observability-shared']);
+    for (const line of lines) {
+      const {name, location} = JSON.parse(line);
+      if (name.startsWith('@launchdarkly/') && !exclude.has(name) && !location.includes('/example')) {
+        console.log(location);
+      }
+    }
+  ")
+
+TAG_ARGS=""
+if $LD_RELEASE_IS_PRERELEASE ; then
+  echo "Publishing with prerelease tag."
+  TAG_ARGS="--tag prerelease"
+fi
+
+for workspace in $WORKSPACES; do
+  echo "Publishing $workspace..."
+  # npm returns 403 when a version is already published. Tolerate this to allow
+  # partial retries (matching the old yarn --tolerate-republish behavior).
+  OUTPUT=$(npm publish "./$workspace" --access public --provenance $TAG_ARGS 2>&1) || {
+    if echo "$OUTPUT" | grep -q "You cannot publish over the previously published versions"; then
+      echo "Already published $workspace, skipping."
+    else
+      echo "$OUTPUT" >&2
+      echo "npm publish failed for $workspace" >&2
+      exit 1
+    fi
+  }
+done
