|
1 | 1 | name: Publish to npm |
2 | 2 |
|
3 | | -# We intentionally use npm publish (not bun publish) for releases because npm currently |
4 | | -# provides the trusted publishing OIDC + provenance path used by this workflow. |
| 3 | +# We intentionally use npm publish (not bun publish) for releases because npm handles |
| 4 | +# workspace-aware publishing and registry auth reliably. |
5 | 5 | # Bun remains the package manager/build tool in this repo; npm is used only for final |
6 | | -# registry publication security guarantees. |
| 6 | +# registry publication. |
7 | 7 |
|
8 | 8 | on: |
9 | 9 | workflow_call: |
|
31 | 31 | needs: [build-binaries] |
32 | 32 | permissions: |
33 | 33 | contents: read |
34 | | - id-token: write # Required so npm can verify GitHub OIDC identity and issue provenance attestations. |
35 | 34 | steps: |
36 | 35 | - uses: actions/checkout@v6 |
37 | 36 | with: |
@@ -135,52 +134,53 @@ jobs: |
135 | 134 | packages/cli-node-linux-arm64-musl \ |
136 | 135 | packages/core \ |
137 | 136 | packages/cli-node; do |
138 | | - echo "Dry-run publishing ${pkg} with npm provenance" |
139 | | - npm publish --workspace "${pkg}" --dry-run --access public --provenance >/dev/null |
| 137 | + echo "Dry-run publishing ${pkg}" |
| 138 | + npm publish --workspace "${pkg}" --dry-run --access public >/dev/null |
140 | 139 | done |
141 | 140 |
|
142 | 141 | - name: Build Node packages |
143 | 142 | run: | |
144 | 143 | bun run --cwd packages/cli-node build |
145 | 144 |
|
146 | | - - name: Verify OIDC environment for npm trusted publishing |
147 | | - run: | |
148 | | - set -euo pipefail |
149 | | -
|
150 | | - if [[ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" || -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]]; then |
151 | | - echo "Error: GitHub OIDC token environment is unavailable." |
152 | | - echo "Ensure this job has permissions.id-token=write and runs on a GitHub-hosted runner." |
153 | | - exit 1 |
154 | | - fi |
155 | | -
|
156 | | - echo "OIDC environment detected for npm trusted publishing." |
157 | | -
|
158 | | - # Use npm publish with --provenance so npm can generate attestations from this |
159 | | - # workflow's OIDC identity. With trusted publishing, npm uses OIDC for auth. |
160 | | - # --provenance preserves explicit attestation intent for this release path. |
161 | 145 | - name: Publish @opencode-cloud/cli-node-darwin-arm64 |
162 | | - run: npm publish --workspace packages/cli-node-darwin-arm64 --access public --provenance |
| 146 | + run: npm publish --workspace packages/cli-node-darwin-arm64 --access public |
| 147 | + env: |
| 148 | + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
163 | 149 |
|
164 | 150 | - name: Publish @opencode-cloud/cli-node-darwin-x64 |
165 | | - run: npm publish --workspace packages/cli-node-darwin-x64 --access public --provenance |
| 151 | + run: npm publish --workspace packages/cli-node-darwin-x64 --access public |
| 152 | + env: |
| 153 | + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
166 | 154 |
|
167 | 155 | - name: Publish @opencode-cloud/cli-node-linux-x64 |
168 | | - run: npm publish --workspace packages/cli-node-linux-x64 --access public --provenance |
| 156 | + run: npm publish --workspace packages/cli-node-linux-x64 --access public |
| 157 | + env: |
| 158 | + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
169 | 159 |
|
170 | 160 | - name: Publish @opencode-cloud/cli-node-linux-arm64 |
171 | | - run: npm publish --workspace packages/cli-node-linux-arm64 --access public --provenance |
| 161 | + run: npm publish --workspace packages/cli-node-linux-arm64 --access public |
| 162 | + env: |
| 163 | + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
172 | 164 |
|
173 | 165 | - name: Publish @opencode-cloud/cli-node-linux-x64-musl |
174 | | - run: npm publish --workspace packages/cli-node-linux-x64-musl --access public --provenance |
| 166 | + run: npm publish --workspace packages/cli-node-linux-x64-musl --access public |
| 167 | + env: |
| 168 | + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
175 | 169 |
|
176 | 170 | - name: Publish @opencode-cloud/cli-node-linux-arm64-musl |
177 | | - run: npm publish --workspace packages/cli-node-linux-arm64-musl --access public --provenance |
| 171 | + run: npm publish --workspace packages/cli-node-linux-arm64-musl --access public |
| 172 | + env: |
| 173 | + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
178 | 174 |
|
179 | 175 | - name: Publish @opencode-cloud/core |
180 | | - run: npm publish --workspace packages/core --access public --provenance |
| 176 | + run: npm publish --workspace packages/core --access public |
| 177 | + env: |
| 178 | + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
181 | 179 |
|
182 | 180 | - name: Publish opencode-cloud |
183 | | - run: npm publish --workspace packages/cli-node --access public --provenance |
| 181 | + run: npm publish --workspace packages/cli-node --access public |
| 182 | + env: |
| 183 | + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
184 | 184 |
|
185 | 185 | - name: Summary |
186 | 186 | run: | |
|
0 commit comments