Skip to content

ci: publish RC via OIDC, retire token-based rc.yml#111

Merged
technophile-04 merged 2 commits into
mainfrom
rc-oidc-migration
Jun 4, 2026
Merged

ci: publish RC via OIDC, retire token-based rc.yml#111
technophile-04 merged 2 commits into
mainfrom
rc-oidc-migration

Conversation

@technophile-04

@technophile-04 technophile-04 commented Jun 3, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

release.yml already publishes main via OIDC trusted publishing (provenance, published by GitHub Actions since 0.1.6), but rc.yml never got that migration. It still runs the old NPM_TOKEN path — no id-token permission, no registry-url, node 20 — so the RC channel either fails or publishes unsigned token releases while main goes out tokenless. This folds the release-candidate trigger into release.yml and deletes rc.yml.

Concretely

  • release.yml now triggers on release-candidate as well as main. npm trusted publishing is keyed to repo + workflow filename, so reusing release.yml means RC publishes through the publisher npm already trusts — no new npm-side config, no token.
  • Deleted rc.yml. Its token auth predates the OIDC work (last touched in merge release-candidate  #56, before allow permission for oidc #84/gh-actions: add link to repo-url + configure permissions #87 moved main to OIDC). Keeping a second workflow is exactly how it drifted out of sync, so we retire it rather than re-patch it.
  • Pre mode stays per-branch: main cuts normal releases, release-candidate (after changeset pre enter rc) cuts -rc.N versions on the rc dist-tag, leaving latest untouched.

Why

We want a tight loop for shipping pre-release versions to test against scaffold-eth-2 before they reach latest — first use being the squared/edgy redesign (#110), which we want to validate end to end in a real SE-2 app. With this, SE-2 installs @rc and sees changes without affecting anyone on stable.

Cutting an RC (after this merges)

git switch -c release-candidate origin/main
pnpm changeset pre enter rc        # keeps the RC off `latest`
git merge remove-rounded           # bring in the redesign (#110)
pnpm changeset                     # add it here: components + debug-contracts, minor
git push -u origin release-candidate

The changesets action opens a Version Packages PR against release-candidate; merging it publishes the -rc.N via OIDC to the rc tag. Then in SE-2: set both packages to "rc" and pnpm install.

Sanity check the first run with npm dist-tag ls @scaffold-ui/components — the new version should land on rc, with latest unchanged. If pre enter rc was skipped it'd cut a normal release instead, so that's the one thing to confirm.

@vercel

vercel Bot commented Jun 3, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
scaffold-ui-docs Ready Ready Preview, Comment Jun 3, 2026 5:12am
scaffold-ui-example Ready Ready Preview, Comment Jun 3, 2026 5:12am

Request Review

@technophile-04 technophile-04 requested a review from rin-st June 3, 2026 06:51
@rin-st

rin-st commented Jun 3, 2026

Copy link
Copy Markdown
Member

Lgtm, thank you!

@technophile-04 technophile-04 merged commit 824081d into main Jun 4, 2026
3 checks passed
@technophile-04 technophile-04 deleted the rc-oidc-migration branch June 4, 2026 06:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rin-st rin-st rin-st approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@technophile-04 @rin-st