Skip to content

Commit 0581920

Browse files
AlexMikhalevclaude
andcommitted
fix(ci): use OIDC provenance and skip napi prepublish
- Add --provenance flag for OIDC trusted publishing - Add --ignore-scripts to skip napi prepublish (avoids release creation) - Remove debug token output Terraphim AI Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
1 parent 060f8e1 commit 0581920

1 file changed

Lines changed: 4 additions & 11 deletions

File tree

.github/workflows/publish-bun.yml

Lines changed: 4 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -452,23 +452,16 @@ jobs:
452452
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
453453
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
454454
run: |
455-
# Debug: verify token is set (shows first/last 4 chars only)
456-
if [[ -n "$NODE_AUTH_TOKEN" ]]; then
457-
echo "NODE_AUTH_TOKEN is set: ${NODE_AUTH_TOKEN:0:8}...${NODE_AUTH_TOKEN: -4}"
458-
else
459-
echo "ERROR: NODE_AUTH_TOKEN is not set!"
460-
exit 1
461-
fi
462-
463455
if [[ "${{ inputs.dry_run }}" == "true" ]]; then
464456
echo "Dry run mode - checking package only"
465-
npm publish --dry-run --access public --tag ${{ steps.strategy.outputs.npm_tag }}
457+
npm publish --dry-run --access public --tag ${{ steps.strategy.outputs.npm_tag }} --provenance --ignore-scripts
466458
else
467459
echo "Publishing @terraphim/autocomplete to npm (Bun-compatible)"
468460
echo "Tag: ${{ steps.strategy.outputs.npm_tag }}"
469461
470-
# Publish with appropriate tag (GITHUB_TOKEN needed for napi prepublish)
471-
npm publish --access public --tag ${{ steps.strategy.outputs.npm_tag }}
462+
# Publish with provenance for OIDC trusted publishing
463+
# --ignore-scripts skips napi prepublish which tries to create GitHub releases
464+
npm publish --access public --tag ${{ steps.strategy.outputs.npm_tag }} --provenance --ignore-scripts
472465
473466
echo "Package published successfully! (Bun users can install with: bun add @terraphim/autocomplete)"
474467
fi

0 commit comments

Comments
 (0)