ci(npm): switch publish-npm.yml to OIDC Trusted Publishing#94

Merged
Davincc77 merged 1 commit into main from chore/publish-npm-trusted-publishing on May 30, 2026

Conversation

@Davincc77

Owner

Summary

Rewrites .github/workflows/publish-npm.yml from the legacy preview/NPM_TOKEN workflow into a manual, token-less npm Trusted Publishing (OIDC) workflow that publishes @klickd/core to the npm latest dist-tag.

The npm Trusted Publisher for @klickd/core is configured against this exact workflow file path, so the filename is intentionally preserved (.github/workflows/publish-npm.yml).

What changed

  • Trigger: workflow_dispatch only — no tag/release/push triggers; never creates a tag or GitHub Release.
  • Auth: short-lived OIDC credentials via permissions: id-token: write + contents: read. No secrets.NPM_TOKEN / NODE_AUTH_TOKEN.
  • Node: Node 24 via actions/setup-node with registry-url: https://registry.npmjs.org and package-manager-cache: false.
  • npm: upgrades npm to a version that supports Trusted Publishing before publishing.
  • Version guard: refuses to publish unless package.json version equals the expected_version input (default 4.0.3) and is not a pre-release (preview/alpha/beta/rc/-), since this publishes to latest.
  • Pre-publish verification: npm install -> npm test -> npm run build -> npm run verify:tarball (CJS+ESM smoke test) -> starter-skills presence + npm pack content checks.
  • Publish: npm publish --tag latest --access public via OIDC.

Notes on related workflows

This file is now the canonical latest publisher. The older publish-npm-latest.yml and publish-npm-4.0.3.yml still exist and use NPM_TOKEN; they are left untouched per the constraint that only publish-npm.yml may change. Since the Trusted Publisher is bound to this filename, this is the workflow to use going forward. No version bump was made — the package remains 4.0.3.

Install path

packages/@klickd/core has no committed lockfile and is not an npm workspace, so the established install path (npm install) is retained rather than npm ci.

Testing

Ran locally inside packages/@klickd/core:

  • npm install (pass)
  • npm test (pass)
  • npm run build (pass)
  • npm run verify:tarball CJS + ESM (pass)
  • npm pack --dry-run starter-skills content check (pass)
  • Workflow YAML validated with yaml.safe_load (pass)

No publish, tag, release, or secret was touched.

🤖 Generated with Claude Code

Replace the legacy preview/NPM_TOKEN publish workflow with a manual,
token-less publish to the npm `latest` dist-tag using npm Trusted
Publishing. The npm Trusted Publisher for @klickd/core is bound to this
exact workflow file path, so the filename is preserved.

- workflow_dispatch only; no tag/release/push triggers
- id-token: write + contents: read for short-lived OIDC credentials
- Node 24 via setup-node with registry-url and package-manager-cache: false
- upgrades npm to a version that supports Trusted Publishing
- guards published version against package.json and rejects pre-releases
- runs install + test + build + tarball/pack verification before publish
- publishes with `npm publish --access public` (no NODE_AUTH_TOKEN)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
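The version guard described in the summary (package.json version must equal the `expected_version` input and must not be a pre-release, because the workflow publishes to `latest`), written out as an added shell example. This is not the repository's workflow code: the `package_version` and `check_publish_version` function names, the argument convention, and the sample package.json files are my own assumptions.

```shell
#!/bin/sh
# Added example, not the project's publish-npm.yml: a pre-publish version guard
# suitable for a CI step that runs before `npm publish --tag latest`.

# Extract the "version" field from a package.json using sed only (no node/jq).
# Assumption: the field sits on its own line, as npm writes it.
package_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when the version in $1 equals the expected version $2 and is a
# stable release; return 1 with a reason on stderr otherwise, so the job
# stops before anything is published.
check_publish_version() {
  pkg_json="$1"
  expected="$2"
  actual="$(package_version "$pkg_json")"
  if [ -z "$actual" ]; then
    echo "version guard: no version found in $pkg_json" >&2
    return 1
  fi
  if [ "$actual" != "$expected" ]; then
    echo "version guard: package.json is $actual, expected $expected" >&2
    return 1
  fi
  # Any "-" suffix is a semver pre-release; the name checks catch non-standard
  # forms such as 4.0.3rc1 that would otherwise land on the latest dist-tag.
  case "$actual" in
    *-*|*preview*|*alpha*|*beta*|*rc*)
      echo "version guard: $actual is a pre-release; refusing to publish to latest" >&2
      return 1 ;;
  esac
  return 0
}

# Constructed sample inputs (not files from the repository).
TMP="$(mktemp -d)"
printf '{\n  "name": "@klickd/core",\n  "version": "4.0.3"\n}\n' > "$TMP/stable.json"
printf '{\n  "name": "@klickd/core",\n  "version": "4.1.0-preview.1"\n}\n' > "$TMP/preview.json"

# In a workflow step the non-zero return alone is enough to fail the job.
check_publish_version "$TMP/stable.json" "4.0.3" && echo "guard passed: 4.0.3 is publishable"
if ! check_publish_version "$TMP/preview.json" "4.1.0-preview.1" 2>/dev/null; then
  echo "guard blocked: 4.1.0-preview.1 must not go to latest"
fi
```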
@Davincc77 Davincc77 merged commit d160ec9 into main May 30, 2026
3 checks passed
@Davincc77 Davincc77 deleted the chore/publish-npm-trusted-publishing branch May 30, 2026 11:36