ci(npm): switch publish-npm.yml to OIDC Trusted Publishing#94
Merged
Conversation
Replace the legacy preview/NPM_TOKEN publish workflow with a manual, token-less publish to the npm `latest` dist-tag using npm Trusted Publishing. The npm Trusted Publisher for @klickd/core is bound to this exact workflow file path, so the filename is preserved.

- workflow_dispatch only; no tag/release/push triggers
- id-token: write + contents: read for short-lived OIDC credentials
- Node 24 via setup-node with registry-url and package-manager-cache: false
- upgrades npm to a version that supports Trusted Publishing
- guards published version against package.json and rejects pre-releases
- runs install + test + build + tarball/pack verification before publish
- publishes with `npm publish --access public` (no NODE_AUTH_TOKEN)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary

Rewrites .github/workflows/publish-npm.yml from the legacy preview/NPM_TOKEN workflow into a manual, token-less npm Trusted Publishing (OIDC) workflow that publishes @klickd/core to the npm latest dist-tag.

The npm Trusted Publisher for @klickd/core is configured against this exact workflow file path, so the filename is intentionally preserved (.github/workflows/publish-npm.yml).

What changed

- workflow_dispatch only — no tag/release/push triggers; never creates a tag or GitHub Release.
- permissions: id-token: write + contents: read. No secrets.NPM_TOKEN / NODE_AUTH_TOKEN.
- actions/setup-node with registry-url: https://registry.npmjs.org and package-manager-cache: false.
- package.json version equals the expected_version input (default 4.0.3) and is not a pre-release (preview/alpha/beta/rc/-), since this publishes to latest.
- npm install -> npm test -> npm run build -> npm run verify:tarball (CJS+ESM smoke test) -> starter-skills presence + npm pack content checks.
- npm publish --tag latest --access public via OIDC.

Notes on related workflows

This file is now the canonical latest publisher. The older publish-npm-latest.yml and publish-npm-4.0.3.yml still exist and use NPM_TOKEN; they are left untouched per the constraint that only publish-npm.yml may change. Since the Trusted Publisher is bound to this filename, this is the workflow to use going forward. No version bump was made — the package remains 4.0.3.

Install path

packages/@klickd/core has no committed lockfile and is not an npm workspace, so the established install path (npm install) is retained rather than npm ci.

Testing

Ran locally inside packages/@klickd/core:

- npm install (pass)
- npm test (pass)
- npm run build (pass)
- npm run verify:tarball CJS + ESM (pass)
- npm pack --dry-run starter-skills content check (pass)

No publish, tag, release, or secret was touched.

🤖 Generated with Claude Code
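The PR text describes the shape of the new workflow but the page does not show the file itself. The following is an added example of a workflow that matches that description; it is not the merged publish-npm.yml and not code from the klickd project. Assumed, because the page does not state them: actions/checkout@v4, actions/setup-node@v5 (package-manager-cache is a v5 input), a project script named verify:tarball, and that the packed files the "starter-skills presence" check looks for live under a starter-skills/ directory.

```yaml
# Added example matching the PR description, not the merged workflow file.
# Assumptions: actions/checkout@v4, actions/setup-node@v5, a "verify:tarball" npm script,
# and a "starter-skills/" directory inside the packed tarball.
name: publish-npm

on:
  workflow_dispatch:
    inputs:
      expected_version:
        description: Version package.json must contain (must not be a pre-release)
        required: true
        default: "4.0.3"

# The only credential is the per-run OIDC token; no repository secret is read.
permissions:
  id-token: write
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    defaults:
      run:
        working-directory: packages/@klickd/core
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v5
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org
          package-manager-cache: false   # no committed lockfile, so nothing to key a cache on

      # Trusted Publishing needs a recent npm (11.5.1 or newer at the time of writing).
      - run: npm install -g npm@latest

      - name: Refuse to publish the wrong version or a pre-release to latest
        env:
          EXPECTED: ${{ inputs.expected_version }}
        run: |
          set -eu
          ACTUAL="$(node -p "require('./package.json').version")"
          if [ "$ACTUAL" != "$EXPECTED" ]; then
            echo "package.json version is $ACTUAL, expected $EXPECTED" >&2
            exit 1
          fi
          case "$ACTUAL" in
            *-*|*preview*|*alpha*|*beta*|*rc*)
              echo "refusing to publish pre-release $ACTUAL to the latest dist-tag" >&2
              exit 1 ;;
          esac

      - run: npm install
      - run: npm test
      - run: npm run build
      - run: npm run verify:tarball

      - name: Check the packed tarball contains the starter-skills directory (assumed path)
        run: |
          set -eu
          npm pack --dry-run --json | grep -q '"path": *"starter-skills/' \
            || { echo "starter-skills/ missing from tarball" >&2; exit 1; }

      # No NODE_AUTH_TOKEN: npm exchanges the job's OIDC token for a short-lived publish credential.
      - run: npm publish --tag latest --access public
```

Two things to keep in mind when adapting this. The Trusted Publisher entry on npmjs.com matches on repository and workflow filename, which is why the PR keeps publish-npm.yml; renaming the file silently breaks publishing until the entry is updated. And id-token: write lets every step in the job request an OIDC token, so pin the third-party actions in the job and keep their number to the minimum needed to build and test.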