Adjusted based on OpenRouter extensive rework.

Alain Picard · Alain Picard · commit fbd17d9faa31 · 2025-12-28T19:28:55.000Z
Their comments: Latest commit: Upgrade npm to support OIDC Trusted Publishing (OpenRouterTeam#231) npm v10.8.2 (bundled with Node 20.x) predates Trusted Publishing support. npm CLI v11.5.1+ is required for OIDC authentication with --provenance flag. Evidence: CI publish failed with ENEEDAUTH despite id-token: write and correct workflow setup. npm fell back to token auth and found none. Add explicit npm upgrade step before publish to ensure OIDC works. Previous: Migrate npm OIDC (OpenRouterTeam#230) * refactor: migrate to OIDC for npm package publishing Replace token-based authentication with OpenID Connect (OIDC) for enhanced security: - Remove NPM_TOKEN from changesets action environment - Enable automatic provenance generation (NPM_CONFIG_PROVENANCE) - Set NODE_AUTH_TOKEN to empty string to force OIDC authentication - Keep diagnostic step for troubleshooting auth issues This requires configuring npm Trusted Publisher on npmjs.com for the repository. * refactor: restructure publish workflow to support OIDC properly Split changesets/action into versioning-only step and separate publish step to avoid .npmrc token mutation that would block OIDC. This ensures npm uses Trusted Publisher authentication instead of legacy token-based auth. Key changes: - changesets/action now only runs version step (no publish input) - Added OIDC preflight step to scrub any auth tokens from .npmrc before publishing - Separated publish into dedicated step with pnpm changeset-publish - Added post-mortem diagnostics for troubleshooting publish failures The id-token: write permission remains enabled for OIDC token generation. Registry setup and package.json publish script already include provenance. * fix: harden OIDC workflow with publish gate and comprehensive preflight Address three critical risks identified during code review: 1. Gate publish step to run only when no changesets exist - Prevents wasteful runs and log noise when version PR is created - Ensures publish only runs on merge commits (when hasChangesets == 'false') - .github/workflows/publish.yaml:74 2. Harden preflight to scrub all .npmrc locations and auth forms - Iterate over all potential locations: NPM_CONFIG_USERCONFIG, ~/.npmrc, .npmrc - Remove both registry-scoped (_authToken, _auth=) and global (always-auth) forms - Prevents stray .npmrc from blocking OIDC authentication - .github/workflows/publish.yaml:45-52 3. Make whoami check robust with exit code instead of grep - Check npm whoami exit code (0 = logged in, non-zero = not logged in) - Avoids reliance on fragile message matching across npm versions - Verify registry config (including @openrouter scope) - .github/workflows/publish.yaml:62-71 4. Enhance post-mortem diagnostics - Log registry configuration for both global and @openrouter scope - Redact .npmrc contents to aid forensics without exposing secrets - Check all three potential .npmrc locations - .github/workflows/publish.yaml:92-101 With these changes, the workflow is hardened against OIDC authentication failures. * refine: use extended regex patterns for comprehensive .npmrc token scrubbing Improve sed patterns to handle edge cases in token removal: - Registry-scoped tokens: Allow optional whitespace around = sign sed -i -E '/\/\/registry\.npmjs\.org\/:(_authToken|_auth)\s*=/d' - Global tokens: Match _authToken or _auth anywhere on a line with leading whitespace sed -i -E '/^\s*(_authToken|_auth)\s*=/d' - Global always-auth: Case-insensitive with optional spacing sed -i -E '/^\s*[Aa]lways-[Aa]uth\s*=/d' This closes the gap where npm could treat whitespace-padded or variant token lines as a signal to use legacy token auth instead of OIDC. Extended regex (-E) enables more flexible matching without sacrificing readability. Addresses edge case identified during workflow review.
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -1,32 +1,100 @@
-name: Publish package
+name: Release
 on:
-  release:
-    types: [published]
-  workflow_dispatch: {}
+  push:
+    branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+
+permissions: {}
+
 jobs:
-  build:
+  release:
+    name: Release
     runs-on: ubuntu-latest
+    timeout-minutes: 30
     permissions:
-      contents: read
-      packages: write
+      contents: write
       id-token: write
+      pull-requests: write
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v4
+      - uses: actions/setup-node@v4
         with:
           node-version: "24.x"
           registry-url: "https://registry.npmjs.org"
           scope: "@alpic80"
-      - uses: pnpm/action-setup@v4
-      - run: pnpm install --frozen-lockfile
-      - run: pnpm typecheck
-      - run: pnpm build
-      - name: Publish to npm
+          cache: pnpm
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+      - name: Upgrade npm for OIDC support
+        run: npm install -g npm@latest
+      - name: Create Release Pull Request or Publish
+        id: changesets
+        uses: changesets/action@v1
+        with:
+          version: pnpm changeset-version
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: OIDC preflight - scrub .npmrc and verify registry
         run: |
-          if [ "${{ github.event.release.prerelease }}" = "true" ]; then
-            NODE_AUTH_TOKEN="" pnpm publish --provenance --access public --no-git-checks --tag beta
+          echo "=== OIDC Preflight ==="
+
+          # Remove auth tokens from all potential .npmrc locations to ensure OIDC is used
+          for npmrc in "$NPM_CONFIG_USERCONFIG" ~/.npmrc .npmrc; do
+            if [ -n "$npmrc" ] && [ -f "$npmrc" ]; then
+              echo "Cleaning $npmrc of any existing auth tokens..."
+              # Remove registry-scoped tokens (allow optional whitespace around =)
+              sed -i -E '/\/\/registry\.npmjs\.org\/:(_authToken|_auth)\s*=/d' "$npmrc"
+              # Remove global tokens in any form
+              sed -i -E '/^\s*(_authToken|_auth)\s*=/d' "$npmrc"
+              # Remove global always-auth (case-insensitive, allow spacing)
+              sed -i -E '/^\s*[Aa]lways-[Aa]uth\s*=/d' "$npmrc"
+            fi
+          done
+          # Verify npm connectivity
+          echo "Testing npm registry connectivity..."
+          npm ping || exit 1
+          # Verify no token is active (should fail for OIDC to work)
+          echo "Verifying no auth token is configured..."
+          if npm whoami >/dev/null 2>&1; then
+            echo "⚠ Warning: npm whoami succeeded without OIDC token"
           else
-            NODE_AUTH_TOKEN="" pnpm publish --provenance --access public --no-git-checks
+            echo "✓ Confirmed: npm whoami failed (OIDC will be used)"
           fi
+          echo ""
+          echo "Registry configuration:"
+          npm config get registry
+          npm config get @alpic80:registry || echo "  (no @alpic80 scope override)"
+      - name: Publish with OIDC
+        if: steps.changesets.outputs.hasChangesets == 'false'
+        run: pnpm changeset-publish
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Post-mortem diagnostics
+        if: failure()
+        run: |
+          echo "=== Post-mortem Diagnostics ==="
+          echo "Versions:"
+          echo "  Node: $(node --version)"
+          echo "  npm: $(npm --version)"
+          echo "  pnpm: $(pnpm --version)"
+          echo ""
+          echo "Registry configuration:"
+          echo "  registry: $(npm config get registry)"
+          echo "  @alpic80 scope: $(npm config get @alpic80:registry || echo '(inherited from global)')"
+          echo ""
+          echo ".npmrc files status:"
+          for npmrc in "$NPM_CONFIG_USERCONFIG" ~/.npmrc .npmrc; do
+            if [ -n "$npmrc" ] && [ -f "$npmrc" ]; then
+              echo "  $npmrc:"
+              echo "    Lines: $(wc -l < "$npmrc")"
+              echo "    Auth lines: $(grep -c "_auth\|_token" "$npmrc" || echo "0")"
+              echo "    Content (redacted):"
+              sed 's/\(_auth[^=]*=\).*/\1***REDACTED***/g; s/\(_token[^=]*=\).*/\1***REDACTED***/g' "$npmrc" | sed 's/^/      /'
+            fi
+          done
+          echo ""
+          echo "Package availability:"
+          npm view @alpic80/ai-sdk-provider@latest version 2>&1 || echo "  (could not fetch)"
diff --git a/.npmrc b/.npmrc
diff --git a/package.json b/package.json
@@ -2,6 +2,12 @@
   "name": "@alpic80/rivet-ai-sdk-provider",
   "version": "2.0.5",
   "license": "Apache-2.0",
+  "pnpm": {
+    "overrides": {
+      "glob": ">=10.5.0 <11",
+      "js-yaml": "^3.14.2"
+    }
+  },
   "sideEffects": false,
   "main": "./dist/index.js",
   "module": "./dist/index.mjs",
@@ -20,23 +26,34 @@
     "test": "pnpm test:node && pnpm test:edge",
     "test:edge": "vitest --config vitest.edge.config.ts --run",
     "test:node": "vitest --config vitest.node.config.ts --run",
-    "test:e2e": "vitest --config vitest.e2e.config.ts --run"
+    "test:e2e": "vitest --config vitest.e2e.config.ts --run",
+    "changeset": "changeset",
+    "changeset-version": "changeset version",
+    "changeset-publish": "pnpm build && pnpm test && changeset publish --provenance"
   },
   "exports": {
     "./package.json": "./package.json",
     ".": {
       "types": "./dist/index.d.ts",
       "import": "./dist/index.mjs",
       "require": "./dist/index.js"
+    },
+    "./internal": {
+      "types": "./dist/internal/index.d.ts",
+      "import": "./dist/internal/index.mjs",
+      "module": "./dist/internal/index.mjs",
+      "require": "./dist/internal/index.js"
     }
   },
   "devDependencies": {
     "@ai-sdk/provider": "2.0.0",
     "@ai-sdk/provider-utils": "3.0.12",
-    "@biomejs/biome": "2.2.6",
+    "@biomejs/biome": "2.3.7",
+    "@changesets/changelog-github": "0.5.1",
+    "@changesets/cli": "2.29.7",
     "@edge-runtime/vm": "5.0.0",
     "@types/node": "24.8.1",
-    "ai": "5.0.76",
+    "ai": "5.0.104",
     "dotenv": "17.2.3",
     "tsup": "8.5.0",
     "typescript": "5.9.3",
@@ -56,7 +73,8 @@
   },
   "homepage": "https://github.com/castortech/rivet-ai-sdk-provider",
   "repository": {
-    "url": "https://github.com/castortech/rivet-ai-sdk-provider"
+		"type": "git",
+    "url": "git+https://github.com/castortech/rivet-ai-sdk-provider.git"
   },
   "bugs": {
     "url": "https://github.com/castortech/rivet-ai-sdk-provider/issues"
