ci(release): repair workflow + migrate npm publish to OIDC Trusted Publishing [HELD: needs npm trusted-publisher setup]#9

Draft
MasonStation wants to merge 3 commits into main from ci/release-oidc-trusted-publishing

Conversation

@MasonStation (Contributor)

Warning

Held back — do not merge yet. Blocked on a one-time manual step on npmjs.com: configure a GitHub-Actions trusted publisher for each of the three packages (@ashlr/stack, @ashlr/stack-core, ashlr-stack-mcp) — org/repo ashlrai/ashlr-stack, workflow file release.yml. Until that's live, OIDC publish can't authenticate. Merging this first would point release.yml at OIDC that isn't configured.

What

Repairs the release pipeline and modernizes npm auth. Two commits:

  1. Repair startup failure — a multi-line git commit -m in the Homebrew-tap job terminated the YAML run: | block scalar early, leaking an Assisted-By stray top-level key. GitHub's schema validator rejected the whole file, so every push since the v0.2 polish produced a 0-second startup failure and the v0.2.0 npm publish never landed (npm stayed at 0.1.1). Collapsed to two -m flags. Also bumps @ashlr/stack(+core,+mcp) 0.2.0 → 0.2.1.
  2. OIDC Trusted Publishing — drops the long-lived NPM_TOKEN (expired, hit EOTP under 2FA) in favor of per-package GitHub-Actions trusted publishers. Adds npm install -g npm@latest (OIDC needs ≥ 11.5.1); keeps provenance. Relies on workflow-level id-token: write (present).

Verification

  • release.yml parses cleanly; top-level keys are only name, on, permissions, concurrency, jobs — the stray Assisted-By key is gone.
  • permissions includes id-token: write.
  • NPM_TOKEN / NODE_AUTH_TOKEN removed (remaining mentions are explanatory comments).

Scope

Split out of the bundled branch fix/interactive-auth-spinner-hang (old PR #7). The CLI flag fix landed in #6; the interactive-auth fix landed in #8. This PR is only the release/CI work and is intentionally held.

🤖 Generated with Claude Code

MasonStation and others added 3 commits June 20, 2026 00:34
fix(ci): repair release workflow startup failure + bump to 0.2.1

The homebrew-tap commit step embedded a multi-line `git commit -m` message
whose blank line + column-0 `Assisted-By:` trailer terminated the YAML
`run: |` block scalar early. That leaked `Assisted-By` as a stray top-level
workflow key — lenient parsers accept it, but GitHub Actions rejects the
unknown key and fails the whole file at startup. Every push since the v0.2
polish has produced a 0-second startup failure, and the v0.2.0 release never
published to npm as a result.

Collapse the message to two `-m` flags so it stays inside the block scalar.
Bump @ashlr/stack(+core,+mcp) 0.2.0 -> 0.2.1 for the next release.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
ci(release): publish via npm Trusted Publishing (OIDC) instead of a token

npm now recommends Trusted Publishing for CI/CD over long-lived tokens, and
all three packages already exist on npm so per-package trusted publishers can
be configured. This removes the NPM_TOKEN secret entirely — the credential
that expired, risked leaking, and hit EOTP on the v0.2.0 release.

- publish-npm: drop the NPM_TOKEN gate, NODE_AUTH_TOKEN, and npm_otp plumbing
  (publish.sh never accepted --otp anyway — it would have died on the unknown
  arg); add `npm install -g npm@latest` for OIDC support (needs >= 11.5.1);
  keep provenance. Relies on workflow-level id-token: write (already present).
- scripts/publish.sh is unchanged: `npm publish --access public` uses OIDC
  automatically when the trusted publisher is configured.

Requires a one-time GitHub-Actions trusted publisher on each package at
npmjs.com (org/repo = ashlrai/ashlr-stack, workflow file = release.yml).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
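An added check, not code from this PR or the project, that reproduces the YAML failure described in the PR description and the first commit message (a column-0 trailer in a multi-line `git commit -m` ending the `run: |` block scalar) and then runs the three items from the Verification list over constructed workflow fragments. The job name and the `some-tool` trailer value are made up for the example.

```python
import re

# Constructed workflow fragment reproducing the failure the PR describes: the
# column-0 "Assisted-By:" trailer inside the multi-line commit message ends the
# `run: |` block scalar early and surfaces as a top-level workflow key.
BROKEN = """\
name: release
on: push
permissions:
  id-token: write
jobs:
  homebrew-tap:
    runs-on: ubuntu-latest
    steps:
      - run: |
          git commit -m "chore: bump formula

Assisted-By: some-tool"
"""
# Same job with the message collapsed to two -m flags, as the fix does.
FIXED = BROKEN.replace(
    'git commit -m "chore: bump formula\n\nAssisted-By: some-tool"',
    'git commit -m "chore: bump formula" -m "Assisted-By: some-tool"')

ALLOWED_TOP_LEVEL = {"name", "on", "permissions", "concurrency", "jobs"}

def top_level_keys(text):
    # A non-blank line at column 0 terminates every indented block scalar, so
    # any column-0 `key:` is necessarily a top-level mapping key.
    return re.findall(r"^([\w.-]+):", text, re.M)

def check_workflow(text):
    """Return the problems the PR's verification list would flag (empty = OK)."""
    problems = [f"unknown top-level key: {k}"
                for k in top_level_keys(text) if k not in ALLOWED_TOP_LEVEL]
    perms = re.search(r"^permissions:\n((?:[ \t]+\S.*\n?)*)", text, re.M)
    if not (perms and re.search(r"^\s+id-token:\s*write\b", perms.group(1), re.M)):
        problems.append("permissions lacks id-token: write")
    for line in text.splitlines():
        code = line.split("#", 1)[0]          # explanatory comments are allowed
        problems += [f"token still referenced: {t}"
                     for t in ("NPM_TOKEN", "NODE_AUTH_TOKEN") if t in code]
    return problems
```

Running `check_workflow` over the real `release.yml` before and after the fix would report the leaked `Assisted-By` key on the old file and nothing on the repaired one.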
@vercel

vercel Bot commented Jun 20, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
ashlr-stack Ready Ready Preview, Comment Jun 20, 2026 4:36am
