diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 11e29c6..199f011 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,9 +1,8 @@ name: Release # Publish to npm + cut a GitHub Release when a version tag is pushed. -# Flow: bump package.json → merge to main → `git tag v0.1.5 && git push --tags`. -# Auth via OIDC trusted publishing (no NPM_TOKEN); requires id-token: write -# and the GitHub Actions trusted publisher registered on the npm package. +# Flow: bump package.json → merge to main → `git tag vX.Y.Z && git push origin vX.Y.Z`. +# Auth via repo secret NPM_TOKEN (automation token with publish + bypass-2FA). on: push: tags: ['v*.*.*'] @@ -11,7 +10,6 @@ on: permissions: contents: write # cut the GitHub Release - id-token: write # mint the OIDC token for npm trusted publishing jobs: publish: @@ -34,10 +32,6 @@ jobs: - name: Install run: bun install --frozen-lockfile - # Trusted publishing needs npm >= 11.5.1; Node 20 ships npm 10.x. - - name: Upgrade npm for trusted publishing - run: npm install -g npm@latest - # The prepublishOnly gate runs the full test suite, which includes # pre-commit-hook.test.ts — that asserts the hook is installed. - name: Install git hooks @@ -55,10 +49,10 @@ jobs: # `npm publish` runs prepublishOnly (build + tests + gen:check + compat + # migrations) before uploading, so the gate is enforced here too. - # Auth is via OIDC (id-token: write above) — no token env needed. - # Provenance is attached automatically when publishing over OIDC. - name: Publish to npm run: npm publish --access public + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Create GitHub Release if: github.event_name == 'push' diff --git a/CHANGELOG.md b/CHANGELOG.md index e9e1a63..f889d94 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
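Review bot: The rewritten header comment names the secret but not its blast radius: a long-lived `NPM_TOKEN` with publish + bypass-2FA can publish any version of this package from any job that can read repository secrets, whereas the OIDC binding it replaces was tied to this workflow and repository. I would extend the comment to state the token's scope and lifecycle, e.g. `# NPM_TOKEN: granular access token scoped to this package only, with an expiry;` / `# rotate it whenever the set of people who can modify this workflow changes.` The second hunk also removes `id-token: write`, which the old comments tied to the provenance attestation; the new comment should say explicitly that provenance is no longer attached unless the publish step is changed to request it.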
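Review bot: `npm publish --access public` now authenticates with a static token but no longer produces a signed provenance attestation, which the two removed comment lines just above it noted came for free over OIDC; `npm publish --access public --provenance` restores the attestation with token auth on GitHub Actions, but it requires the `id-token: write` permission that the second hunk deletes, so that line should be kept if provenance is wanted. Separately, `NODE_AUTH_TOKEN` is only consumed if the Node setup step (outside this hunk) writes an `.npmrc` that references it — typically `actions/setup-node` with `registry-url` set; if no such step exists the publish runs unauthenticated and fails only at upload time, so it is worth confirming that setup before tagging the next release. The `publish` job begins before this hunk, so the setup step cannot be verified from here.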
@@ -11,9 +11,6 @@ All notable changes to Rig are documented here. The format follows ### Added - `rig ` now suggests the closest command ("Did you mean `rig serve`?"), and maps agent names to `install` (`rig claude` → `rig install claude`). -### Changed -- Release workflow publishes to npm via **OIDC trusted publishing** (signed provenance, no `NPM_TOKEN` secret). Requires a trusted publisher registered on the npm package. - ## [0.1.5] - 2026-05-26 ### Added