Skip to content

ci(satp-hermes): stop publishing to npmjs; GPR-only + idempotent#4539

Merged
RafaelAPB merged 1 commit into
mainfrom
ci/satp-hermes-npm-idempotent-publish
Jul 4, 2026
Merged

ci(satp-hermes): stop publishing to npmjs; GPR-only + idempotent#4539
RafaelAPB merged 1 commit into
mainfrom
ci/satp-hermes-npm-idempotent-publish

Conversation

@ryjones

@ryjones ryjones commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

The satp npm workflow published to npmjs.org with a legacy NPM_TOKEN that now 401s. npm moved to OIDC trusted publishing, but a package may have only one trusted publisher and npm matches it against the top-level workflow, not a reusable child. The repo-wide publish-npm.yaml already is that single trusted publisher and publishes every non-private package (satp included) on v* tags.

So this pipeline can neither reuse nor duplicate that publisher for npmjs. Remove the npmjs publish job entirely: npmjs is owned by publish-npm.yaml on releases, and this workflow now publishes dev/release builds only to the GitHub Package Registry (GITHUB_TOKEN). No npm tokens anywhere.

Also add an idempotency guard to the GitHub Packages publish: dev versions are keyed on the short SHA, so re-running the pipeline on an unchanged commit republishes an identical version and the registry 409s. Skip when the exact version already exists.

Drop the now-unused id-token: write from this workflow and the caller pipeline.

Pull Request Requirements

  • Rebased onto upstream/main branch and squashed into single commit to help maintainers review it more efficiently and to avoid spaghetti git commit graphs that obfuscate which commit did exactly what change, when, and why.
  • Have git sign-off at the end of the commit message (Signed-off-by: Name <email>) to certify the Developer Certificate of Origin (DCO). Use the -s flag with git commit. See signing commits for more information. AI agents must not add Signed-off-by tags — only the human submitter may certify the DCO (see AI Guidelines §7).
  • Follow the Conventional Commits specification for commit linting.
  • If AI tools were used, include an Assisted-by tag in the commit message per the AI Guidelines §2.2 (e.g., Assisted-by: GitHub-Copilot:claude-opus-4). All AI-generated code must be human-reviewed before submission.
  • Read and followed the Pull Request Guidelines.

Note: PRs that do not satisfy the requirements above will fail the
DCO checker and/or the commit lint CI checks and cannot be merged.

Character Limit

  • Pull Request Title and Commit Subject must not exceed 72 characters (including spaces and special characters).
  • Commit Message per line must not exceed 80 characters (including spaces and special characters).

A Must Read for Beginners
For rebasing and squashing, here's a must read guide for beginners.

@ryjones ryjones changed the title ci(satp-hermes): stop publishing to npmjs; GPR-only + idempotent ci(satp-hermes): use secret for Docker Hub login username Jul 3, 2026
@RafaelAPB

Copy link
Copy Markdown
Contributor

Agreed, but this is already partially addressed here: #4532
In the PR above we remove npm publishing (normal process already publishes there); however we still need to update the docker token

The satp npm workflow published to npmjs.org with a legacy NPM_TOKEN that now
401s. npm moved to OIDC trusted publishing, but a package may have only one
trusted publisher and npm matches it against the top-level workflow, not a
reusable child. The repo-wide publish-npm.yaml already is that single trusted
publisher and publishes every non-private package (satp included) on v* tags.

So this pipeline can neither reuse nor duplicate that publisher for npmjs.
Remove the npmjs publish job entirely: npmjs is owned by publish-npm.yaml on
releases, and this workflow now publishes dev/release builds only to the GitHub
Package Registry (GITHUB_TOKEN). No npm tokens anywhere.

Also add an idempotency guard to the GitHub Packages publish: dev versions are
keyed on the short SHA, so re-running the pipeline on an unchanged commit
republishes an identical version and the registry 409s. Skip when the exact
version already exists.

Drop the now-unused id-token: write from this workflow and the caller pipeline.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Ry Jones <ry@linux.com>
@ryjones ryjones force-pushed the ci/satp-hermes-npm-idempotent-publish branch from 2395edb to 55697a4 Compare July 3, 2026 22:11
@ryjones ryjones changed the title ci(satp-hermes): use secret for Docker Hub login username ci(satp-hermes): stop publishing to npmjs; GPR-only + idempotent Jul 3, 2026
@ryjones

ryjones commented Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

@RafaelAPB I rebased on main to remove the merged commit

@RafaelAPB RafaelAPB merged commit 07f2292 into main Jul 4, 2026
141 of 156 checks passed
@RafaelAPB RafaelAPB deleted the ci/satp-hermes-npm-idempotent-publish branch July 4, 2026 09:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants