ci(satp-hermes): stop publishing to npmjs; GPR-only + idempotent#4539
Merged
Conversation
sandeepnRES
approved these changes
Jul 3, 2026
Contributor
|
Agreed, but this is already partially addressed here: #4532 |
The satp npm workflow published to npmjs.org with a legacy NPM_TOKEN that now 401s. npm moved to OIDC trusted publishing, but a package may have only one trusted publisher and npm matches it against the top-level workflow, not a reusable child. The repo-wide publish-npm.yaml already is that single trusted publisher and publishes every non-private package (satp included) on v* tags. So this pipeline can neither reuse nor duplicate that publisher for npmjs. Remove the npmjs publish job entirely: npmjs is owned by publish-npm.yaml on releases, and this workflow now publishes dev/release builds only to the GitHub Package Registry (GITHUB_TOKEN). No npm tokens anywhere. Also add an idempotency guard to the GitHub Packages publish: dev versions are keyed on the short SHA, so re-running the pipeline on an unchanged commit republishes an identical version and the registry 409s. Skip when the exact version already exists. Drop the now-unused id-token: write from this workflow and the caller pipeline. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Signed-off-by: Ry Jones <ry@linux.com>
2395edb to
55697a4
Compare
Contributor
Author
|
@RafaelAPB I rebased on main to remove the merged commit |
RafaelAPB
approved these changes
Jul 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The satp npm workflow published to npmjs.org with a legacy NPM_TOKEN that now 401s. npm moved to OIDC trusted publishing, but a package may have only one trusted publisher and npm matches it against the top-level workflow, not a reusable child. The repo-wide publish-npm.yaml already is that single trusted publisher and publishes every non-private package (satp included) on v* tags.
So this pipeline can neither reuse nor duplicate that publisher for npmjs. Remove the npmjs publish job entirely: npmjs is owned by publish-npm.yaml on releases, and this workflow now publishes dev/release builds only to the GitHub Package Registry (GITHUB_TOKEN). No npm tokens anywhere.
Also add an idempotency guard to the GitHub Packages publish: dev versions are keyed on the short SHA, so re-running the pipeline on an unchanged commit republishes an identical version and the registry 409s. Skip when the exact version already exists.
Drop the now-unused id-token: write from this workflow and the caller pipeline.
Pull Request Requirements
upstream/mainbranch and squashed into single commit to help maintainers review it more efficiently and to avoid spaghetti git commit graphs that obfuscate which commit did exactly what change, when, and why.Signed-off-by: Name <email>) to certify the Developer Certificate of Origin (DCO). Use the-sflag withgit commit. See signing commits for more information. AI agents must not add Signed-off-by tags — only the human submitter may certify the DCO (see AI Guidelines §7).Assisted-bytag in the commit message per the AI Guidelines §2.2 (e.g.,Assisted-by: GitHub-Copilot:claude-opus-4). All AI-generated code must be human-reviewed before submission.Character Limit
A Must Read for Beginners
For rebasing and squashing, here's a must read guide for beginners.