Skip to content

ci: dispatch publish as a top-level run for trusted publishing#7

Merged
merencia merged 2 commits into
masterfrom
fix-publish-entry
Jun 22, 2026
Merged

ci: dispatch publish as a top-level run for trusted publishing#7
merencia merged 2 commits into
masterfrom
fix-publish-entry

Conversation

@merencia

@merencia merencia commented Jun 22, 2026

Copy link
Copy Markdown
Member

Fixes the auto-publish that failed with a 404 on the 2.0.0 release (the manual publish worked, 2.0.0 is on npm).

Why it failed

npm trusted publishing matches the entry (top-level) workflow of the run, configured here as publish.yml.

  • Auto publish called publish.yml as a reusable workflow from release-please.yml, so the entry workflow was release-please.yml → no match → 404.
  • Manual workflow_dispatch had publish.yml as the entry → matched → published.

The fix (no PAT needed)

  • release-please.yml now dispatches publish.yml via gh workflow run once it cuts a release, instead of calling it as a reusable workflow. The publish then runs as its own top-level run with publish.yml as the entry, so trusted publishing matches.
  • A GITHUB_TOKEN cannot trigger push/release events, but workflow_dispatch is the documented exception, so this works without a personal access token.
  • publish.yml drops the now-unused workflow_call trigger; workflow_dispatch serves both manual and automatic publishes.

Effect

Merging a chore(master): release X.Y.Z PR will: tag vX.Y.Z → create the GitHub Release → dispatch publish.yml → publish to npm with provenance. No npmjs.com reconfiguration needed (it stays pointed at publish.yml).

The same fix applies to node-cron's auto-publish wiring (its #577), which has the identical reusable-workflow issue.


Also in this PR: drop the release-as bootstrap

release-as: 2.0.0 forced the first release. Now that 2.0.0 is published, it is removed so future release PRs compute the version from Conventional Commits instead of repeatedly proposing 2.0.0.

merencia added 2 commits June 22, 2026 17:45
The auto-publish called publish.yml as a reusable workflow, so the run's
entry workflow was release-please.yml. npm trusted publishing matches the
top-level (entry) workflow, which is configured as publish.yml, so the
reusable call was rejected (404) while a manual workflow_dispatch worked.

release-please now dispatches publish.yml via 'gh workflow run' once a
release is cut, so the publish runs as its own top-level run with
publish.yml as the entry. The GITHUB_TOKEN can trigger workflow_dispatch
(the documented exception to the no-recursive-runs rule), so no PAT is
needed. publish.yml drops the now-unused workflow_call trigger.
release-as forced the first release to 2.0.0; with 2.0.0 out, leaving it
would make every later release PR keep proposing 2.0.0. Versions are now
computed from Conventional Commits as usual.
@merencia merencia merged commit 3bbfa08 into master Jun 22, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant