ci: dispatch publish as a top-level run for trusted publishing#7
Merged
Conversation
The auto-publish called publish.yml as a reusable workflow, so the run's entry workflow was release-please.yml. npm trusted publishing matches the top-level (entry) workflow, which is configured as publish.yml, so the reusable call was rejected (404) while a manual workflow_dispatch worked. release-please now dispatches publish.yml via 'gh workflow run' once a release is cut, so the publish runs as its own top-level run with publish.yml as the entry. The GITHUB_TOKEN can trigger workflow_dispatch (the documented exception to the no-recursive-runs rule), so no PAT is needed. publish.yml drops the now-unused workflow_call trigger.
release-as forced the first release to 2.0.0; with 2.0.0 out, leaving it would make every later release PR keep proposing 2.0.0. Versions are now computed from Conventional Commits as usual.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes the auto-publish that failed with a 404 on the 2.0.0 release (the manual publish worked, 2.0.0 is on npm).
Why it failed
npm trusted publishing matches the entry (top-level) workflow of the run, configured here as
publish.yml.publish.ymlas a reusable workflow fromrelease-please.yml, so the entry workflow wasrelease-please.yml→ no match → 404.workflow_dispatchhadpublish.ymlas the entry → matched → published.The fix (no PAT needed)
release-please.ymlnow dispatchespublish.ymlviagh workflow runonce it cuts a release, instead of calling it as a reusable workflow. The publish then runs as its own top-level run withpublish.ymlas the entry, so trusted publishing matches.GITHUB_TOKENcannot triggerpush/releaseevents, butworkflow_dispatchis the documented exception, so this works without a personal access token.publish.ymldrops the now-unusedworkflow_calltrigger;workflow_dispatchserves both manual and automatic publishes.Effect
Merging a
chore(master): release X.Y.ZPR will: tagvX.Y.Z→ create the GitHub Release → dispatchpublish.yml→ publish to npm with provenance. No npmjs.com reconfiguration needed (it stays pointed atpublish.yml).The same fix applies to node-cron's auto-publish wiring (its #577), which has the identical reusable-workflow issue.
Also in this PR: drop the
release-asbootstraprelease-as: 2.0.0forced the first release. Now that 2.0.0 is published, it is removed so future release PRs compute the version from Conventional Commits instead of repeatedly proposing 2.0.0.