From 427c7832d3dcc3f147b29c005cdc45b98e489a35 Mon Sep 17 00:00:00 2001 From: Tyler Benfield Date: Fri, 12 Jun 2026 13:02:23 -0400 Subject: [PATCH] Fix npm trusted publishing workflows --- .github/workflows/publish-cli.yml | 10 ++++++---- .github/workflows/publish-compute.yml | 10 ++++++---- AGENTS.md | 1 + .../adrs/0001-preview-package-and-publishing.md | 2 +- 4 files changed, 14 insertions(+), 9 deletions(-) diff --git a/.github/workflows/publish-cli.yml b/.github/workflows/publish-cli.yml index 14c45d4..ca31698 100644 --- a/.github/workflows/publish-cli.yml +++ b/.github/workflows/publish-cli.yml @@ -36,7 +36,8 @@ jobs: - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node-version-file: .node-version + node-version: 24 + registry-url: https://registry.npmjs.org - name: Install dependencies run: pnpm install --frozen-lockfile @@ -55,7 +56,7 @@ jobs: - name: Publish dev package to npm working-directory: packages/cli - run: pnpm publish --access public --tag dev --provenance --no-git-checks + run: npm publish --access public --tag dev --provenance - name: Summarize dev publish run: | @@ -93,7 +94,8 @@ jobs: - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node-version-file: .node-version + node-version: 24 + registry-url: https://registry.npmjs.org - name: Install dependencies run: pnpm install --frozen-lockfile @@ -137,7 +139,7 @@ jobs: - name: Publish official package to npm if: ${{ !inputs.dry_run }} working-directory: packages/cli - run: pnpm publish --access public --tag latest --provenance --no-git-checks + run: npm publish --access public --tag latest --provenance - name: Create release tag if: ${{ !inputs.dry_run }} diff --git a/.github/workflows/publish-compute.yml b/.github/workflows/publish-compute.yml index 7275ec7..e77a39d 100644 --- a/.github/workflows/publish-compute.yml +++ b/.github/workflows/publish-compute.yml @@ -36,7 +36,8 @@ jobs: - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node-version-file: .node-version + node-version: 24 + registry-url: https://registry.npmjs.org - name: Install dependencies run: pnpm install --frozen-lockfile @@ -55,7 +56,7 @@ jobs: - name: Publish dev package to npm working-directory: packages/compute - run: pnpm publish --access public --tag dev --provenance --no-git-checks + run: npm publish --access public --tag dev --provenance - name: Summarize dev publish run: | @@ -93,7 +94,8 @@ jobs: - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0 with: - node-version-file: .node-version + node-version: 24 + registry-url: https://registry.npmjs.org - name: Install dependencies run: pnpm install --frozen-lockfile @@ -137,7 +139,7 @@ jobs: - name: Publish official package to npm if: ${{ !inputs.dry_run }} working-directory: packages/compute - run: pnpm publish --access public --tag latest --provenance --no-git-checks + run: npm publish --access public --tag latest --provenance - name: Create release tag if: ${{ !inputs.dry_run }} diff --git a/AGENTS.md b/AGENTS.md index d3183fd..4fd4429 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -14,6 +14,7 @@ Use this file for repo-wide instructions. Use package-local `AGENTS.md` files fo ## Package Manager - Use `pnpm` for commands run inside this repo. +- Exception: use `npm publish` for npm release workflow publish steps so npm trusted publishing can use its OIDC authentication flow. - Use `npm` or multiple package-manager examples in user-facing content. ## Pre-Commit Verification diff --git a/docs/architecture/adrs/0001-preview-package-and-publishing.md b/docs/architecture/adrs/0001-preview-package-and-publishing.md index c114f45..65b1477 100644 --- a/docs/architecture/adrs/0001-preview-package-and-publishing.md +++ b/docs/architecture/adrs/0001-preview-package-and-publishing.md @@ -37,7 +37,7 @@ The publish workflow is prepared for npm trusted publishing with provenance. Official releases publish with: ```bash -pnpm publish --access public --tag latest --provenance +npm publish --access public --tag latest --provenance ``` Local development should build and inspect the package, but should not publish it.