ci: tokenless OIDC trusted publishing via npm (bun pm pack)#21
Merged
Conversation
bun publish supports neither npm OIDC trusted publishing nor --provenance (oven-sh/bun#22423), so the publish job failed with 'missing authentication'. Switch the publisher to the npm CLI:
- bun pm pack builds the tarball, npm publish --provenance uploads it
- actions/setup-node provisions the registry .npmrc + an npm new enough for provenance; id-token: write grants the OIDC token
- npm view guards make the job idempotent (skip already-published vers)
- add the missing @pleaseai/code-style (cli) publish step — it was stuck at 0.0.1 on npm while the manifest tracks 0.0.3
Note: Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.
Authenticate to npm purely via OIDC: id-token: write mints the token, a trusted publisher configured on npmjs.com authorizes it. Removes the NODE_AUTH_TOKEN/NPM_TOKEN secret entirely.
- ensure npm >= 11.5.1 (OIDC trusted-publishing minimum) before publish
- no long-lived registry token in CI
Problem

The publish job fails with bun publish: error: missing authentication (failing run). bun publish supports neither npm OIDC trusted publishing nor --provenance (oven-sh/bun#22423, #24855).

Change: tokenless OIDC trusted publishing

Switch the publishing tool to the npm CLI and authenticate via OIDC only, with no long-lived token (NPM_TOKEN):
- bun pm pack creates the tarball → npm publish *.tgz --provenance --access public uploads it
- permissions: id-token: write → npm obtains an OIDC token and authenticates with it (no long-lived token needed)
- actions/setup-node (registry-url) configures the registry .npmrc
- npm view guard provides idempotency (already-published versions are skipped → safe to re-run)
- add a publish step for @pleaseai/code-style (cli): the manifest tracks 0.0.3, but npm was stuck at 0.0.1
- remove the NODE_AUTH_TOKEN/NPM_TOKEN secret dependency entirely

Tokenless OIDC only works when a trusted publisher is configured on the npm registry. For each published package, register the following at npmjs.com → Settings → Trusted Publishers:

| Package | Repository | Workflow |
|---|---|---|
| @pleaseai/eslint-config | pleaseai/code-style | release-please.yml |
| @pleaseai/prettier-config | pleaseai/code-style | release-please.yml |
| @pleaseai/code-style | pleaseai/code-style | release-please.yml |

Verification
- bun pm pack --dry-run to confirm the tarball names (glob matches pleaseai-eslint-config-<ver>.tgz etc.)
- @pleaseai/editorconfig is private: true → not a publish target
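As an added example (not the PR's own release-please.yml, nor any file from pleaseai/code-style), the following GitHub Actions job puts together the pieces the commit messages and the description above call for: id-token: write with no registry secret, actions/setup-node writing the registry .npmrc, a check that the runner's npm is at least 11.5.1 (the Node that setup-node installs ships an older npm, so it is upgraded first), an npm view guard that skips versions already on the registry, and bun pm pack followed by npm publish --provenance. The package directories under packages/, the tag trigger and the use of oven-sh/setup-bun are assumptions; each package's trusted publisher on npmjs.com must already point at this repository and this workflow file name, otherwise the OIDC exchange is refused and the job fails with an authentication error rather than falling back to a token.

```yaml
# Added example, not the PR's workflow file. Package directories are assumed.
name: publish

on:
  push:
    tags: ['v*']          # assumed trigger

permissions:
  contents: read
  id-token: write         # lets npm request a short-lived OIDC token; no NPM_TOKEN secret

jobs:
  publish:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        package:
          - packages/eslint-config     # assumed path of @pleaseai/eslint-config
          - packages/prettier-config   # assumed path of @pleaseai/prettier-config
          - packages/cli               # assumed path of @pleaseai/code-style
    steps:
      - uses: actions/checkout@v4

      - uses: oven-sh/setup-bun@v2     # provides bun for `bun pm pack`

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org   # writes the registry .npmrc

      - name: Ensure npm supports OIDC trusted publishing (>= 11.5.1)
        run: |
          npm install -g npm@latest
          v="$(npm --version)"
          # sort -V -C fails if 11.5.1 would sort after the installed version
          printf '%s\n%s\n' 11.5.1 "$v" | sort -V -C || { echo "npm $v is too old for OIDC"; exit 1; }

      - name: Pack and publish (skip if this version is already on npm)
        working-directory: ${{ matrix.package }}
        run: |
          name="$(node -p "require('./package.json').name")"
          version="$(node -p "require('./package.json').version")"
          # npm view prints the version only when it exists; `|| true` also covers
          # the 404 returned for a package that has never been published
          published="$(npm view "$name@$version" version 2>/dev/null || true)"
          if [ -n "$published" ]; then
            echo "$name@$version already published, skipping"
            exit 0
          fi
          bun pm pack
          npm publish ./*.tgz --provenance --access public
```

The guard checks the command's output rather than its exit status because npm view can exit 0 with empty output for a version that does not exist, so an exit-code-only check would wrongly skip the publish. Keeping contents: read alongside id-token: write means the job holds nothing more than it needs to check out the source and prove its identity to the registry.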