Skip to content

chore: publish to npmjs.org via OIDC#23

Merged
RobinBol merged 3 commits into
masterfrom
chore/publish-to-npmjs
May 18, 2026
Merged

chore: publish to npmjs.org via OIDC#23
RobinBol merged 3 commits into
masterfrom
chore/publish-to-npmjs

Conversation

@RobinBol

@RobinBol RobinBol commented May 18, 2026

Copy link
Copy Markdown
Contributor

Switches the publish target from GitHub Packages to npmjs.org so the package can be installed by anyone without configuring authentication. GitHub Packages npm-registry rejects anonymous reads even for public packages.

Changes

  • New publish workflow (publish-package-npm.yaml, replaces gpr-publish.yaml). Publishes to registry.npmjs.org via OIDC Trusted Publisher with --provenance, no NPM_TOKEN secret needed. Triggers: push to production (real publish) or workflow_dispatch (dry-run). The real-publish step is gated on both event_name == 'push' and the production ref so a manual dispatch from production cannot accidentally run a real publish alongside the dry-run.
  • package.json: adds publishConfig.access: public (required for a public scoped package).
  • README.md: drops the .npmrc install snippet and updates the Publishing section. Consumers can now npm i --save-dev @athombv/jsdoc-template straight from the default registry.
  • update-dependents.yaml:
    • Trigger reference points at the new workflow name (Publish to NPM).
    • When opening a PR in a dependent repo, also strips any leftover @athombv:registry=https://npm.pkg.github.com / _authToken lines from a committed .npmrc and removes the file if nothing meaningful remains. Only athombv/node-homey-log and athombv/node-homey-zigbeedriver currently have such a file; none of the 11 dependents use any other @athombv/* package, so dropping the scope mapping is safe.

Sequence

  1. Before merge - configure a Trusted Publisher on npmjs.org for @athombv/jsdoc-template pointing at athombv/jsdoc-template and workflow filename publish-package-npm.yaml.
  2. Merge this PR.
  3. Bump the version on master via the Version workflow (1.7.0).
  4. Merge master into production - triggers the first publish to npmjs.org.
  5. update-dependents.yaml fires automatically after the publish and opens one PR per dependent. Each PR bumps the @athombv/jsdoc-template version, strips the legacy .npmrc mapping (where present), and regenerates package-lock.json so it resolves the package from npmjs.org instead of GitHub Packages URLs - all in a single commit.

Superseded PRs

- Replace GitHub Packages publish workflow with OIDC publish to
  registry.npmjs.org based on the node-homey template.
- Add publishConfig.access:public required for a public scoped package.
- Remove .npmrc instructions from README; the default npm registry now
  serves the package without any consumer-side config.
- Update update-dependents workflow to point at the new publish workflow
  and strip the legacy @athombv -> GitHub Packages mapping from any
  dependent .npmrc when bumping the version.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Switches the package's publish pipeline from GitHub Packages to npmjs.org using npm's OIDC Trusted Publisher flow, and adjusts the dependent-update workflow to clean up the no-longer-needed @athombv → GitHub Packages .npmrc mapping in downstream repos.

Changes:

  • Replace gpr-publish.yaml with publish-package-npm.yml (push to production publishes via OIDC, workflow_dispatch is meant as dry-run; adds publishConfig.access: public in package.json).
  • Update update-dependents.yaml to trigger off the new workflow name and strip stale @athombv:registry/npm.pkg.github.com lines from each dependent's .npmrc, removing the file when empty.
  • Update README to drop the .npmrc install instructions and reflect the new npmjs.org publish path.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
README.md Removes the GitHub Packages .npmrc setup section and updates the Publishing section to mention npmjs.org via OIDC.
package.json Adds publishConfig.access: public so the scoped package is publishable as public on npmjs.org.
.github/workflows/publish-package-npm.yml New workflow that builds and publishes (or dry-runs) the package to npmjs.org with id-token: write for OIDC.
.github/workflows/update-dependents.yaml Retargets the workflow_run trigger to the new workflow name and replaces the GH Packages .npmrc write with sed-based cleanup plus a git add -A for .npmrc.
.github/workflows/gpr-publish.yaml Deleted; superseded by publish-package-npm.yml.
Comments suppressed due to low confidence (2)

.github/workflows/publish-package-npm.yml:66

  • On workflow_dispatch, the Publish step's condition github.ref == 'refs/heads/production' will also evaluate to true whenever the workflow is dispatched from the production branch (which is the default branch for this workflow's push trigger and a likely place to dispatch from). That means both the dry-run step and the real publish step would execute back-to-back, defeating the stated intent that workflow_dispatch should be dry-run only. Gate the publish step on github.event_name == 'push' (and optionally the branch), so the two steps are mutually exclusive.
      - name: Publish dry run
        if: github.event_name == 'workflow_dispatch'
        run: npm publish --dry-run

      - name: Publish
        if: github.ref == 'refs/heads/production'
        run: npm publish

.github/workflows/publish-package-npm.yml:66

  • The publish workflow has no guard against republishing the same version. If production is updated without a prior version bump (or the Version workflow is forgotten), npm publish will fail mid-run and the failure won't be obvious until after npm ci and npm run build have already executed. Consider adding a preflight step that checks whether package.json's version already exists on the registry (npm view <pkg>@<version> version) and exits early with a clear message when it does, mirroring the kind of safety check the README's "Publishing" section assumes.
      - name: Publish dry run
        if: github.event_name == 'workflow_dispatch'
        run: npm publish --dry-run

      - name: Publish
        if: github.ref == 'refs/heads/production'
        run: npm publish

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/publish-package-npm.yaml
Comment thread .github/workflows/update-dependents.yaml Outdated
Comment thread .github/workflows/publish-package-npm.yaml
- Use Node 24 in publish workflow so the bundled npm (>=11.5.1) supports
  OIDC for Trusted Publisher; Node 20 ships npm 10.x and would fail auth.
- Rename publish-package-npm.yml to .yaml for consistency with the other
  workflows in this repo, before any Trusted Publisher binding to the
  filename gets created on npmjs.org.
- Replace the redundant git add with a guarded stage that only touches
  .npmrc when it exists or is tracked, and stops swallowing real errors.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.

Comment thread .github/workflows/publish-package-npm.yaml Outdated
Comment thread .github/workflows/publish-package-npm.yaml
Comment thread .github/workflows/update-dependents.yaml
Comment thread .github/workflows/update-dependents.yaml
Comment thread .github/workflows/publish-package-npm.yaml Outdated
- Guard the real publish step on both event_name=push and the production
  ref so a manual workflow_dispatch from production cannot trigger both
  the dry-run and the real publish in one run.
- Pass --provenance to both publish invocations to attach an OIDC-backed
  provenance attestation, which is the main reason to migrate to npm's
  Trusted Publishers.
@RobinBol RobinBol marked this pull request as ready for review May 18, 2026 09:58
@RobinBol RobinBol merged commit ed2c316 into master May 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants