chore: publish to npmjs.org via OIDC#23
Merged
Merged
Conversation
- Replace GitHub Packages publish workflow with OIDC publish to registry.npmjs.org based on the node-homey template. - Add publishConfig.access:public required for a public scoped package. - Remove .npmrc instructions from README; the default npm registry now serves the package without any consumer-side config. - Update update-dependents workflow to point at the new publish workflow and strip the legacy @athombv -> GitHub Packages mapping from any dependent .npmrc when bumping the version.
There was a problem hiding this comment.
Pull request overview
Switches the package's publish pipeline from GitHub Packages to npmjs.org using npm's OIDC Trusted Publisher flow, and adjusts the dependent-update workflow to clean up the no-longer-needed @athombv → GitHub Packages .npmrc mapping in downstream repos.
Changes:
- Replace
gpr-publish.yamlwithpublish-package-npm.yml(push toproductionpublishes via OIDC,workflow_dispatchis meant as dry-run; addspublishConfig.access: publicinpackage.json). - Update
update-dependents.yamlto trigger off the new workflow name and strip stale@athombv:registry/npm.pkg.github.comlines from each dependent's.npmrc, removing the file when empty. - Update README to drop the
.npmrcinstall instructions and reflect the new npmjs.org publish path.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| README.md | Removes the GitHub Packages .npmrc setup section and updates the Publishing section to mention npmjs.org via OIDC. |
| package.json | Adds publishConfig.access: public so the scoped package is publishable as public on npmjs.org. |
| .github/workflows/publish-package-npm.yml | New workflow that builds and publishes (or dry-runs) the package to npmjs.org with id-token: write for OIDC. |
| .github/workflows/update-dependents.yaml | Retargets the workflow_run trigger to the new workflow name and replaces the GH Packages .npmrc write with sed-based cleanup plus a git add -A for .npmrc. |
| .github/workflows/gpr-publish.yaml | Deleted; superseded by publish-package-npm.yml. |
Comments suppressed due to low confidence (2)
.github/workflows/publish-package-npm.yml:66
- On
workflow_dispatch, thePublishstep's conditiongithub.ref == 'refs/heads/production'will also evaluate to true whenever the workflow is dispatched from theproductionbranch (which is the default branch for this workflow'spushtrigger and a likely place to dispatch from). That means both the dry-run step and the real publish step would execute back-to-back, defeating the stated intent thatworkflow_dispatchshould be dry-run only. Gate the publish step ongithub.event_name == 'push'(and optionally the branch), so the two steps are mutually exclusive.
- name: Publish dry run
if: github.event_name == 'workflow_dispatch'
run: npm publish --dry-run
- name: Publish
if: github.ref == 'refs/heads/production'
run: npm publish
.github/workflows/publish-package-npm.yml:66
- The publish workflow has no guard against republishing the same version. If
productionis updated without a prior version bump (or the Version workflow is forgotten),npm publishwill fail mid-run and the failure won't be obvious until afternpm ciandnpm run buildhave already executed. Consider adding a preflight step that checks whetherpackage.json's version already exists on the registry (npm view <pkg>@<version> version) and exits early with a clear message when it does, mirroring the kind of safety check the README's "Publishing" section assumes.
- name: Publish dry run
if: github.event_name == 'workflow_dispatch'
run: npm publish --dry-run
- name: Publish
if: github.ref == 'refs/heads/production'
run: npm publish
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This was referenced May 18, 2026
- Use Node 24 in publish workflow so the bundled npm (>=11.5.1) supports OIDC for Trusted Publisher; Node 20 ships npm 10.x and would fail auth. - Rename publish-package-npm.yml to .yaml for consistency with the other workflows in this repo, before any Trusted Publisher binding to the filename gets created on npmjs.org. - Replace the redundant git add with a guarded stage that only touches .npmrc when it exists or is tracked, and stops swallowing real errors.
- Guard the real publish step on both event_name=push and the production ref so a manual workflow_dispatch from production cannot trigger both the dry-run and the real publish in one run. - Pass --provenance to both publish invocations to attach an OIDC-backed provenance attestation, which is the main reason to migrate to npm's Trusted Publishers.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Switches the publish target from GitHub Packages to npmjs.org so the package can be installed by anyone without configuring authentication. GitHub Packages npm-registry rejects anonymous reads even for public packages.
Changes
publish-package-npm.yaml, replacesgpr-publish.yaml). Publishes toregistry.npmjs.orgvia OIDC Trusted Publisher with--provenance, no NPM_TOKEN secret needed. Triggers: push toproduction(real publish) orworkflow_dispatch(dry-run). The real-publish step is gated on bothevent_name == 'push'and theproductionref so a manual dispatch fromproductioncannot accidentally run a real publish alongside the dry-run.package.json: addspublishConfig.access: public(required for a public scoped package).README.md: drops the.npmrcinstall snippet and updates the Publishing section. Consumers can nownpm i --save-dev @athombv/jsdoc-templatestraight from the default registry.update-dependents.yaml:Publish to NPM).@athombv:registry=https://npm.pkg.github.com/_authTokenlines from a committed.npmrcand removes the file if nothing meaningful remains. Onlyathombv/node-homey-logandathombv/node-homey-zigbeedrivercurrently have such a file; none of the 11 dependents use any other@athombv/*package, so dropping the scope mapping is safe.Sequence
@athombv/jsdoc-templatepointing atathombv/jsdoc-templateand workflow filenamepublish-package-npm.yaml.mastervia the Version workflow (1.7.0).masterintoproduction- triggers the first publish to npmjs.org.update-dependents.yamlfires automatically after the publish and opens one PR per dependent. Each PR bumps the@athombv/jsdoc-templateversion, strips the legacy.npmrcmapping (where present), and regeneratespackage-lock.jsonso it resolves the package from npmjs.org instead of GitHub Packages URLs - all in a single commit.Superseded PRs
.npmrcon its own would leave their lockfiles pointing atnpm.pkg.github.comURLs and breaknpm ci. The update-dependents automation does the full transition in one commit per repo.