From ba5fb0fada47eefb0ffd1e3ff34c5c2fcb8044be Mon Sep 17 00:00:00 2001 From: Robin Bolscher Date: Mon, 18 May 2026 10:30:06 +0200 Subject: [PATCH 1/3] chore: publish to npmjs.org via OIDC - Replace GitHub Packages publish workflow with OIDC publish to registry.npmjs.org based on the node-homey template. - Add publishConfig.access:public required for a public scoped package. - Remove .npmrc instructions from README; the default npm registry now serves the package without any consumer-side config. - Update update-dependents workflow to point at the new publish workflow and strip the legacy @athombv -> GitHub Packages mapping from any dependent .npmrc when bumping the version. --- .github/workflows/gpr-publish.yaml | 46 ---------------- .github/workflows/publish-package-npm.yml | 66 +++++++++++++++++++++++ .github/workflows/update-dependents.yaml | 16 ++++-- README.md | 14 ++--- package.json | 3 ++ 5 files changed, 84 insertions(+), 61 deletions(-) delete mode 100644 .github/workflows/gpr-publish.yaml create mode 100644 .github/workflows/publish-package-npm.yml diff --git a/.github/workflows/gpr-publish.yaml b/.github/workflows/gpr-publish.yaml deleted file mode 100644 index 0459893..0000000 --- a/.github/workflows/gpr-publish.yaml +++ /dev/null @@ -1,46 +0,0 @@ -name: Publish to GitHub Packages Registry - -# Version: 1.0.0 -# Modified: No -# Requirements: -# - The `name` in `package.json` should start with `@athombv/`. -# -# Ensure you've run `npm version major|minor|patch` on the `master` branch before merging to `production`. -# -# This GitHub Workflow: -# 1. [Optional] If `npm run build` exists. If so, it runs `npm ci` and `npm run build`. -# 2. Publishes the package to the GitHub Packages Registry. - -on: - push: - branches: - - production - -jobs: - publish: - name: Publish - runs-on: ubuntu-latest - steps: - - - name: Checkout git repository - uses: actions/checkout@v3 - - - name: Set up node 16 environment - uses: actions/setup-node@v3 - with: - node-version: 16 - registry-url: 'https://npm.pkg.github.com' - - - name: Build - run: | - if cat package.json | jq -e .scripts.build; then - echo "`npm run build` does exist. Building..." - npm ci - npm run build - else - echo "`npm run build` does not exist. Skipping build..." - fi - - name: Publish - run: npm publish - env: - NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} \ No newline at end of file diff --git a/.github/workflows/publish-package-npm.yml b/.github/workflows/publish-package-npm.yml new file mode 100644 index 0000000..5d08c3d --- /dev/null +++ b/.github/workflows/publish-package-npm.yml @@ -0,0 +1,66 @@ +name: Publish to NPM + +# Publishes the package to npmjs.org using OIDC (Trusted Publisher). +# +# Requirements: +# - The `@athombv/jsdoc-template` package must have a Trusted Publisher +# configured on npmjs.org pointing at this repository and workflow file. +# - Bump the version on `master` via the Version workflow before merging to +# `production`. +# +# Steps: +# 1. Verifies a `files` array is present in package.json. +# 2. Installs dependencies and runs `npm run build` if it exists. +# 3. On `workflow_dispatch`: runs `npm publish --dry-run`. +# 4. On push to `production`: publishes to npmjs.org. + +on: + workflow_dispatch: + push: + branches: + - production + +permissions: + id-token: write + contents: read + +jobs: + publish: + name: Publish + runs-on: ubuntu-latest + steps: + - name: Checkout git repository + uses: actions/checkout@v4 + + - name: Set up node + uses: actions/setup-node@v4 + with: + node-version: '20' + registry-url: 'https://registry.npmjs.org/' + + - name: Verify files field in package.json + run: | + if ! jq -e .files package.json > /dev/null; then + echo "Missing 'files' array in package.json." + exit 1 + fi + + - name: Install dependencies + run: npm ci --ignore-scripts --audit=false + + - name: Build + run: | + if jq --exit-status '.scripts | has("build")' package.json > /dev/null; then + echo "Running npm run build..." + npm run build + else + echo "No build script; skipping." + fi + + - name: Publish dry run + if: github.event_name == 'workflow_dispatch' + run: npm publish --dry-run + + - name: Publish + if: github.ref == 'refs/heads/production' + run: npm publish diff --git a/.github/workflows/update-dependents.yaml b/.github/workflows/update-dependents.yaml index e1bc074..e3968f9 100644 --- a/.github/workflows/update-dependents.yaml +++ b/.github/workflows/update-dependents.yaml @@ -2,7 +2,7 @@ name: Update Dependent Repos on: workflow_run: - workflows: ["Publish to GitHub Packages Registry"] + workflows: ["Publish to NPM"] types: - completed @@ -161,9 +161,15 @@ jobs: else . end ' package.json > package.json.tmp && mv package.json.tmp package.json - # Configure npm to use GitHub Packages for @athombv scope - echo "@athombv:registry=https://npm.pkg.github.com" >> .npmrc - echo "//npm.pkg.github.com/:_authToken=${GH_TOKEN}" >> .npmrc + # Strip any leftover @athombv -> GitHub Packages mapping from .npmrc + # so the new version resolves from npmjs.org. Remove the file when + # nothing meaningful remains. + if [ -f .npmrc ]; then + sed -i '/@athombv:registry/d; /npm.pkg.github.com/d' .npmrc + if [ ! -s .npmrc ] || ! grep -qv '^\s*$' .npmrc; then + rm -f .npmrc + fi + fi # Update lockfile npm install --package-lock-only --ignore-scripts @@ -171,6 +177,8 @@ jobs: # Commit and push git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" + # Stage updates and any .npmrc add/modify/delete + git add -A -- package.json package-lock.json .npmrc 2>/dev/null || true git add package.json package-lock.json git commit -m "chore: update @athombv/jsdoc-template to ${NEW_SPEC}" diff --git a/README.md b/README.md index 9a3d6e8..c4f1667 100644 --- a/README.md +++ b/README.md @@ -2,21 +2,13 @@ ## How to use this template -This package is publicly distributed via [GitHub Packages](https://github.com/athombv/homey-jsdoc-template/pkgs/npm/jsdoc-template). No GitHub token is required to install it. - -1. Add a `.npmrc` in the root of your project so npm resolves the `@athombv` scope to GitHub Packages: - -``` -@athombv:registry=https://npm.pkg.github.com -``` - -2. Install as a dev dependency +1. Install as a dev dependency ```bash $ npm i --save-dev @athombv/jsdoc-template ``` -3. Create `./jsdoc.json`: +2. Create `./jsdoc.json`: ```json { @@ -78,7 +70,7 @@ npm link @athombv/jsdoc-template ## Publishing 1. Bump the version on `master` via the [Version workflow](https://github.com/athombv/jsdoc-template/actions/workflows/version.yaml). -2. Merge `master` to `production` — this will automatically publish the release to the GitHub Packages Registry. +2. Merge `master` to `production` - this will automatically publish the release to npmjs.org via OIDC (Trusted Publisher). 3. Create PRs in dependent repos via the [Update Dependents workflow](https://github.com/athombv/jsdoc-template/actions/workflows/update-dependents.yaml). This will automatically discover repos in the `athombv` org that use `@athombv/jsdoc-template` and open PRs to update them to the new version. diff --git a/package.json b/package.json index 918d17c..62f8402 100644 --- a/package.json +++ b/package.json @@ -13,6 +13,9 @@ "/tmpl", "/publish.js" ], + "publishConfig": { + "access": "public" + }, "author": "Athom B.V.", "license": "GPL-3.0", "dependencies": { From 2c469d39a30bb0346d43870b55fa369f2722bbe3 Mon Sep 17 00:00:00 2001 From: Robin Bolscher Date: Mon, 18 May 2026 11:21:27 +0200 Subject: [PATCH 2/3] chore: address copilot review feedback - Use Node 24 in publish workflow so the bundled npm (>=11.5.1) supports OIDC for Trusted Publisher; Node 20 ships npm 10.x and would fail auth. - Rename publish-package-npm.yml to .yaml for consistency with the other workflows in this repo, before any Trusted Publisher binding to the filename gets created on npmjs.org. - Replace the redundant git add with a guarded stage that only touches .npmrc when it exists or is tracked, and stops swallowing real errors. --- ...{publish-package-npm.yml => publish-package-npm.yaml} | 3 ++- .github/workflows/update-dependents.yaml | 9 ++++++--- 2 files changed, 8 insertions(+), 4 deletions(-) rename .github/workflows/{publish-package-npm.yml => publish-package-npm.yaml} (94%) diff --git a/.github/workflows/publish-package-npm.yml b/.github/workflows/publish-package-npm.yaml similarity index 94% rename from .github/workflows/publish-package-npm.yml rename to .github/workflows/publish-package-npm.yaml index 5d08c3d..3ce8172 100644 --- a/.github/workflows/publish-package-npm.yml +++ b/.github/workflows/publish-package-npm.yaml @@ -35,7 +35,8 @@ jobs: - name: Set up node uses: actions/setup-node@v4 with: - node-version: '20' + # Node 24 bundles npm >= 11.5.1, required for OIDC `npm publish`. + node-version: '24' registry-url: 'https://registry.npmjs.org/' - name: Verify files field in package.json diff --git a/.github/workflows/update-dependents.yaml b/.github/workflows/update-dependents.yaml index e3968f9..c618435 100644 --- a/.github/workflows/update-dependents.yaml +++ b/.github/workflows/update-dependents.yaml @@ -177,9 +177,12 @@ jobs: # Commit and push git config user.name "github-actions[bot]" git config user.email "github-actions[bot]@users.noreply.github.com" - # Stage updates and any .npmrc add/modify/delete - git add -A -- package.json package-lock.json .npmrc 2>/dev/null || true - git add package.json package-lock.json + # Stage the version bump, plus any add/modify/delete to .npmrc + # if it currently exists or is tracked in the repo. + git add -A -- package.json package-lock.json + if [ -e .npmrc ] || git ls-files --error-unmatch .npmrc > /dev/null 2>&1; then + git add -A -- .npmrc + fi git commit -m "chore: update @athombv/jsdoc-template to ${NEW_SPEC}" if ! git push --force origin "$BRANCH_NAME" 2>&1; then From d0a0b517e661909dfea0aef0e417136b9479d9cd Mon Sep 17 00:00:00 2001 From: Robin Bolscher Date: Mon, 18 May 2026 11:27:52 +0200 Subject: [PATCH 3/3] chore: address copilot review feedback - Guard the real publish step on both event_name=push and the production ref so a manual workflow_dispatch from production cannot trigger both the dry-run and the real publish in one run. - Pass --provenance to both publish invocations to attach an OIDC-backed provenance attestation, which is the main reason to migrate to npm's Trusted Publishers. --- .github/workflows/publish-package-npm.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish-package-npm.yaml b/.github/workflows/publish-package-npm.yaml index 3ce8172..507f92a 100644 --- a/.github/workflows/publish-package-npm.yaml +++ b/.github/workflows/publish-package-npm.yaml @@ -60,8 +60,8 @@ jobs: - name: Publish dry run if: github.event_name == 'workflow_dispatch' - run: npm publish --dry-run + run: npm publish --dry-run --provenance - name: Publish - if: github.ref == 'refs/heads/production' - run: npm publish + if: github.event_name == 'push' && github.ref == 'refs/heads/production' + run: npm publish --provenance