From 2fd9278870d7fb5924d3428ea3c9a377c89cf9b0 Mon Sep 17 00:00:00 2001
From: Robert DeLanghe <1240090+bdelanghe@users.noreply.github.com>
Date: Sun, 28 Jun 2026 21:20:28 -0400
Subject: [PATCH] =?UTF-8?q?build(publish):=20set=20up=20npm=20publishing?=
 =?UTF-8?q?=20(OIDC=20provenance,=20tag-gated)=20=E2=80=94=20prx-47qm?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Makes the kit installable beyond bounded-systems — `npm i @bounded-systems/conformance-kit` — so it's reusable everywhere, not just git-vendored.

Setting up the pipeline does NOT publish: the release only fires on a `v*` tag push (merging to main never does).

- package.json: add `files` allowlist (gates/generators/integrity/emitters/lib + README/LICENSE/provenance — excludes test/fixtures), wildcard `exports` for deep imports (e.g. `@bounded-systems/conformance-kit/gates/conformance-report.mjs`), and `publishConfig` (public + provenance). Version 0.1.0 (vendored-only stub) → 0.2.0.

- .github/workflows/publish.yml: on a `v*` tag, npm ci → npm test → `npm publish --provenance` via Trusted Publishing (OIDC, id-token:write — no stored NPM_TOKEN), mirroring lone's tag-gated publish.

npm pack --dry-run: 35 files, 70.4 kB. Tests 17/0.

NOTE — registry-side, owner only: configure the package's npm Trusted Publisher (repo + publish.yml) on npmjs.com (a brand-new name may need one manual `npm publish` to claim it first, then OIDC for subsequent tags).

lone stays the JSR-published STANDARD; npm is the right home for this CLI/vendoring toolkit.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
.github/workflows/publish.yml | 31 +++++++++++++++++++++++++++++++
package.json | 26 +++++++++++++++++++++++++-
2 files changed, 56 insertions(+), 1 deletion(-)
create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 0000000..3b05600
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,31 @@
+name: publish
+
+# Publishes @bounded-systems/conformance-kit to npm with build provenance, on a
+# `v*` tag push (the deliberate release trigger — merging to main never publishes).
+# Uses npm Trusted Publishing (OIDC): no stored NPM_TOKEN. The package's trusted
+# publisher must be configured once on npmjs.com (repo + this workflow); until then
+# the publish step fails closed.
+on:
+  push:
+    tags: ["v*"]
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write # OIDC — npm provenance + trusted publishing
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
+        with:
+          node-version: "22"
+          registry-url: "https://registry.npmjs.org"
+      - name: Install deps
+        run: npm ci --no-audit --no-fund
+      - name: Test gate (must pass before publish)
+        run: npm test
+      - name: Publish to npm (provenance, public)
+        run: npm publish --provenance --access public
diff --git a/package.json b/package.json
index dde1fd7..cb65f93 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@bounded-systems/conformance-kit",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "description": "Standalone, site-agnostic web-conformance toolkit: integrity tooling + build gates + provenance generators, all parameterized so a site vendors one kit instead of duplicating scripts.",
   "type": "module",
   "license": "MIT",
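Review bot: The `workflow_dispatch` trigger undercuts the tag gate that the header comment and the commit message promise: a manual run from any branch gets the same `id-token: write` and reaches `npm publish`, so whatever is on that branch can be published under the version in its package.json (npm's trusted-publisher binding is to repo plus workflow file, not to a ref, as far as I can tell). Either drop `workflow_dispatch`, or guard the job with `if: startsWith(github.ref, 'refs/tags/v')` and add a step that compares the tag to the `package.json` version, so a stale or mistyped tag cannot publish the wrong version; a dispatch from a tag still works under that guard. The `ACTIONS_ID_TOKEN_REQUEST_*` environment that backs trusted publishing is present for every step of this job, including dependency install hooks run by `npm ci`, so `--ignore-scripts` on the install would narrow that window, provided the kit's tests do not rely on install-time hooks — worth confirming. Unchanged steps are elided below.

```yaml
jobs:
  publish:
    runs-on: ubuntu-latest
    # Fail closed on a manual dispatch from a branch: only a v* tag ref may publish.
    if: startsWith(github.ref, 'refs/tags/v')
    steps:
      # … unchanged: checkout, setup-node …
      - name: Install deps
        run: npm ci --no-audit --no-fund --ignore-scripts
      - name: Tag must match package.json version
        run: test "v$(node -p 'require("./package.json").version')" = "${GITHUB_REF_NAME}"
      # … unchanged: npm test, npm publish …
```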
@@ -31,6 +31,30 @@
   "scripts": {
     "test": "node test/run.mjs"
   },
+  "files": [
+    "gates",
+    "generators",
+    "integrity",
+    "emitters",
+    "lib",
+    "provenance.json",
+    "vendor.example.json",
+    "README.md",
+    "LICENSE"
+  ],
+  "exports": {
+    "./package.json": "./package.json",
+    "./gates/*": "./gates/*",
+    "./gates/conformance/*": "./gates/conformance/*",
+    "./generators/*": "./generators/*",
+    "./integrity/*": "./integrity/*",
+    "./emitters/*": "./emitters/*",
+    "./lib/*": "./lib/*"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
   "dependencies": {
     "@mozilla/readability": "^0.5.0",
     "@zazuko/env-node": "^2.1.5",
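Review bot: The `"./gates/conformance/*": "./gates/conformance/*"` entry is redundant: a `*` in an `exports` subpath pattern matches any string including `/` separators, so `./gates/*` already resolves `./gates/conformance/foo.mjs` and the two entries are identical in effect; drop the nested line. If the intent was instead to limit deep imports to a fixed set of entry points, the wildcard patterns do not do that — every file shipped under those directories by the `files` allowlist, internal helpers included, becomes importable public API, and each public entry point would have to be listed explicitly. There is also no `"."` entry, so a bare `import '@bounded-systems/conformance-kit'` fails with `ERR_PACKAGE_PATH_NOT_EXPORTED`; that may be deliberate for a deep-import-only toolkit, but since JSON cannot carry a comment the README (not visible here) should state it.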