Skip to content

feat(ci): migrate npm publish to Trusted Publishing (OIDC)#7

Merged
mabry1985 merged 2 commits into
mainfrom
feat/trusted-publishing-2026-05-25
May 25, 2026
Merged

feat(ci): migrate npm publish to Trusted Publishing (OIDC)#7
mabry1985 merged 2 commits into
mainfrom
feat/trusted-publishing-2026-05-25

Conversation

@mabry1985

@mabry1985 mabry1985 commented May 25, 2026

Copy link
Copy Markdown

Summary

  • Removes env: NODE_AUTH_TOKEN from the publish step — npm now exchanges the GitHub OIDC token (id-token: write already at job level) for a short-lived publish credential. Same OIDC token continues to drive --provenance.
  • Documents the one-time UI prerequisite inline above the publish step so the next operator doesn't have to dig through CHANGELOG/PR history.

Roadmap: E4 (2 pts) from protoWorkstacean docs/roadmap/2026-06.md.

⚠️ Required UI step before merging

This PR will break the next v*.*.* tag push if the trusted publisher isn't configured on npm first. Sequence:

  1. https://www.npmjs.com/package/@protolabsai/protopatch/accessTrusted PublishersAddGitHub Actions
    • repository: protoLabsAI/protoPatch
    • workflow filename: publish.yml
    • environment: (none)
  2. Merge this PR.
  3. secrets.NPM_TOKEN becomes unused — can be deleted from repo/org secrets at leisure.

Test plan

  • UI prerequisite landed before merge
  • Cut a patch release tag (v0.6.2 or whatever the next minor is) after merge; verify the publish workflow's "Publish to npm" step succeeds without NODE_AUTH_TOKEN
  • Provenance attestation still visible at https://www.npmjs.com/package/@protolabsai/protopatch

Runner migration (fleet workspace-config conformance)

Stacked onto this branch. Migrates plain-Linux node/git jobs to the org-owned runner namespace-profile-protolabs-linux; jobs that genuinely require GitHub-hosted infra keep ubuntu-latest with a # workspace-config: allow-hosted-runner <reason> annotation.

Workflow / job Decision Reason
ci.ymltest MIGRATED typecheck / lint / format / test / build / pack:smoke — plain Linux node
codeql.ymlanalyze ANNOTATED CodeQL default setup requires hosted runner
dependency-review.ymldependency-review ANNOTATED dependency-review-action requires GitHub-hosted API context
pages.ymldeploy ANNOTATED GitHub Pages deploy requires the hosted Pages environment (build+deploy is a single job here)
publish.ymlpublish ANNOTATED npm publish --provenance requires hosted OIDC
crabbox-hydrate.ymlhydrate unchanged already on a self-hosted [self-hosted, crabbox, ...] runner — out of scope

Also scaffolded the missing workspace-config baseline so the repo passes the verify gate: created .beads/issues.jsonl and .automaker/settings.json, and added .beads/beads.db, .worktrees/, and .automaker/{features,checkpoints,trajectory}/ to .gitignore (via init-workspace-config, which does not touch runner labels).

verify-workspace-config --root .conformant, 0 errors (4 recognized hosted-runner exceptions).

🤖 Generated with Claude Code

Removes the NODE_AUTH_TOKEN env on the publish step — npm now exchanges
the GitHub OIDC token issued by `id-token: write` for a short-lived
publish credential. Same OIDC token continues to supply --provenance.

One-time UI prerequisite (must complete before the next tag push):
  npmjs.com/package/@protolabsai/protopatch/access →
  Trusted Publishers → Add → GitHub Actions
    repository:        protoLabsAI/protoPatch
    workflow filename: publish.yml
    environment:       (none)

After that, `secrets.NPM_TOKEN` becomes unused on this workflow and
can be removed from the repo/org secret store at leisure.

@mabry1985 mabry1985 left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

QA Audit — PR #7 | feat(ci): migrate npm publish to Trusted Publishing (OIDC)

VERDICT: WARN


CI Status

  • test: queued
  • Analyze (actions): queued
  • Analyze (typescript): queued

Diff Review

  • Single file changed: .github/workflows/publish.yml
  • Removes env: NODE_AUTH_TOKEN from the npm publish step — OIDC (id-token: write) already present at job level handles auth via npm's Trusted Publishing exchange
  • Improves inline documentation to document the one-time npm UI prerequisite (Trusted Publishers → Add → GitHub Actions, env: none)
  • No application code touched; purely CI workflow hygiene

Observations

  • CLAWPATCH/LOW: protoLabsAI/protoPatch is in the supported-repo allow-list but clawpatch returned "repo not mounted" — structural review skipped, diff-based review only. No action needed.
  • WARN: CI checks are still queued; no green signal yet.
  • WARN: Breaking pre-requisite — the PR body correctly flags that npm Trusted Publisher must be configured at npmjs.com/package/@protolabsai/protopatch/access before the next tag push, otherwise publish fails. Merge now, break later is the risk. Consider gating on the UI step being done first, or adding a repo-level enforcement note.

Checks: 3
Passed: 0 (CI pending)
Failed: 0
Gaps: 2 (queued CI, breaking pre-req not enforced)

— Quinn, QA Engineer

@mabry1985

Copy link
Copy Markdown
Author

Submitted COMMENT review on protoLabsAI/protoPatch#7.

Migrate plain-Linux node/git jobs to namespace-profile-protolabs-linux and
annotate jobs that genuinely require GitHub-hosted infra. Also scaffold the
missing workspace-config baseline (.beads/, .automaker/settings.json,
.gitignore entries) so the repo passes verify-workspace-config.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@mabry1985

Copy link
Copy Markdown
Author

Heads-up: automation (fleet workspace-config conformance) added the chore(ci): migrate node/git workflows to org-owned runner commit (31faa3d) on top of your Trusted Publishing work. It migrates plain-Linux node/git jobs to namespace-profile-protolabs-linux and annotates the genuinely-hosted ones (CodeQL, dependency-review, Pages deploy, and publish.yml — kept on hosted for OIDC --provenance, which matches your change here). It also scaffolds the .beads/ + .automaker/ baseline. We opted to leave it stacked rather than force-push your branch. If you'd rather review it separately, say the word and I'll extract it into a standalone PR.

@mabry1985 mabry1985 merged commit 473fd76 into main May 25, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant