Skip to content

ci: harden release workflow (split npm job + workflow_dispatch, OIDC-ready)#79

Merged
santiagomed merged 2 commits into
mainfrom
ci/harden-release-npm
Jun 29, 2026
Merged

ci: harden release workflow (split npm job + workflow_dispatch, OIDC-ready)#79
santiagomed merged 2 commits into
mainfrom
ci/harden-release-npm

Conversation

@santiagomed

Copy link
Copy Markdown
Collaborator

Why

The release workflow ran GoReleaser and the npm publish in a single job, so:

  • an npm-side failure (a stale NPM_TOKEN) failed the whole run even though the GitHub release + Homebrew cask succeeded — this is what happened on v1.1.0, v1.1.1, and v1.2.0, and why npm is stuck at 1.0.3 (npm package version is outdated #77);
  • there was no way to re-publish npm without re-running GoReleaser, which conflicts with the already-created GitHub release.

What

  • Split into two jobs: goreleaser (binaries + GitHub release + Homebrew cask, tag-push only) and publish-npm. An npm failure no longer blocks the release/cask.
  • Add a workflow_dispatch trigger with a version input so npm can be (re)published for a given version independently — no GoReleaser re-run. (This is how we'll publish v1.2.0's npm package.)
  • publish-npm gets id-token: write, bumps to npm@latest, and publishes with --provenance — making it OIDC trusted-publishing ready. Once a trusted publisher is configured on npmjs.com, NPM_TOKEN can be removed entirely (no more 90-day token rotation).
  • Removed the risky npm unpublish-then-publish step (npm blocks republishing an unpublished version for 72h).
  • Bumped actions/setup-go@v4v5.

After merge

Publish v1.2.0 to npm via: Actions → Release → Run workflow → version 1.2.0 (or gh workflow run release.yml --ref main -f version=1.2.0).

…e/OIDC-ready)

Decouple npm publishing from GoReleaser so an npm-side failure no longer blocks the GitHub release / Homebrew cask, and so a version can be (re)published independently via workflow_dispatch without re-running GoReleaser (which would conflict with the existing release). Adds id-token: write + --provenance and bumps to npm@latest, making the job OIDC trusted-publishing ready so NPM_TOKEN can eventually be dropped. Removes the risky unpublish-then-publish step.
…OKEN)

A configured NODE_AUTH_TOKEN (even empty) makes npm take the token auth path instead of OIDC, so it would fail on token expiry rather than use trusted publishing. Drop the token + registry-url and bump to Node 24 (OIDC needs Node >= 22.14, npm >= 11.5) so npm authenticates via the OIDC id-token against the trusted publisher. NPM_TOKEN is no longer referenced and can be deleted.
@santiagomed

Copy link
Copy Markdown
Collaborator Author

Updated to pure OIDC trusted publishing (commit 7f39585): dropped NODE_AUTH_TOKEN/registry-url and bumped to Node 24 + npm@latest. A configured token (even empty) makes npm use the token path instead of OIDC, so leaving it would fail on expiry rather than use trusted publishing. With none set, npm authenticates via the OIDC id-token against the trusted publisher you configured — nothing to expire. NPM_TOKEN is no longer referenced and can be deleted.

@santiagomed santiagomed merged commit a312d5d into main Jun 29, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants