feat: OIDC trusted npm publishing + agent workflow tooling#5
feat: OIDC trusted npm publishing + agent workflow tooling#5khaliqgant merged 7 commits intomainfrom
Conversation
…oling Replace long-lived NPM_TOKEN with GitHub Actions OIDC trusted publishing in publish.yml, fix the @PrPM skill source scope and opencode skill directory in the workload-router SDK, and add agent-relay workflows for automated publishing configuration and agent-profile investigation. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
![devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/811515?s=60&v=4){kind=small}
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
Workflows and investigation outputs now live in AgentWorkforce/build-plans under the workforce/ directory. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Update regex patterns in index.test.ts to match the corrected @prpm/npm-trusted-publishing package reference. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| - name: Publish to npm | ||
| if: ${{ github.event.inputs.dry_run != 'true' }} | ||
| working-directory: packages/workload-router | ||
| run: npm publish --access public --provenance --tag ${{ github.event.inputs.tag }} | ||
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | ||
| run: npm publish --provenance --access public --tag ${{ github.event.inputs.tag }} |
There was a problem hiding this comment.
🟡 NODE_AUTH_TOKEN removed from publish.yml but setup-node still configures registry-url expecting it
In .github/workflows/publish.yml, NODE_AUTH_TOKEN env was removed from both publish steps (lines 81-89), but setup-node@v4 with registry-url: 'https://registry.npmjs.org' (line 49) creates an .npmrc with //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}. For this to work without NODE_AUTH_TOKEN, the package must be configured for npm OIDC trusted publishing on npmjs.com, and npm >= 10.9 (ensured by the new npm install -g npm@latest step) must handle OIDC auth. If the trusted publisher is not yet registered on npmjs.com, or if the npm install -g npm@latest step fails/is skipped, the real publish step will fail with an auth error. This is not inherently a code bug, but a fragile implicit dependency on external npm registry configuration.
Was this helpful? React with 👍 or 👎 to provide feedback.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
| claude: { asFlag: 'claude', dir: '.claude/skills' }, | ||
| codex: { asFlag: 'codex', dir: '.agents/skills' }, | ||
| opencode: { asFlag: 'opencode', dir: '.agents/skills' } | ||
| opencode: { asFlag: 'opencode', dir: '.skills' } |
There was a problem hiding this comment.
🟡 installedManifest hardcodes SKILL.md but opencode format uses .md
The PR aligns the opencode skill directory with prpm's actual behavior (changing from .agents/skills to .skills at line 119), but the installedManifest computation at packages/workload-router/src/index.ts:209 still unconditionally appends /SKILL.md for every harness. The newly added prpm.lock file confirms that the opencode format installs the manifest as npm-trusted-publishing.md, not SKILL.md:
- Code computes:
.skills/npm-trusted-publishing/SKILL.md - prpm.lock actual (
prpm.lock:62):.skills/npm-trusted-publishing/npm-trusted-publishing.md
For the claude format the SKILL.md assumption is correct (confirmed by prpm.lock:72), so only opencode is affected. Any caller that reads installedManifest to inject the skill into an agent's task body (as suggested by the README) would get a file-not-found for opencode-installed skills.
Prompt for agents
The HARNESS_SKILL_TARGETS map was updated with the correct opencode directory (.skills), but the installedManifest computation in the materializeSkills function (line 209) hardcodes SKILL.md as the manifest filename for all harnesses. The prpm.lock file shows that opencode format uses <packageName>.md (e.g. npm-trusted-publishing.md) instead of SKILL.md, while claude format does use SKILL.md.
To fix this, the HarnessSkillTarget interface (or the HARNESS_SKILL_TARGETS constant) needs to include per-harness manifest filename information. For example, add a manifestFilename field to HarnessSkillTarget: claude uses 'SKILL.md', opencode uses the derived package name + '.md'. Then update line 209 in materializeSkills to use that field instead of the hardcoded 'SKILL.md'. Also add a test case for the opencode harness verifying the correct installedManifest path.
Was this helpful? React with 👍 or 👎 to provide feedback.
1 participant
Summary
NPM_TOKEN/NODE_AUTH_TOKENsecrets, switched to OIDC trusted publishing. Addednpm install -g npm@lateststep before publish to avoid stale-runner auth failures. Provenance attestations preserved.@prpm/npm-trusted-publishingskill source scope (wasprpm/, now@prpm/)HARNESS_SKILL_TARGETS.opencode.dirfrom.agents/skillsto.opencode/skillsto match prpm's actual install pathconfigure-trusted-publishing.ts(DAG workflow that uses the npm-provenance-publisher persona to automate the publish.yml conversion) andinvestigate-agent-profile-workflows.ts(investigation workflow exploring auto-generated workflows from--agentflag)agent-relay run --agent <persona>featureTest plan
configure-trusted-publishingworkflow passed all 15 steps (verified via agent-relay run)id-token: writepresent,--provenanceflag present,npm install -g npm@lateststep present,repository.urlsetpnpm run checkpassed as final gate@agentworkforce/workload-router(manual step — required before first OIDC publish)🤖 Generated with Claude Code