ci: Publish to npm registry alongside GH packages registry #19
frankieyan merged 7 commits into main from
Conversation
| env: | ||
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
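Review bot: `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` wires a stored, long-lived publish credential into the job; if it is only meant to bootstrap the first publish, as the discussion suggests, add a comment in the workflow marking it temporary and plan to drop this `env:` block (and grant `permissions: id-token: write` instead) once the package exists and a trusted publisher is configured on npmjs.com.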
This should no longer be used, publishing to npm must go through Trusted Publishing. However, I'm not exactly sure how to configure that when the package does not yet exist on npm. Maybe it's possible to add a package without publishing first?
| env: | |
| NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} |
Good catch @rfgamaral! I don't have the answer to that right now. I logged in as Doistbot into npmjs.com but don't see a way to add a package. I'll do some research and find out.
From what I can tell, trusted publishing is set up on the package level, not organization, so I think what we'll need to do is to temporarily add an NPM_TOKEN to the repo secrets here, publish it, then set up the trusted publisher. However: https://github.blog/changelog/2023-07-25-publishing-with-npm-provenance-from-private-source-repositories-is-no-longer-supported/
@frankieyan That doesn't make a lot of sense to me. Tokens are meant to be fully deprecated, and when that happens, you won't be able to add a temporary NPM_TOKEN, so there must be another way.
Also, provenance and trusted publishing are not the same thing. You'll need to remove the --provenance, otherwise the build will likely fail.
If npm fully disables token-based publishing (including granular tokens) for automation, then CI/CD publishing would have to use OIDC Trusted Publishing, and “human / local” publishing would rely on interactive login sessions (not reusable tokens), with 2FA enforced for publishing. ([The GitHub Blog]1)
The bootstrap problem (first publish) and the practical answer today
Today, npm’s own flow has a hard limitation:
- You cannot publish the initial version of a package using OIDC, because you can only configure a Trusted Publisher from the package’s settings page, and that page only exists after the package exists. ([npm Docs]2)
- This is explicitly called out as a limitation in npm/cli tracking (initial publish must be “manual or using a token”). ([GitHub]3)
So if token-based publishing gets fully deprecated, the way to publish a brand-new package becomes:
1. Publish the first version "manually" using session-based auth
   - `npm login` (which now issues a short-lived session rather than a classic long-lived token) ([The GitHub Blog]1)
   - `npm publish` from your machine to create the package on npm
2. Immediately configure Trusted Publishing in npmjs.com package settings
   - Add your GitHub Actions / GitLab CI trusted publisher
3. All subsequent releases happen from CI via OIDC
   - No publish tokens in CI
This resolves the chicken-and-egg problem without relying on publishing tokens, because the first publish uses interactive session-based auth, not a CI token. ([The GitHub Blog]1)
What would need to change for “OIDC-first publish” to be possible
npm would need to add something like pre-configuration / reservation of a package name with an OIDC trust policy (similar to what the issue references other registries doing). That capability is being requested, but it’s not the current behavior. ([GitHub]3)
I got this from ChatGPT, so I guess we can do what you suggested, or use the npm login/publish approach for the first release, and then configure trusted publishing. Either way should work.
f446855 to 41e3dd9
Okay, the package now exists on https://www.npmjs.com/package/@doist/react-compiler-tracker. Let's give this a go
Update engines field to explicitly target LTS versions only:
- ^22.22.0: Node 22 LTS (current Active LTS)
- >=24.13.0: Node 24 LTS and future versions
This excludes Node 23 (non-LTS "Current" release).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add CHANGELOG.md to the files array so users can see the version history when they install the package. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add npm version, license, and Node.js version badges
- Rewrite opening paragraphs for clarity and conciseness
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Some of our repositories are set up to pull from the npm registry when installing @doist-scoped packages, so we can't rely on the GH packages registry alone. Publishing to both will ensure projects set up with either registry can make use of this tool.
References
Closes #18
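The end state the review discussion describes (GitHub Packages kept on the job's own `GITHUB_TOKEN`, npmjs.com via OIDC trusted publishing with no `NPM_TOKEN` secret anywhere) and the dual-registry publish this description asks for, as an added example workflow that is not the PR's own `.github/workflows` file. The tag trigger, job names, Node version and the assumption that `@doist/react-compiler-tracker` is a public package are mine; as the thread says, the first publish and the trusted-publisher registration in the package settings on npmjs.com have to happen before the `publish-npm` job can succeed.

```yaml
# Added example, not the PR's workflow. Job names, the v* tag trigger, the
# Node version and the public-package assumption are hypothetical choices.
name: release

on:
  push:
    tags: ['v*']

jobs:
  # GitHub Packages: the run's GITHUB_TOKEN is scoped to this repository and
  # expires with the run, so no stored secret is involved here.
  publish-github-packages:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://npm.pkg.github.com
          scope: '@doist'
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # npmjs.com: OIDC trusted publishing. There is deliberately no NPM_TOKEN
  # secret and no NODE_AUTH_TOKEN env on the publish step; id-token: write
  # lets the runner mint an OIDC token that npm exchanges for a short-lived
  # publish credential. This only works after the package exists and this
  # repository/workflow is registered as its trusted publisher (the manual
  # bootstrap step discussed in the thread).
  publish-npm:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Trusted publishing needs npm CLI 11.5.1 or newer; the npm bundled
      # with Node 22 is older, so upgrade it inside the job.
      - run: npm install -g npm@latest
      - run: npm ci
      # No --provenance flag, per the review comment above; with trusted
      # publishing from a public source repository npm attaches provenance
      # itself (the github.blog link in the thread is about private repos).
      # --access public is needed for the scoped package; assumed public.
      - run: npm publish --access public
```

Two things to verify the first time this runs: the `publish-npm` job must fail with an authentication error before the trusted publisher is registered (proving no leftover token is being used), and the published version on npmjs.com should show a provenance badge if the repository is public.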
Test plan