ci: restructure publish workflow for OIDC authentication #25

Merged
frankieyan merged 3 commits into main from frankieyan/fix-publish-flow
Jan 18, 2026

Conversation

@frankieyan
Member

This fixes the broken publish flow to the npm registry. Hopefully, third time's the charm.

The NODE_AUTH_TOKEN environment variable was persisting into the npm registry publish step, blocking OIDC authentication. Adding scope wasn't enough; the token persistence between steps was the real culprit.

Adopts the Reactist publishing pattern:

  1. Publish to npm first (no setup-node registry-url, uses .npmrc with @doist:registry=https://registry.npmjs.org/)
  2. Clean up with npm config delete @doist:registry --location=project
  3. Then publish to GitHub Packages with setup-node + GITHUB_TOKEN

Test plan

Trigger workflow via manual dispatch from this branch.

  • Verify both publishes succeed
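
The three-step order described in the PR body, as an added example that is not part of this pull request or the project's workflow: a POSIX shell script of the kind that would sit behind the workflow's `run:` steps. It uses the `@doist` scope and the registry URL named above; the `npm publish --provenance --access public` flags, the preflight check for leftover credentials, and all function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the project's workflow. Scope and registry URL are the
# ones named in the PR; the npm publish flags below are assumed.

SCOPE="@doist"
NPM_REGISTRY="https://registry.npmjs.org/"

# Step 1 (config): route the scope to the public registry via a project-level
# .npmrc. Deliberately no _authToken line: with OIDC trusted publishing the
# credential is minted per run from the job's id-token, so nothing
# long-lived goes on disk or into the step environment.
write_scope_registry() {
    dir="$1"
    printf '%s:registry=%s\n' "$SCOPE" "$NPM_REGISTRY" > "$dir/.npmrc"
}

# Preflight: fail if a token from an earlier step could shadow the OIDC
# exchange (the failure mode the PR describes). Returns 0 when clean,
# 1 with a reason on stderr otherwise.
assert_oidc_clean_env() {
    dir="$1"
    if [ -n "${NODE_AUTH_TOKEN:-}" ]; then
        echo "NODE_AUTH_TOKEN is set; npm would use it instead of OIDC" >&2
        return 1
    fi
    # Check both the project .npmrc and whatever user config setup-node
    # may have pointed NPM_CONFIG_USERCONFIG at in a previous step.
    for rc in "$dir/.npmrc" "${NPM_CONFIG_USERCONFIG:-}"; do
        [ -n "$rc" ] && [ -f "$rc" ] || continue
        if grep -q '_authToken' "$rc"; then
            echo "$rc contains an _authToken entry" >&2
            return 1
        fi
    done
    return 0
}

# Step 1 (publish): npm first, via OIDC, only after the preflight passes.
# Requires the job to hold the id-token: write permission.
publish_npm_oidc() {
    dir="$1"
    assert_oidc_clean_env "$dir" || return 1
    (cd "$dir" && npm publish --provenance --access public)
}

# Step 2: drop the scope override so the next publish no longer targets
# the public registry (this is the cleanup command from the PR body).
drop_scope_registry() {
    dir="$1"
    (cd "$dir" && npm config delete "$SCOPE:registry" --location=project)
}

# Step 3 is left to setup-node with registry-url pointed at GitHub Packages
# and NODE_AUTH_TOKEN set from GITHUB_TOKEN, followed by a plain npm publish.
```

The preflight is the part worth keeping: a token left behind by an earlier step blocks the OIDC exchange, as the PR body describes, and the failure surfaces only as a rejected publish. Running the check before `npm publish` makes the leaked credential the reported error instead, and keeps the provenance-attested path honest.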

Adopt the Reactist publishing pattern to fix npm registry authentication
failures. The previous approach had GITHUB_TOKEN leaking between publish
steps, preventing OIDC from working.

Changes:
- Add .npmrc with @Doist registry config for OIDC-based npm publishing
- Reverse publish order: npm first, GitHub Packages second
- Remove setup-node registry-url for initial npm publish (uses .npmrc)
- Add config cleanup step between registry publishes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@frankieyan frankieyan requested a review from a team as a code owner January 18, 2026 05:02
@frankieyan frankieyan requested review from Bloomca and removed request for a team January 18, 2026 05:02

@doistbot-app (Bot) left a comment

The PR adopts a dual-registry publishing strategy but breaks the OIDC authentication for the npm registry. While the intention to use .npmrc for configuration is good, setup-node requires specific inputs to trigger the OIDC token exchange necessary for provenance generation. Without this, the first publish step will fail.

@frankieyan force-pushed the frankieyan/fix-publish-flow branch 2 times, most recently from 2c74939 to 77b126d on January 18, 2026 05:10
…d in package.json on CI

Update .node-version to 22.22.0 to satisfy the engine requirement
(^22.22.0 || >=24.13.0) while keeping engine-strict=true in .npmrc.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@frankieyan force-pushed the frankieyan/fix-publish-flow branch from 77b126d to 9a5391d on January 18, 2026 05:15
@frankieyan force-pushed the frankieyan/fix-publish-flow branch from 578fc28 to 7fcbd2f on January 18, 2026 05:31
@frankieyan
Member Author

frankieyan commented Jan 18, 2026

It took a few tries, but we now have a "successful" publish run here, and v2.0.1 has been published to the npm registry. I made the mistake of setting the org name to "doist" instead of "Doist" when setting up the trusted publishing flow on npmjs.com 🤦

(success is in quotes because it can't publish v2.0.1 again to the GH registry, since it already exists)

Edit: green publish run for v2.0.2 here

@frankieyan added the "👀 Show PR" label (PR must be reviewed before or after merging) Jan 18, 2026
@frankieyan changed the title from "fix(ci): restructure publish workflow for OIDC authentication" to "ci: restructure publish workflow for OIDC authentication" Jan 18, 2026
@frankieyan frankieyan merged commit aacf6c7 into main Jan 18, 2026
3 of 5 checks passed
@frankieyan frankieyan deleted the frankieyan/fix-publish-flow branch January 18, 2026 05:51