chore(engine): add publish-engine.yml, ready for the npm bootstrap#4148
Conversation
Mirrors npm-publish.yml's already-hardened design exactly: unprivileged validate job (contents: read, runs the package's own test suite, packs + smoke-tests the tarball) -> privileged publish job (contents: write, id-token: write, environment: release) that only downloads the pre-built tarball and publishes it, tagging engine-v<version> to match the mcp-v* convention. Cannot run successfully yet: @jsonbored/gittensory-engine has never been published, and npm's trusted publishing/OIDC can't bootstrap a brand-new package -- the first publish has to come from a maintainer's own authenticated `npm login` session before a Trusted Publisher can be configured in npmjs.com's package settings. This workflow is prepared and ready for the moment that one-time manual step happens.
|
Superagent didn't find any vulnerabilities or security issues in this PR. |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #4148 +/- ##
=======================================
Coverage 93.72% 93.72%
=======================================
Files 385 385
Lines 36243 36243
Branches 13281 13281
=======================================
Hits 33968 33968
Misses 1618 1618
Partials 657 657 🚀 New features to boost your workflow:
|
|
Warning 🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨🟨 ⏸️ Gittensory review result - manual review recommendedReview updated: 2026-07-08 08:03:21 UTC
⏸️ Suggested Action - Manual Review
Review summary Nits — 6 non-blocking
Concerns raised — review before merging
Review context
Contributor next steps
Signal definitions
🟩 Safe / merged · 🟦 Advisory · 🟨 Held for review · 🟥 Blocked / closed 💰 Earn for open-source contributions like this. Gittensor lets GitHub contributors earn for the work they already do — register to start earning →. Checked by Gittensory, a quiet PR intelligence layer for OSS maintainers.
|
Summary
.github/workflows/publish-engine.yml, mirroringnpm-publish.yml's already-hardened design exactly: unprivilegedvalidatejob (contents: read, runs the package's own test suite, packs + smoke-tests the tarball) → privilegedpublishjob (contents: write, id-token: write,environment: release) that only downloads the pre-built tarball and publishes it. Tagsengine-v<version>to match themcp-v*convention.@jsonbored/gittensory-enginehas never been published, and npm's trusted publishing (OIDC) can't bootstrap a brand-new package: the first publish must come from a maintainer's own authenticatednpm loginsession before a Trusted Publisher can be configured in npmjs.com's package settings. This workflow is prepared and ready for the moment that one-time manual step happens (see follow-up conversation for the exact steps).validatejob's "Engine test suite" step (npm run test --workspace @jsonbored/gittensory-engine) is also currently blocked on a separate pre-existing issue (that package's own test suite has stale fixtures unrelated to this PR) — flagged separately as a follow-up task.Test plan
npm run actionlint— clean