Validate npm OIDC publish flow with prerelease release lane#8
Merged
Conversation
Add a release-driven publish workflow that uses GitHub OIDC, verifies the release tag against package.json, and routes prerelease versions to the npm next dist-tag. Bump the package version to 0.1.35-rc.0 so the pipeline can be exercised without moving latest. Constraint: Branch protection requires release validation to flow through the normal PR and main branch path Rejected: Publish 0.1.35 directly to latest | no consumer-facing package change yet Rejected: Skip real publish and rely on dry-run only | does not validate trusted publisher OIDC Confidence: high Scope-risk: narrow Reversibility: clean Directive: Keep prerelease versions on the next dist-tag until a consumer-visible package change is ready for latest Tested: npm run build; npm test; npm pack --dry-run Not-tested: End-to-end GitHub Release triggered npm publish via OIDC until merged and released from main
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
nextdist-tag instead oflatest0.1.35-rc.0for release-path validationValidation
npm run buildnpm testMaintainer Notes
v0.1.35-rc.0frommain.