Add npm publish workflow with provenance (OIDC trusted publishing)#80
Merged
…lishing) Adds .github/workflows/publish.yml: on a GitHub Release, publishes @qulib/core then @qulib/mcp with `npm publish --provenance` via OIDC trusted publishing (tokenless — no NPM_TOKEN secret). Verifies core/mcp versions are aligned and match the release tag before publishing; core publishes before mcp. Also adds a PR-template checklist line so PRs are labeled + assigned to a milestone (closes a repo-wide PR-hygiene gap). Requires a one-time npmjs.com trusted-publisher config per package. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What this PR does
Adds .github/workflows/publish.yml — on a published GitHub Release, builds and publishes @qulib/core then @qulib/mcp to npm with npm publish --provenance via OIDC trusted publishing (tokenless; no NPM_TOKEN secret). Verifies core/mcp versions are aligned and equal the release tag before publishing; always publishes core before mcp.
Also adds one PR-template checklist line (labeled + assigned to a milestone) to close a repo-wide PR-hygiene gap.
Why
qulib is published by hand today, so packages are signed but carry no provenance attestation — the 'verified built & published from this repo' supply-chain badge. Publishing from CI via OIDC adds that badge and removes the local-token publish path.
Type
Checklist
main
npm run build — N/A (CI/docs only, no source touched; PR CI validates)
type: short description
One-time setup before the first release
Before cutting v0.8.0, configure the npm trusted publisher for both packages: npmjs.com → package Settings → Trusted Publisher → GitHub Actions → repo TapeshN/qulib, workflow publish.yml. Merging this PR is safe anytime — the workflow only runs on a published Release.
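The version guard the PR describes (core and mcp aligned, and equal to the release tag) as an added example, not the PR's own workflow code: a POSIX sh step that would run before `npm publish --provenance`. The package.json paths and the `GITHUB_REF_NAME` tag variable are assumptions; the real repo layout may differ.

```shell
#!/bin/sh
# Hypothetical version guard for the publish workflow. Assumed paths:
# packages/core/package.json and packages/mcp/package.json. In CI the
# release tag arrives in GITHUB_REF_NAME (e.g. "v0.8.0"); the publish
# steps (core first, then mcp) run only if this guard exits 0.

# Extract the top-level "version" field from a package.json without node/jq.
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_release_versions CORE_PKG_JSON MCP_PKG_JSON TAG
# Returns 0 only when core and mcp carry the same version and it equals
# the tag with an optional leading "v" stripped; prints the reason otherwise.
check_release_versions() {
  core_ver=$(pkg_version "$1")
  mcp_ver=$(pkg_version "$2")
  tag_ver=${3#v}

  if [ -z "$core_ver" ] || [ -z "$mcp_ver" ]; then
    echo "could not read a version field from $1 or $2" >&2
    return 1
  fi
  if [ "$core_ver" != "$mcp_ver" ]; then
    echo "core ($core_ver) and mcp ($mcp_ver) versions are not aligned" >&2
    return 1
  fi
  if [ "$core_ver" != "$tag_ver" ]; then
    echo "package version $core_ver does not match release tag $3" >&2
    return 1
  fi
  echo "versions aligned: $core_ver == tag $3"
  return 0
}

# Workflow usage (assumed step):
#   check_release_versions packages/core/package.json \
#                          packages/mcp/package.json "$GITHUB_REF_NAME" || exit 1
```

The job that runs this still needs `permissions: id-token: write` for the OIDC exchange and should keep `contents: read` only; nothing here reads or needs an npm token.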