Fixed
- Publishing to npm failed again right after the 0.9.8 fix landed, this time with
ENEEDAUTH. npm's OIDC trusted-publishing exchange mints a short-lived credential
only when the published package'srepository.urlmatches the workflow's identity
claim, and npm compares that field case-sensitively. The generated package manifest's
homepage,repository.urlandbugsfields all read the lowercasetautlines,
but GitHub's canonical owner isTautlines(capital T), so the comparison never
matched, no token was minted, and npm fell back to demanding an interactive login.
These fields are now generated from GitHub's exact canonical casing, and a guard
test pins it going forward. Publishing to PyPI, which does not compare this field
case-sensitively, was never affected.
Full changelog: https://github.com/tautlines/tautline/blob/main/CHANGELOG.md