
fix(ci): migrate publish workflows to OIDC trusted publishing #755

Merged: kokevidaurre merged 1 commit into develop from fix/publish-workflow-oidc on Apr 24, 2026
@kokevidaurre
Contributor

Summary

  • npm publish failed 404 because NODE_AUTH_TOKEN (stale NPM_TOKEN) was used instead of the OIDC trusted publisher already configured on npmjs.com
  • Remove the token env var from both publish.yml (manual) and release.yml (tag-triggered)
  • Upgrade Node to 22 + install npm@latest (OIDC trusted publishing needs npm >= 11.5.1)
  • publish.yml now detects @next vs @latest dist-tag from package.json (pre-release versions go to @next)

Impact

  • Future publishes authenticate via short-lived OIDC tokens minted per run
  • NPM_TOKEN secret can be deleted from repo after verification
  • After merging develop→main, re-run publish.yml to ship v0.3.0-rc.1 to @next

Testing

  • Workflow YAML validates
  • After merge, re-run publish workflow and confirm v0.3.0-rc.1 lands on npm under @next

Closes #754

Both publish.yml (manual) and release.yml (tag-triggered) passed
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} to npm publish, which npm
prefers over OIDC. With a stale NPM_TOKEN, publishes failed 404 and
OIDC was never attempted.

Changes:
- Remove NODE_AUTH_TOKEN from both publish steps — npm falls back to OIDC
  via the trusted publisher already configured on npmjs.com
- Upgrade Node to 22 and install npm@latest so npm >= 11.5.1 is used
  (required for OIDC trusted publisher authentication)
- publish.yml: detect pre-release dist-tag from package.json version
  (matches release.yml behavior) so rc versions go to @next, not @latest

Closes #754
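
The conditions this change relies on, written as a preflight check. This is an added example, not code from the PR or the project's workflows. The function names and the `ACTIONS_ID_TOKEN_REQUEST_*` check are assumptions; the npm 11.5.1 floor and the @next/@latest rule come from the description above.

```javascript
// Added example (not from the PR): preflight for an npm publish job that is
// meant to authenticate via OIDC trusted publishing. Names are hypothetical.

const MIN_NPM = [11, 5, 1]; // floor stated in the PR: npm >= 11.5.1

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; returns null if malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/
    .exec(String(v).trim());
  if (!m) return null;
  return { core: [+m[1], +m[2], +m[3]], prerelease: m[4] || null };
}

// True when parsed version p is >= floor; a pre-release of the floor itself is below it.
function meetsFloor(p, floor) {
  for (let i = 0; i < 3; i++) {
    if (p.core[i] !== floor[i]) return p.core[i] > floor[i];
  }
  return p.prerelease === null;
}

// Rule from the PR: pre-release versions go to @next, clean versions to @latest.
function distTagFor(pkgVersion) {
  const p = parseVersion(pkgVersion);
  if (!p) throw new Error(`not a semver version: ${pkgVersion}`);
  return p.prerelease ? 'next' : 'latest';
}

function publishPreflight({ env, npmVersion, pkgVersion }) {
  const problems = [];
  // A static token wins over OIDC, so a stale one makes the publish fail
  // before OIDC is ever tried (the failure this PR fixes).
  if (env.NODE_AUTH_TOKEN) {
    problems.push('NODE_AUTH_TOKEN is set; npm will use it instead of OIDC');
  }
  // Assumption (GitHub Actions behaviour, not stated in the PR): these two
  // variables exist only when the job has `permissions: id-token: write`.
  if (!env.ACTIONS_ID_TOKEN_REQUEST_URL || !env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) {
    problems.push('no OIDC token endpoint in env; check the job grants id-token: write');
  }
  const npm = parseVersion(npmVersion);
  if (!npm || !meetsFloor(npm, MIN_NPM)) {
    problems.push(`npm ${npmVersion} does not satisfy >= ${MIN_NPM.join('.')}`);
  }
  return { ok: problems.length === 0, distTag: distTagFor(pkgVersion), problems };
}

// Constructed inputs: a job shaped like the one before the change, and after it.
const before = publishPreflight({
  env: { NODE_AUTH_TOKEN: 'npm_CONSTRUCTED_STALE_TOKEN' },
  npmVersion: '10.9.2', // constructed value, not taken from the PR
  pkgVersion: '0.3.0-rc.1',
});
const after = publishPreflight({
  env: {
    ACTIONS_ID_TOKEN_REQUEST_URL: 'https://example.invalid/oidc',
    ACTIONS_ID_TOKEN_REQUEST_TOKEN: 'constructed',
  },
  npmVersion: '11.5.1',
  pkgVersion: '0.3.0-rc.1',
});
console.log(before, after);
```
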
@gemini-code-assist

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@kokevidaurre kokevidaurre enabled auto-merge (squash) April 24, 2026 14:25
@github-actions github-actions Bot added the ci label Apr 24, 2026
@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.


@kokevidaurre kokevidaurre merged commit 35ef4cd into develop Apr 24, 2026
11 checks passed
kokevidaurre added a commit that referenced this pull request Apr 24, 2026
* refactor(core): run engine decomposition + context helpers [v0.3.0 — 1/7] (#731)

* refactor(core): run engine decomposition, context helpers, squad parser improvements

Core runtime refactoring from v0.3.0 development cycle:

- run-context.ts: expanded context helpers for goal injection, feedback, state
- run-modes.ts: simplified run modes, removed per-squad limits
- run-types.ts: added conversation_agents field type
- execution-engine.ts: phase-ordered execution, role-based context
- agent-runner.ts: bot identity injection, guardrail hooks, tool sets
- squad-parser.ts: findProjectRoot, skills loading, dynamic discovery
- env-config.ts: environment URL resolution additions

Original commits: ~25 from develop (refactors, type fixes, context system updates)
Backup tag: pre-v0.3.0-backup

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: address Gemini review — configurable cred path, use parseAgentFrontmatter, fix staleness calc

- execution-engine.ts: GCP credential path now configurable via
  SQUADS_GCP_CREDENTIALS_DIR env var (was hardcoded ~/.squads/secrets/).
  Use parseAgentFrontmatter() instead of fragile regex for model detection.
- run-context.ts: Replace magic number 86400000 with MS_PER_DAY constant,
  use Math.floor instead of Math.round for staleness calculation.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(types): add model field to AgentFrontmatter interface

Typecheck failed because parseAgentFrontmatter() returns AgentFrontmatter
which didn't include the model property.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(lint): remove unused imports in agent-runner — SOFT_DEADLINE_RATIO, preflightExecutorCheck, pushCognitionSignal, findMemoryDir, timeoutMins

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(lint): remove all 20 unused variable warnings across 9 files

Cleaned up unused imports and variables flagged by eslint:
- agent-runner.ts: DEFAULT_TIMEOUT_MINUTES, bold, gradient
- scorecard-engine.ts: readFileSync
- org-cycle.ts: logObservability, ObservabilityRecord
- outcomes.ts: prefixed unmergedPRs with _
- repo-enforcement.ts: resolve
- run-context.ts: removed unused readDirMd function + readdirSync
- run-modes.ts: spawn, getProjectRoot, checkLocalCooldown,
  DEFAULT_SCHEDULED_COOLDOWN_MS, saveTranscript, reportExecutionStart,
  reportConversationResult, getBridgeUrl, ora
- run-utils.ts: findMemoryDir
- squad-loop.ts: Squad type

Zero warnings remaining. Zero type errors.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>
Co-authored-by: Claude <noreply@anthropic.com>

* feat(run): workflow rewrite — smart skip, org cycle, wave execution [v0.3.0 — 2/7] (#732)

* feat(run): workflow rewrite — smart skip, org cycle, wave execution, focus/resume

Run engine and workflow rewrite from v0.3.0 development cycle.

Fixes applied from Gemini Code Assist review:
- HIGH: task directive now includes planPrompt context (was bypassed)
- HIGH: converged reflects actual status (was forced true)
- MEDIUM: setTimeout cleared on close/error (resource leak)
- MEDIUM: skip logic query limit bumped to 500
- MEDIUM: fallback assigns ALL workers, not just first
- Added CLI_RUN_COMPLETE telemetry event
- Removed unused imports (dirname, homedir, bold)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(test): add findProjectRoot to squad-parser mock in workflow tests

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(test): findProjectRoot mock should use mockReturnValue (sync, not async)

findProjectRoot() returns string|null, not a Promise.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(test): update workflow tests for spawn-based agent execution

workflow.ts now uses spawn instead of execSync. Updated test mocks:
- Added createMockChild helper for spawn-based child processes
- Added appendFileSync to fs mock
- Added observability mock (snapshotGoals, diffGoals, logObservability)
- All 16 tests pass

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove hardcoded squad names from org cycle waves

Wave definitions had our internal squad names (research, intelligence,
cli, marketing, etc.) hardcoded. A user's squads would never match.

Now: all planned squads run in a single parallel wave. Custom wave
ordering can be added later via SQUAD.md `wave:` field.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: remove hardcoded git commit of .agents/memory/ between waves

Auto-committing hq memory between waves was our internal pattern,
not a product feature. Users won't have .agents/memory/ in their
project root. Removed.

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: extract plan prompt to templates/prompts/plan.md

"No prompts in code" — behavioral instructions live in markdown.
Extracted the inline planPrompt template string to a markdown file
with {{VARIABLE}} placeholders. TypeScript loads and substitutes.

Also: squadContext is now included in the template (was passed as
empty string, losing goals/priorities context).

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(lint): remove unused execSync import from run.ts

No longer needed after removing hardcoded git commit between waves.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>
Co-authored-by: Claude <noreply@anthropic.com>

* feat(conversation): agents talk + use tools [v0.3.0 — 3/7] (#733)

* feat(conversation): agents talk + use tools, cognition engine, convergence

Conversation mode rewrite and cognition engine from v0.3.0 cycle:

- conversation.ts: Rewritten so agents talk AND use tools (was text-only).
  Parallel same-role agents within cycles. Hard-stop on lead completion.
  Squad cwd resolution for all agent turns. Transcript serialization fixes.
  Agent classification by name first, then role description.
- cognition.ts: Local-first intelligence engine. Quality grading.
  Escalation pause for daemon. Signal synthesis via Claude CLI.
  Push memory signals after daemon cycles.

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor: remove cognition.ts changes from this PR

Cognition engine is not actively used (post-pivot, daemon is stopped).
Changes parked in future/cognition-t2 branch for Tier 2 reactivation.
This PR now only contains conversation.ts changes.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>
Co-authored-by: Claude <noreply@anthropic.com>

* feat(commands): review, credentials, goals, log + minor fixes [v0.3.0 — 4/7] (#734)

* feat(commands): add review, credentials, goals, log commands + minor fixes

New commands:
- credentials.ts: per-squad GCP service account management
- goals.ts: goals dashboard with status tracking
- log.ts: run history with timestamps, duration, status
- review.ts: post-cycle evaluation dashboard

Fixes applied:
- Added CLI_LOG telemetry event
- Removed unused imports (writeFileSync, formatRelativeTime)
- Removed unused variables (blockedStr, achievedStr)
- Fixed hardcoded org name in review.ts issue URL resolution

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: address Gemini review on credentials.ts

- Use static renameSync import instead of dynamic import('fs')
- Remove redundant --all handling (dedicated create-all command exists)

Co-Authored-By: Claude <noreply@anthropic.com>

* refactor(credentials): remove hardcoded squad names, read config from SQUAD.md

credentials.ts had our internal squad names and GCP roles hardcoded.
Now fully agnostic:

- Permissions read from SQUAD.md `credentials.gcp.roles/apis` fields
- Squads discovered dynamically from squads directory
- No hardcoded squad names, org names, or internal structure
- Helpful error message shows users how to configure their SQUAD.md
- create-all discovers squads with GCP config automatically

Co-Authored-By: Claude <noreply@anthropic.com>

* test(credentials): add 8 tests for SQUAD.md GCP credentials parser

Extracted parseGcpCredentials() as pure function for testability.
Tests cover: inline YAML, quoted values, multiple APIs, missing config,
empty content, roles without apis, mixed SQUAD.md content.

All 8 pass.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>
Co-authored-by: Claude <noreply@anthropic.com>

* feat(init): demo agent scaffold, what's next guidance [v0.3.0 — 5/7] (#735)

* feat(init): demo agent scaffold, what's next guidance, email capture

Init UX improvements from v0.3.0 cycle:

- "What's next" guidance after init with actionable next steps
- Opt-in email capture for product updates
- Demo squad scaffold with hello-world starter agent
- IDP catalog seeding for agent frontmatter schemas
- Competitor collection during init
- Hints for empty business description
- cli.run.complete telemetry event

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(test): update E2E to expect 5 squads (4 core + demo)

Init now creates a demo squad with hello-world agent.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>
Co-authored-by: Claude <noreply@anthropic.com>

* feat(security): PreToolUse guardrail hooks for agent sessions [v0.3.0 — 6/7] (#736)

* feat(security): PreToolUse guardrail hooks for spawned agent sessions

guardrail.json template injected into all spawned Claude sessions.
Prevents agents from running destructive commands, force-pushing,
publishing packages, or accessing secrets directly.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(security): add npm/yarn/pnpm publish to guardrail blocked commands

Gemini review caught missing publish checks. Agents should never
publish packages — that requires founder approval.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>
Co-authored-by: Claude <noreply@anthropic.com>

* test+docs: coverage + tier 2 docs + version bump 0.3.0 [v0.3.0 — 7/7] (#737)

* test+docs: coverage + tier 2 docs + version bump to 0.3.0

Tests added (213 new tests):
- catalog.test.ts: catalog command tests
- dashboard.test.ts: dashboard engine, renderers, loader tests
- services.test.ts: services command tests
- first-run.e2e.test.ts: updated for demo squad scaffold
- guardrail.test.ts: guardrail hook tests
- init.test.ts: expanded init command tests
- telemetry.test.ts: telemetry event tests

Docs:
- docs/tier2.md: Tier 2 architecture documentation

Version:
- package.json: bump to 0.3.0

Note: cli.test.ts failures are pre-existing on develop (not introduced by this PR).

Co-Authored-By: Claude <noreply@anthropic.com>

* docs: remove tier2.md — internal architecture, not product docs

Hardcoded our repo structure, ports, service names. Belongs in
private engineering repo, not the public CLI.

Co-Authored-By: Claude <noreply@anthropic.com>

* test: replace mock-heavy tests with real integration tests

Before: 2,299 lines mocking fs, squad-parser, child_process, etc.
Testing mocks, not the product. False confidence.

After: 465 lines testing real files on real filesystem.
- catalog: real IDP directory with YAML files
- dashboard: zero mocks, real data structures into renderers
- services: real docker-compose.yml in temp dir
- init: real temp directory, verify actual files created

39 tests, all passing. 80% less code, 100% more real coverage.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>
Co-authored-by: Claude <noreply@anthropic.com>

* fix(services): make agnostic — remove hardcoded paths [v0.3.0] (#738)

* fix(services): make agnostic — remove hardcoded paths and internal assumptions

Before: searched for docker-compose.yml in ~/agents-squads/engineering/docker/
and hardcoded squads-postgres container name, internal DB table names.

Now:
- Discovers docker-compose.yml from project root, ./docker/, ./infra/,
  SQUADS_COMPOSE_FILE env var, or --file flag
- Uses docker compose ps against user's compose file
- Removed hardcoded port output and DB introspection
- --file option on all 3 subcommands (up/down/status)
- Health check verifies containers are actually running
- Updated tests to match new agnostic implementation

Co-Authored-By: Claude <noreply@anthropic.com>

* test(services): update tests for agnostic services command

- Use SQUADS_COMPOSE_FILE env var instead of hardcoded engineering path
- Check --file option on all subcommands
- Fix health check mock to return 'running' state
- Updated status test for Docker not installed case

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>
Co-authored-by: Claude <noreply@anthropic.com>

* fix(telemetry): restore write-only API key — broken since March 14 [v0.3.0] (#739)

* fix(telemetry): restore write-only API key — telemetry broken since March 14

Commit 6261882 removed the telemetry key and replaced it with an env var
that no user has set. Result: zero telemetry events since ~March 14.

Write-only analytics keys are standard practice (Segment, PostHog,
Mixpanel all ship them in public code). The key can only write events;
it cannot read, delete, or access any data. Users can still opt out.

Closes #388 (GitHub Traffic API — this restores our primary data signal)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: use plain string for telemetry key, drop base64 obfuscation

Gemini review: base64 encoding adds no security and reduces transparency.
Plain string is honest — it's a write-only key, nothing to hide.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: lock telemetry key — no env var override

Telemetry goes to our infrastructure only. No reason to let users
redirect it. They can opt out, but not redirect.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>
Co-authored-by: Claude <noreply@anthropic.com>

* fix(ux): prerequisites check, no-args squad list, schedule hint [v0.3.0] (#740)

* fix(run): UX improvements — prerequisites check, no-args squad list, schedule hint (#675, #694, #695)

- Add checkPrerequisites() validating Node >= 18 and Claude CLI before run
- Show available squads with missions when `squads run` invoked without args
- Display scheduling tip after first successful squad run (persisted in ~/.squads-cli/schedule-hint-shown)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: skip prerequisites check in CI/test environments

checkPrerequisites() called process.exit(1) when Claude CLI not found,
killing the test runner. Now skips when CI or VITEST env vars are set.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: address Gemini review — remove redundant CLI check, fix cron hint, cleanup

- Removed redundant Claude CLI check (preflightExecutorCheck handles it)
- Removed non-existent --cron flag from schedule hint
- Removed unused runAutopilot import (replaced by squad listing)
- Added VITEST to skip conditions

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(lint): remove unused execSync import

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>
Co-authored-by: Claude <noreply@anthropic.com>

* ci(release): support @next dist-tag for pre-release versions

Tags matching v<semver>-<suffix> (e.g., v0.3.0-rc.1) publish to @next
and mark the GitHub Release as pre-release. Clean semver tags (v0.3.0)
continue publishing to @latest.

Enables a burn-in channel for major releases — users opt in with
`npm i squads-cli@next` before we promote to @latest.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(workflow): role-based timeouts + anti-collision rules [v0.3.0] (#748)

* fix(workflow): role-based timeouts + anti-collision rules in plan prompt

Two root causes of poor org run quality:

1. Workers timed out at 8 minutes (hardcoded) — can't complete real
   work like creating PRs, running BQ queries, or writing reports.
   Now role-based: scanners 10min, verifiers 15min, leads+workers 30min.

2. Multiple squads created duplicate deliverables (e.g., both ops and
   cli tried to create the v0.3.0 release PR). Plan prompt now includes
   explicit rules: only work on YOUR goals, check depends_on before
   acting, verify before creating, no PII on public repos.

Closes #742 (partially — timeout portion)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: use DEFAULT_TIMEOUT_MINUTES + SQUADS_AGENT_TIMEOUT_MINUTES env var

No hardcoded values. Timeout comes from:
1. SQUADS_AGENT_TIMEOUT_MINUTES env var (user override)
2. DEFAULT_TIMEOUT_MINUTES from run-types.ts (30 min)

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: address Gemini review — timeout declaration order + dependency check instructions

- workflow.ts: move timeout declaration before event handlers (no-use-before-define)
- plan.md: specify how to check depends_on (read goals.md status field, use gh CLI)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>
Co-authored-by: Claude <noreply@anthropic.com>

* fix(audit): remove hardcoded values, extract prompts, parameterize config [v0.3.0] (#749)

* fix(audit): remove hardcoded values, extract prompts, parameterize config

5 audit findings remediated:
1. tier-detect.ts: use getApiUrl/getBridgeUrl from env-config
2. agent-runner/workflow/run-modes: replace company-lead string match with frontmatter role
3. cognition.ts: parameterize company name via SQUADS_COMPANY_NAME
4. run-modes.ts: extract lead prompt to templates/prompts/lead-mode.md
5. lead-orchestrator.ts: extract orchestrator prompt to templates/prompts/orchestrator.md

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: address Gemini review — use replaceAll for template tags

- lead-orchestrator.ts: {{WORKERS}} now uses regex for consistency
- run-modes.ts: all template tags use replaceAll() for multi-occurrence safety

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>
Co-authored-by: Claude <noreply@anthropic.com>

* feat: project-level config system — .squads/config.yml [v0.3.0] (#750)

* feat: add project-level config system (.squads/config.yml)

Centralizes runtime settings (agent timeout, token budget, cost ceiling,
company name, compose file, telemetry) into a single project config file
with env var > config file > constant default resolution order.

- New: src/lib/config.ts — loader with minimal YAML parser, no deps
- New: templates/config.example.yml — ships with package
- Updated: workflow.ts reads token_budget + cost_ceiling from config
- Updated: cognition.ts reads company_name from config (was hardcoded)
- Updated: services.ts reads compose_file from config
- Updated: telemetry.ts checks config for telemetry opt-out
- Updated: init.ts generates .squads/config.yml + gitignore entry

Co-Authored-By: Claude <noreply@anthropic.com>

* fix: address Gemini review — YAML parser, gitignore check, config resolution

- config.ts: allow uppercase YAML keys (normalized to lowercase), fix
  comment stripping for quoted values and comment-only values
- init.ts: exact line match for gitignore entry (not substring)
- services.ts: remove redundant env var check, use loadProjectConfig()
  as single config source

Co-Authored-By: Claude <noreply@anthropic.com>

* test(services): reset config cache in beforeEach

Config cache held a stale null compose_file across tests, so the
env-var override case failed because earlier tests had already cached
the unset state.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>
Co-authored-by: Claude <noreply@anthropic.com>

* feat(templates): evaluation-first goals + add growth squad (#752)

* feat(templates): evaluation-first goals + add growth squad

Every non-demo starter squad now ships with a first-run "Squad evaluation"
goal so `squads run <squad>` produces deliverable output on first invocation:
audit the domain against BUSINESS_BRIEF.md and output a baseline report
with top priorities.

Adds a new `growth` squad (4 agents — growth-lead, funnel-analyst,
experiment-runner, growth-critic) distinct from marketing: growth owns
AARRR funnel, experiments, and kills vanity metrics. Marketing creates
content, growth measures and distributes.

Growth exposed via:
- Use-case option in `squads init`
- `--pack growth` flag
- Included in `--pack all`
- Included in `full-company` use case

Closes #751

* fix: address Gemini review — marketing dep + use-case + state files

- growth use case now includes getMarketingSquad() (declared dependency)
- --pack processing updates selectedUseCase so getFirstRunCommand suggests the right first agent (e.g. growth-lead instead of always research/lead)
- --pack growth now also installs marketing (dependency)
- Added initial state.md for funnel-analyst, experiment-runner, growth-critic so their first-run Read() calls do not fail

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>

* chore: bump to 0.3.0-rc.1 for @next burn-in

Pre-release candidate for v0.3.0. Will publish to @next dist-tag
via release.yml (tag matches v<semver>-<suffix> pattern).

Users can test with: npm i -g squads-cli@next

Promotes to @latest after burn-in by tagging main with v0.3.0.

Co-Authored-By: Claude <noreply@anthropic.com>

* fix(ci): migrate publish workflows to OIDC trusted publishing (#755)

Both publish.yml (manual) and release.yml (tag-triggered) passed
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} to npm publish, which npm
prefers over OIDC. With a stale NPM_TOKEN, publishes failed 404 and
OIDC was never attempted.

Changes:
- Remove NODE_AUTH_TOKEN from both publish steps — npm falls back to OIDC
  via the trusted publisher already configured on npmjs.com
- Upgrade Node to 22 and install npm@latest so npm >= 11.5.1 is used
  (required for OIDC trusted publisher authentication)
- publish.yml: detect pre-release dist-tag from package.json version
  (matches release.yml behavior) so rc versions go to @next, not @latest

Closes #754

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>

---------

Co-authored-by: Jorge Vidaurre <jorge@agents-squads.com>
Co-authored-by: Claude <noreply@anthropic.com>