fix(boxel-cli): consolidate publish workflows, push annotated tags #4879
Merged
Run 26077192437 failed for two independent reasons:

1. The new `boxel-cli-on-main.yml` requested an OIDC token whose workflow filename didn't match the npm trusted-publisher rule (registered for `manual-boxel-cli-publish.yml`). pnpm fell back to `NODE_AUTH_TOKEN`, which is empty since the package migrated to trusted publishing — npm returned 404 on the unauthenticated PUT.
2. The "Commit, tag, and push" step created a lightweight tag with `git tag "$TAG"`. `git push --follow-tags` only pushes annotated tags, so the tag never reached origin and `gh release create` then failed with "tag exists locally but has not been pushed".

Consolidate both publish flows into a single `boxel-cli-publish.yml` with two jobs gated by `github.event_name` so they share one trusted-publisher rule, and switch every `git tag` to the annotated form so `--follow-tags` actually pushes the tag.

Requires a one-time npm UI update: edit the @cardstack/boxel-cli trusted-publisher rule to point at the new filename `boxel-cli-publish.yml`.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
FadhlanR added a commit that referenced this pull request May 19, 2026
Only the stable promotion job writes `packages/boxel-cli/CHANGELOG.md` now. The per-merge unstable job still produces a rich filtered GitHub Release body but doesn't append to the on-disk changelog. Per-bump unstable detail stays available on the Releases page and on npm.

Reset `CHANGELOG.md` to its seed state so the file starts fresh on the next stable cut — the existing `.293` / `.294` / `.298` entries were all generated with `PREV_TAG=boxel-cli-v0.1.4` (the lightweight-tag bug fixed in #4879 left intermediate tags unpushed, so `git describe` kept walking back to the last actually-pushed tag). Each entry was the same noisy ~50-PR repo-wide list and not worth keeping around.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Run 26077192437 failed for two independent reasons, both fixed here:
1. `boxel-cli-on-main.yml` requested an OIDC token whose `job_workflow_ref` claim didn't match the npm trusted-publisher rule (registered for `manual-boxel-cli-publish.yml`). pnpm fell back to `NODE_AUTH_TOKEN`, which is empty because the package migrated to trusted publishing — npm returned 404 on the unauthenticated PUT.
2. `git tag "$TAG"` creates a lightweight tag; `git push --follow-tags` only pushes annotated tags. The tag stayed on the runner, and `gh release create` then failed with `tag exists locally but has not been pushed`.

This PR consolidates both publish flows into a single `.github/workflows/boxel-cli-publish.yml` with two jobs gated by `github.event_name` (so both share one trusted-publisher rule), and switches every `git tag` invocation to the annotated form `git tag -a "$TAG" -m "$TAG"`.

Out-of-band action required
Before this PR's first post-merge run can publish, update the npm trusted-publisher rule:
- `@cardstack/boxel-cli` → Settings → Trusted Publishers
- `manual-boxel-cli-publish.yml` to `boxel-cli-publish.yml`. Repo and environment fields unchanged.

The PR itself is safe to land before the rule is updated — the workflow only fires on merges to main, not PR pushes.
Recovery for the orphan `0.2.0-unstable.294`
That version is on npm but has no git tag on origin and no GitHub Release. Recommended: skip — the next merge will produce `0.2.0-unstable.295` with a proper annotated tag and Release.

Test plan
- `boxel-cli-publish.yml` and `boxel-cli-pr-title.yml` (confirmed before commit).
- `chore(boxel-cli):` PR to main → workflow loads under new filename, `compute-release` short-circuits at `npmBump=none`, no publish attempted.
- `fix(boxel-cli):` or `feat(boxel-cli):` merge: push log shows both `main -> main` AND `* [new tag] boxel-cli-v0.2.0-unstable.NNN -> boxel-cli-v0.2.0-unstable.NNN`. OIDC token-exchange returns 200 (no "Skipped OIDC" warning). GitHub Release created with rich notes body. `CHANGELOG.md` updated.
- `workflow_dispatch` with `confirm: promote`: same OIDC success path, dist-tag `latest`, annotated stable tag pushed.

🤖 Generated with Claude Code
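The tag failure described in the summary can be reproduced locally, along with a guard that a release step could run before `gh release create`. This is an added example, not code from the PR or the repository's workflows; the tag name `demo-v0.0.1`, the throwaway repos and the helper function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added demonstration: throwaway repos only, nothing here comes from the real workflow.
set -eu

# Isolate the demo from user-level git config and give the commits an identity.
export GIT_CONFIG_GLOBAL=/dev/null
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# tag_on_remote REPO_DIR TAG: succeeds only if origin really has refs/tags/TAG.
# Run before creating a release, it turns a silently unpushed tag into a clear failure.
tag_on_remote() {
  git -C "$1" ls-remote --exit-code --tags origin "refs/tags/$2" >/dev/null 2>&1
}

# tag_kind REPO_DIR TAG: prints "tag" for an annotated tag object,
# "commit" for a lightweight tag (a bare ref pointing straight at the commit).
tag_kind() {
  git -C "$1" cat-file -t "refs/tags/$2"
}

# push_with_follow_tags MODE: MODE is "lightweight" or "annotated".
# Builds a bare origin and a clone, tags one commit, pushes with --follow-tags,
# then prints "<kind> pushed" or "<kind> missing" according to what reached origin.
push_with_follow_tags() {
  mode=$1; tag="demo-v0.0.1"   # constructed tag name
  work=$(mktemp -d)
  git init -q --bare "$work/origin.git"
  git init -q "$work/clone"
  git -C "$work/clone" symbolic-ref HEAD refs/heads/main
  git -C "$work/clone" remote add origin "$work/origin.git"
  git -C "$work/clone" commit -q --allow-empty -m "release commit"
  if [ "$mode" = annotated ]; then
    git -C "$work/clone" tag -a "$tag" -m "$tag"
  else
    git -C "$work/clone" tag "$tag"
  fi
  git -C "$work/clone" push -q --follow-tags origin main
  kind=$(tag_kind "$work/clone" "$tag")
  if tag_on_remote "$work/clone" "$tag"; then state=pushed; else state=missing; fi
  rm -rf "$work"
  echo "$kind $state"
}

echo "lightweight: $(push_with_follow_tags lightweight)"
echo "annotated:   $(push_with_follow_tags annotated)"
```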