@kylecarbs
Member

Summary

Adds automated NPM publishing to @coder/cmux using modern OIDC trusted publishing (no long-lived tokens needed).

Changes

GitHub Actions Workflow

  • Hybrid publishing strategy:
    • Main branch commits → publishes as @next tag (pre-release)
    • Git tags (v*) → publishes as latest tag (stable)
  • OIDC trusted publishing: Uses short-lived, cryptographically-signed tokens
  • Provenance attestations: Automatic supply chain security

Package Configuration

  • Package name: @coder/cmux (scoped package)
  • CLI support: Added bin field for npx @coder/cmux usage
  • Published files: Only dist/, README.md, LICENSE (no source/build files)
  • Repository metadata: Added for better NPM package page

.npmignore

  • Excludes dev files: src/, tests/, benchmarks/, docs/
  • Excludes build configs: .github/, Makefile, tsconfig.json, etc.
  • Results in much smaller NPM package

Setup Required After Merge

  1. First manual publish (one-time):

    npm publish

    This creates the package on npmjs.com

  2. Configure OIDC on npmjs.com (one-time):

    • Go to package settings at https://www.npmjs.com/package/@coder/cmux
    • Find "Trusted Publisher" section
    • Add GitHub Actions publisher:
      • Organization: coder
      • Repository: cmux
      • Workflow: publish-npm.yml
      • (Optional) Environment: production
  3. Done! Future publishes happen automatically:

    • Every push to main → @next tag
    • Every git tag → latest tag

Usage Examples

After publishing:

# Install stable version
npm install @coder/cmux

# Install latest from main (pre-release)
npm install @coder/cmux@next

# Run without installing
npx @coder/cmux server

References

Generated with cmux

- Add GitHub Actions workflow for hybrid NPM publishing
  - Publishes to 'next' tag on main branch commits
  - Publishes to 'latest' tag on git tag releases
  - Uses OIDC trusted publishing (no long-lived tokens)
  - Includes provenance attestations for supply chain security

- Update package.json for NPM publishing
  - Change package name to @coder/cmux (scoped package)
  - Add bin field for CLI usage
  - Add repository and publishConfig fields
  - Add files array to control what gets published (whitelist approach)

Generated with cmux
@chatgpt-codex-connector

💡 Codex Review

cmux/package.json

Lines 138 to 143 in 602b6f2

  "files": [
    "dist/**/*.js",
    "dist/**/*.js.map",
    "dist/**/*.wasm",
    "README.md",
    "LICENSE"

P1: Include renderer HTML assets in published files

The new files whitelist in package.json only includes JavaScript and WASM files. However the desktop entrypoint loads dist/splash.html and dist/index.html when packaged. With the current list those HTML files (and any CSS/images emitted by Vite) will be omitted from the npm tarball, so BrowserWindow.loadFile(...) will fail at runtime (ERR_FILE_NOT_FOUND) and the application cannot render. The files array should include the HTML and related assets or be removed so the full dist directory is published.

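The publish step behind the three setup items in the PR description (ref-to-dist-tag selection, OIDC instead of a stored token, `--provenance`), plus the tarball preflight that the review comment above asks for, as an added example. This is shell written for this page, not the PR's publish-npm.yml workflow and not the project's code. It assumes it is invoked from a `run:` step in a job that grants `permissions: id-token: write` (without that, npm cannot obtain the short-lived OIDC token that `--provenance` relies on) and that package.json is in the working directory. The `ACTIONS_ID_TOKEN_REQUEST_*` variables are the ones GitHub Actions sets for that permission; the stricter `v[0-9]*` tag pattern and the refusal to run when NPM_TOKEN/NODE_AUTH_TOKEN is present are this example's own choices.

```shell
#!/bin/sh
# Added example, not the PR's publish-npm.yml: the publish step a `run:` line in
# that workflow could call. Assumes the job has `permissions: id-token: write`
# and that package.json is in the current directory.
set -eu

# Map the ref GitHub Actions exposes in $GITHUB_REF to an npm dist-tag:
# main -> next (pre-release), v<digits>... tags -> latest. The tag pattern is
# slightly stricter than the PR's `v*` so a tag such as `vnext` is refused.
dist_tag_for_ref() {
  case "$1" in
    refs/heads/main)    printf '%s\n' next ;;
    refs/tags/v[0-9]*)  printf '%s\n' latest ;;
    *) printf 'refusing to publish from ref %s\n' "$1" >&2; return 1 ;;
  esac
}

# Read "version" from a package.json without a JSON parser (enough for the
# `"version": "x.y.z"` line npm itself writes).
package_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# A `latest` publish must come from a tag that names the version being published.
tag_matches_version() {
  want="${1#refs/tags/v}"
  if [ "$want" != "$2" ]; then
    printf 'tag %s does not match package.json version %s\n' "$1" "$2" >&2
    return 1
  fi
}

# GitHub sets these two variables only when the job has `id-token: write`;
# without them npm cannot mint the short-lived publish token.
oidc_available() {
  [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] && [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]
}

# Given the output of `npm pack --dry-run --json` on stdin, succeed only if every
# path named as an argument appears in the tarball listing (the review point
# about dist/index.html and dist/splash.html being dropped by the whitelist).
tarball_includes() {
  listing="$(cat)"
  for f in "$@"; do
    printf '%s\n' "$listing" | grep -q "\"$f\"" || {
      printf 'tarball is missing %s; check the "files" whitelist\n' "$f" >&2
      return 1
    }
  done
}

publish_from_ci() {
  ref="${GITHUB_REF:?set by GitHub Actions}"
  tag="$(dist_tag_for_ref "$ref")"
  oidc_available || {
    printf 'no OIDC token: add "permissions: id-token: write" to the job\n' >&2
    return 1
  }
  # Trusted publishing needs no stored secret; a token in the environment means a
  # long-lived credential is still around (policy choice made by this example).
  if [ -n "${NPM_TOKEN:-}" ] || [ -n "${NODE_AUTH_TOKEN:-}" ]; then
    printf 'NPM_TOKEN/NODE_AUTH_TOKEN is set; trusted publishing should not need it\n' >&2
    return 1
  fi
  version="$(package_version package.json)"
  if [ "$tag" = latest ]; then
    tag_matches_version "$ref" "$version"
  fi
  npm pack --dry-run --json 2>/dev/null | tarball_includes dist/index.html dist/splash.html
  # --provenance attaches the attestation signed through the OIDC identity;
  # scoped packages default to restricted access, so say public explicitly.
  npm publish --provenance --access public --tag "$tag"
}

if [ "${1:-}" = publish ]; then
  publish_from_ci
fi
```

Invoked as `sh publish.sh publish` from the workflow step; the functions can also be sourced and checked individually. One caveat the PR text does not address: npm rejects a second publish of an identical version, so each push to main that lands on `next` needs a distinct version string.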

- Add shebang to src/main.ts so it's executable as a CLI
- Auto-detect execution context: CLI vs Electron
- Default to server mode when run via npm/npx (no Electron deps needed)
- Preserve Electron desktop mode when launched as Electron app

This makes 'npx @coder/cmux' work out of the box without requiring
Electron dependencies or 'server' argument.

Generated with cmux

- Move cors, express, ws from devDependencies to dependencies
- These are required at runtime for server mode to work
- Fixes 'cors cannot be found' error when running as npm package

React, emotion, markdown/mermaid rendering, and other UI packages
are only needed for the Electron renderer, not the CLI/server.
This reduces npm package install size and dependencies.

Users can now install the full Electron desktop app via npm:
  npm install -g @coder/cmux

Running 'cmux' launches the desktop app by default.
Running 'cmux server' runs the server mode.

Added dist/assets/* and dist/**/*.css to published files for renderer.

The bin script now:
- Detects if 'server' arg is passed and runs Node directly
- Otherwise spawns the electron binary to launch the desktop app

This makes 'cmux' launch the Electron app and 'cmux server' run server mode.

Provenance is auto-enabled via --provenance flag in CI workflow.
Local manual publishing doesn't support it (needs GitHub Actions OIDC).

electron-builder requires electron to be in devDependencies only.
@kylecarbs kylecarbs merged commit bf6ea82 into main Oct 20, 2025
8 of 9 checks passed
@kylecarbs kylecarbs deleted the npm-publish-oidc branch October 20, 2025 23:45