🤖 Add NPM publishing with OIDC trusted publishing

- Add GitHub Actions workflow for hybrid NPM publishing
  - Publishes to 'next' tag on main branch commits
  - Publishes to 'latest' tag on git tag releases
  - Uses OIDC trusted publishing (no long-lived tokens)
  - Includes provenance attestations for supply chain security

- Update package.json for NPM publishing
  - Change package name to @coder/cmux (scoped package)
  - Add bin field for CLI usage
  - Add repository and publishConfig fields
  - Add files array to control what gets published

- Add .npmignore to exclude dev/build files from NPM package
  - Excludes source, tests, docs, build configs
  - Keeps only dist/ and essential files (README, LICENSE)
  - Results in smaller package size

Generated with cmux

Author: kylecarbs

.github/workflows/publish-npm.yml

@@ -0,0 +1,48 @@
+name: Publish to NPM
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - 'v*'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  id-token: write # Required for OIDC trusted publishing
+
+jobs:
+  publish:
+    name: Publish to NPM
+    runs-on: ${{ github.repository_owner == 'coder' && 'depot-ubuntu-22.04-16' || 'ubuntu-latest' }}
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0 # Required for git describe to find tags
+
+      - uses: ./.github/actions/setup-cmux
+
+      - name: Generate version file
+        run: ./scripts/generate-version.sh
+
+      - name: Build application
+        run: make build
+
+      - name: Determine NPM tag
+        id: npm-tag
+        run: |
+          if [[ $GITHUB_REF == refs/tags/* ]]; then
+            echo "tag=latest" >> $GITHUB_OUTPUT
+            echo "Publishing as 'latest' tag (stable release)"
+          else
+            echo "tag=next" >> $GITHUB_OUTPUT
+            echo "Publishing as 'next' tag (pre-release from main)"
+          fi
+
+      - name: Publish to NPM
+        run: npm publish --tag ${{ steps.npm-tag.outputs.tag }} --provenance
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+

.npmignore

@@ -0,0 +1,64 @@
+# Source files
+src/
+tests/
+benchmarks/
+
+# Documentation (use README.md only)
+docs/
+
+# Build configs
+.github/
+.storybook/
+*.config.js
+*.config.ts
+*.config.mjs
+Makefile
+fmt.mk
+tsconfig.json
+vite.config.ts
+electron-builder.yml
+
+# Development files
+.claude/
+.vscode/
+*.test.ts
+*.test.js
+*.spec.ts
+*.spec.js
+.git/
+.gitignore
+
+# CI/CD
+.circleci/
+.travis.yml
+.gitlab-ci.yml
+
+# Build outputs (keep only dist/)
+build/
+release/
+coverage/
+storybook-static/
+*.tsbuildinfo
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# IDE
+.idea/
+*.swp
+*.swo
+*~
+
+# Misc
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+.env
+.env.local
+.env.*.local
+
+# Keep only dist/ and essential files
+# Files to include are controlled by package.json "files" field
+

package.json

@@ -1,9 +1,20 @@
 {
-  "name": "cmux",
+  "name": "@coder/cmux",
   "version": "0.3.0",
   "description": "cmux - coder multiplexer",
   "main": "dist/main.js",
+  "bin": {
+    "cmux": "dist/main.js"
+  },
   "license": "AGPL-3.0-only",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/coder/cmux.git"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
   "scripts": {
     "dev": "make dev",
     "prebuild:main": "./scripts/generate-version.sh",
@@ -124,6 +135,13 @@
     "vite-plugin-top-level-await": "^1.6.0",
     "ws": "^8.18.3"
   },
+  "files": [
+    "dist/**/*.js",
+    "dist/**/*.js.map",
+    "dist/**/*.wasm",
+    "README.md",
+    "LICENSE"
+  ],
   "build": {
     "appId": "com.cmux.app",
     "productName": "cmux",