fix(javascript-npm-packages): use npm CLI for the token bootstrap publish#19
Merged
Conversation
…lish v0.1.5 through v0.1.9 chased pnpm-side workarounds and each one hit a dead-end: pnpm 11 auto-attempts OIDC without .npmrc fallback; pnpm 10.33.0 via npx is intercepted by corepack; the standalone 10.33.0 binary self-switches on packageManager pnpm@11.x and crashes against its own snapshot. npm publish is not managed by corepack, does not auto-attempt OIDC, reads _authToken from .npmrc directly, and produces an identical tarball (same files, same prepublishOnly). The OIDC branch is unchanged. Bumps 0.1.9 to 0.1.10 and prepends the changelog entry.
ob-aion
added a commit
to coroboros/sparkline
that referenced
this pull request
May 20, 2026
Aligns sparkline with uri / clone / location-timezone on pnpm 11.1.3. The pnpm 10.33.0 pin originated alongside the OIDC-blocked exception documented in OPTIM_PLAYBOOK, but the OIDC binding break is independent of the pnpm version — the token-bootstrap CI shape stays as-is, and the reusable workflow's token branch already uses npm CLI for publish (coroboros/ci#19) so pnpm 11.x auto-OIDC behavior on publish is moot. Unblocks CI: the new `package-lock=false` line in coroboros/ci's recommended NPM_CONFIG_FILE (2026-05-20) is interpreted by pnpm 10 as "disable pnpm-lock.yaml entirely", colliding with the workflow's `pnpm install --frozen-lockfile`. pnpm 11 scopes that line to npm's lockfile only, so install works as expected.
ob-aion
added a commit
to coroboros/sparkline
that referenced
this pull request
May 20, 2026
) * docs(readme): align API blocks to <details> pattern with Types group Reshape the API section to match the Coroboros canonical per-method block format (uri-style). SparklineOptions, SparklineError, and SparklineErrorCode now live in a `### Types` group as `<details><summary><code>Name</code></summary>` blocks. The per-option table moves into SparklineOptions; the `sparkline()` block carries only `values` and `options?` referencing the type. The `sparkline(values, options?)` function moves to `<details><summary><code>...</code></summary>`. Summary carries the signature only — Returns / Throws / Examples / Notes sit below the parameter table. The Notes block links to `bench/baseline.md` for SVG-render timings. Other tweaks: - `### Examples` renamed `### Gallery` (the rendered SVG embeds are visual references; code examples live inside the function `<details>`). - `### Errors` keeps the codes table only; the SparklineError class documentation moves into Types. Pure docs. No source change; SparklineOptions and SparklineError are already exported from src/index.ts. * chore(deps): bump packageManager to pnpm 11.1.3, regenerate lockfile Aligns sparkline with uri / clone / location-timezone on pnpm 11.1.3. The pnpm 10.33.0 pin originated alongside the OIDC-blocked exception documented in OPTIM_PLAYBOOK, but the OIDC binding break is independent of the pnpm version — the token-bootstrap CI shape stays as-is, and the reusable workflow's token branch already uses npm CLI for publish (coroboros/ci#19) so pnpm 11.x auto-OIDC behavior on publish is moot. Unblocks CI: the new `package-lock=false` line in coroboros/ci's recommended NPM_CONFIG_FILE (2026-05-20) is interpreted by pnpm 10 as "disable pnpm-lock.yaml entirely", colliding with the workflow's `pnpm install --frozen-lockfile`. pnpm 11 scopes that line to npm's lockfile only, so install works as expected.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
v0.1.5 → v0.1.9 chased pnpm-side workarounds for the token bootstrap path. Each one hit a different pnpm dead-end:
env -u ACTIONS_ID_TOKEN_REQUEST_*ERR_PNPM_ID_TOKEN_GITHUB_WORKFLOW_INCORRECT_PERMISSIONS, drops.npmrctoken, PUT 404NPM_CONFIG_PROVENANCE=falseERR_PNPM_AUTH_TOKEN_EXCHANGE+ PUT 404npx -y pnpm@10.33.0pnpminvocation, runs consumer's 11.x anywaypnpm-linux-x64@10.33.0+ SHA verifypackageManager: pnpm@11.x,pnpm add @pnpm/exe@11.xcrashes against the snapshot--config.manage-package-manager-versions=falseUse
npm publishfor the token bootstrap path:npmis not managed by corepack — no shim interception.npm 10.xdoes not auto-attempt OIDC —--provenanceis opt-in.npm publishreads_authTokenfrom.npmrcdirectly and PUTs.pnpm publish's (samefiles, sameprepublishOnlyexecution).pnpm publish --provenance --no-git-checksstill runs once a Trusted Publisher is bound for1.0.1+.Revert to a single
pnpm publishonce pnpm 11.x's bootstrap-via-token regression is upstream-fixed.Test plan
v0to this commit.coroboros/uri: delete1.0.0local + remote, re-tag, re-push. Token branch logsnpm --versionprinting the CI runner'snpm 10.xandnpm publishsucceeding.npm view @coroboros/uri versionreturns1.0.0. uri'spackage.jsonpackageManagerstayspnpm@11.1.3.ci.ymldoes not forwardNPM_PACKAGE_REGISTRY_TOKEN,pnpm publish --provenance --no-git-checksruns via the corepack-pinned pnpm 11.x and emits provenance.