
fix(ci): publish with explicit --provenance to surface OIDC errors#54

Merged
vibe-dex merged 1 commit into
mainfrom
fix/ci-explicit-provenance
May 19, 2026

Conversation

Contributor

@vibe-dex vibe-dex commented May 19, 2026

Summary

Recent CI publish attempts have failed with a generic `404 Not Found - PUT`. Investigation showed the npm CLI is publishing anonymously — zero OIDC/provenance/trusted-publisher traces in the log — even though the workflow declares `id-token: write` and Trusted Publishing is configured on the npm package.

Adding `--provenance` makes the OIDC handshake mandatory. The next publish either:

  • ✅ Succeeds end-to-end with provenance signed (if OIDC was just being skipped opportunistically), or
  • ❌ Fails fast with a precise error (e.g. `ACTIONS_ID_TOKEN_REQUEST_URL not set`) that points at the actual broken layer — repo Actions settings, org-level workflow permissions, or runner regression — instead of silently degrading to an anonymous publish that returns a misleading 404.

No-op when OIDC is working; the previous behavior was already auto-signing provenance on successful runs (cf. v1.14.0 publish log: `Signed provenance statement with source and build information from GitHub Actions`). This just makes the requirement explicit and the failure mode visible.

Test plan

  • Verified the same workflow currently produces zero OIDC traces in the failing publish run.
  • After merge: the Release workflow will trigger on push to main. Will publish v1.15.2 (a no-op patch that captures this CI fix) and validate the OIDC handshake end-to-end. If publish fails again, the error message itself will diagnose the next step.

Made with Cursor

Summary by cubic

Add --provenance to npm publish in .releaserc.json to require OIDC/Trusted Publishing. This surfaces real OIDC errors and stops silent anonymous publishes that end in 404s.

  • Bug Fixes
    • Require provenance signing during release; no-op when OIDC already works.
    • When OIDC is missing, publish now fails early with a precise error instead of a generic 404 Not Found - PUT.

Written for commit 8d25e1d.

Recent releases have failed silently — `npm publish` does no OIDC token
exchange, posts anonymously, and the registry returns a misleading 404.
The publish step's log shows zero OIDC/provenance/trusted-publisher
traces, meaning the npm CLI isn't even attempting the handshake.

Adding `--provenance` makes the OIDC code path mandatory: if the
runtime is missing the required env vars (e.g. `id-token: write` not
being honored by the runner), npm fails fast with a precise error
instead of silently degrading to anonymous publish.

No-op when OIDC is working — the previous behavior already auto-signed
provenance on successful runs; this just makes the requirement
explicit and the failure mode visible.

Co-authored-by: Cursor <cursoragent@cursor.com>
@vibe-dex vibe-dex requested a review from a team May 19, 2026 21:12
@vibe-dex vibe-dex merged commit 7eb9bc6 into main May 19, 2026
2 checks passed
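As an added example (not the repository's own CI configuration or code), the two shell checks below make the failure mode described in this PR visible from a release job: a preflight that refuses to run `npm publish --provenance` when the OIDC request variables GitHub Actions sets for a job granted `id-token: write` (`ACTIONS_ID_TOKEN_REQUEST_URL`, `ACTIONS_ID_TOKEN_REQUEST_TOKEN`) are absent, and a post-publish log check for the "Signed provenance statement" line quoted above, so an anonymous publish is treated as a failure even if the registry had not returned a 404. The package name `example-pkg` and both sample logs are constructed for the demo.

```shell
#!/usr/bin/env sh
# Added example, not the repository's own CI code. Two checks around
# `npm publish --provenance`:
#   oidc_preflight  - before publishing, confirm the GitHub Actions OIDC
#                     variables npm needs for provenance are present; if
#                     not, stop with a clear message instead of letting
#                     npm publish anonymously and hit a misleading 404.
#   publish_log_ok  - after publishing, confirm the saved log contains
#                     the "Signed provenance statement ..." line quoted
#                     in the PR, i.e. the OIDC handshake really happened.
# ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN are the
# variables GitHub Actions sets for a job granted `id-token: write`.

# Return 0 when both OIDC request variables are set and non-empty;
# otherwise name the missing ones on stderr and return 1.
oidc_preflight() {
  missing=""
  [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]   || missing="$missing ACTIONS_ID_TOKEN_REQUEST_URL"
  [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ] || missing="$missing ACTIONS_ID_TOKEN_REQUEST_TOKEN"
  if [ -n "$missing" ]; then
    echo "OIDC preflight failed: missing$missing (is 'id-token: write' granted to this job?)" >&2
    return 1
  fi
  return 0
}

# Read a publish log on stdin (or from the file named in $1) and return 0
# only if npm reported a signed provenance statement, else 1.
publish_log_ok() {
  grep -q 'Signed provenance statement with source and build information from GitHub Actions' "$@"
}

# Constructed sample logs (not real CI output): one healthy publish and one
# anonymous publish that ended in the 404 described in the PR.
GOOD_LOG='npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice Signed provenance statement with source and build information from GitHub Actions
+ example-pkg@1.15.2'
BAD_LOG='npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm error code E404
npm error 404 Not Found - PUT https://registry.npmjs.org/example-pkg'

# Stand-alone demo: run the preflight against the current environment and
# check both sample logs.
if oidc_preflight; then
  echo "preflight ok: safe to run 'npm publish --provenance'"
else
  echo "preflight failed: refusing to publish without OIDC"
fi
printf '%s\n' "$GOOD_LOG" | publish_log_ok && echo "good log: provenance was signed"
printf '%s\n' "$BAD_LOG"  | publish_log_ok || echo "bad log: no provenance trace, treat the publish as failed"
```

In a workflow, `oidc_preflight` would run as its own step before the release step, and `publish_log_ok` would be fed the captured output of the publish step (`npm publish --provenance 2>&1 | tee publish.log`) so that a run which skipped the handshake fails the job even when the registry accepted the upload.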
@github-actions

🎉 This PR is included in version 1.15.2 🎉

The release is available on:

Your semantic-release bot 📦🚀
