fix(sdk): add repository metadata for npm provenance #34

Merged: lukeocodes merged 1 commit into main from fix/sdk-repository-metadata on Apr 30, 2026

Conversation

@lukeocodes (Member)

Summary

@deepgram/agents@0.1.0 publish failed at the npm provenance step:

npm error 422 Unprocessable Entity - PUT https://registry.npmjs.org/@deepgram%2fagents
Error verifying sigstore provenance bundle: Failed to validate repository information:
package.json: "repository.url" is "", expected to match "https://github.com/deepgram/agent" from provenance

npm provenance requires repository.url in package.json to match the source repo from the GitHub Actions build attestation. the SDK package.json had no repository field.

Changes

  • packages/sdk/package.json: add repository (with directory: packages/sdk for monorepo awareness), homepage, and bugs.
  • release-please-config.json: drop release-as: "0.1.0" from the SDK package. now that 0.1.0 is tagged, release-please should resume normal pre-major bump rules. this fix will land as 0.1.1.

State on main

  • agents-v0.1.0 GitHub release exists but @deepgram/agents@0.1.0 is not on npm (provenance check rejected the upload).
  • after this PR merges, release-please will open a new PR for SDK 0.1.1. merging that runs publish-sdk again with the repository field present, which should pass provenance.

Test plan

  • bun run typecheck clean
  • bun run build clean
  • bun run test 78/78 passing
  • CI green on this PR
  • release-please PR for SDK 0.1.1 publishes @deepgram/agents@0.1.1 to npm

Follow-up

  • the phantom agents-v0.1.0 GitHub release/tag can be left as-is (no consumer ever saw it on npm) or deleted for cosmetic cleanup.
  • widget will get the same repository field in the phase 4 PR.
  • release-as: "0.1.0" for widget stays in config until widget's first tag.
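A preflight check that would have caught this before the publish step, as an added example that is not part of this PR or the repository: it normalises the spellings npm accepts for `repository.url` and compares the result with the repo recorded in the build attestation (taken here from the E422 message above, or from `GITHUB_REPOSITORY` when run inside Actions). The `BEFORE`/`AFTER` manifests are constructed samples.

```javascript
// Added preflight check, not code from the PR. Verifies that package.json
// carries a repository.url that resolves to the GitHub repo the provenance
// attestation names, so the E422 surfaces in CI rather than at `npm publish`.

// Normalise accepted forms (git+https, github:, git@, owner/name shorthand,
// .git suffix) to "https://github.com/owner/name"; null when unusable.
function normalizeRepoUrl(url) {
  if (typeof url !== "string" || url.trim() === "") return null;
  let u = url.trim();
  u = u.replace(/^git\+/, "");                                   // git+https://...
  u = u.replace(/^github:/, "https://github.com/");              // github:owner/name
  u = u.replace(/^git@github\.com:/, "https://github.com/");     // scp-style ssh
  if (/^[\w.-]+\/[\w.-]+$/.test(u)) u = "https://github.com/" + u; // owner/name
  u = u.replace(/^(git|ssh|http):\/\//, "https://").replace(/^https:\/\/git@/, "https://");
  u = u.replace(/\.git$/, "").replace(/\/+$/, "");
  return /^https:\/\/github\.com\/[\w.-]+\/[\w.-]+$/.test(u) ? u : null;
}

// Returns {ok, reason} for a parsed package.json against the attested repo URL.
// Handles both the string and the object form of "repository".
function checkRepositoryMetadata(pkg, expectedRepoUrl) {
  const repo = pkg.repository;
  const raw = typeof repo === "string" ? repo : repo && repo.url;
  const actual = normalizeRepoUrl(raw);
  if (!actual) {
    // Mirrors the npm message: "repository.url" is "", expected to match ...
    return { ok: false, reason: `repository.url is ${JSON.stringify(raw ?? "")}, expected ${expectedRepoUrl}` };
  }
  if (actual !== expectedRepoUrl) {
    return { ok: false, reason: `repository.url resolves to ${actual}, expected ${expectedRepoUrl}` };
  }
  return { ok: true, reason: "repository.url matches provenance source" };
}

// Constructed samples: the SDK manifest as it was (no repository field) and as fixed.
const EXPECTED = "https://github.com/deepgram/agent"; // value quoted in the E422 error above
const BEFORE = { name: "@deepgram/agents", version: "0.1.0" };
const AFTER = {
  name: "@deepgram/agents", version: "0.1.1",
  repository: { type: "git", url: "git+https://github.com/deepgram/agent.git", directory: "packages/sdk" },
};

if (typeof require !== "undefined" && require.main === module) {
  const fromCi = process.env.GITHUB_REPOSITORY; // "owner/name" inside GitHub Actions
  const expected = fromCi ? `https://github.com/${fromCi}` : EXPECTED;
  for (const pkg of [BEFORE, AFTER]) console.log(pkg.version, checkRepositoryMetadata(pkg, expected));
}
```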

@deepgram/agents@0.1.0 publish failed with E422 because npm provenance
requires `repository.url` to match the source repo from the build
attestation. add `repository`, `homepage`, and `bugs` to the SDK
package.json.

also drop `release-as: "0.1.0"` from the SDK config now that 0.1.0
has been tagged. release-please will resume normal pre-major bump rules
from here, so this fix lands as 0.1.1.
lukeocodes merged commit dc836fc into main on Apr 30, 2026
1 check passed
lukeocodes deleted the fix/sdk-repository-metadata branch on April 30, 2026 at 19:43
lukeocodes pushed a commit that referenced this pull request on Apr 30, 2026
🤖 I have created a release *beep* *boop*
---

## [0.1.1](agents-v0.1.0...agents-v0.1.1) (2026-04-30)

### Bug Fixes

* **sdk:** add repository metadata for npm provenance ([#34](#34)) ([dc836fc](dc836fc))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>