feat: npm publishing pipeline with OIDC provenance #8
Conversation
- Add PREP analysis documents (hypothesis, evidence, constants, stress-test)
- Update release.yml: disable Windows (POSIX API issues), add fail-fast: false
- Fix optionalDependencies in meta package (remove file: reference)
- Update assembly script to support both local and CI builds
- Document 8/10 platforms ready (Windows and i386 deferred)

- Darwin packages use 'arm64' (ansilust-darwin-arm64)
- Linux packages use 'aarch64' (ansilust-linux-aarch64-gnu)
- Update .gitignore to allow tracking launcher.js

- Add id-token: write permission for OIDC provenance
- Remove NPM_TOKEN secret dependency (more secure)
- Add npm upgrade step for OIDC support
- Add OIDC preflight to scrub existing auth tokens
- Publish with --provenance --access public flags
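The OIDC publishing setup the commit above describes, as an added example workflow that is not the project's own release.yml; the tag trigger, action versions and Node version are assumptions, and the superseded NPM_TOKEN step is shown in comments for contrast:

```yaml
# Added example, not the project's release.yml. The pattern this PR removes looked like:
#   - run: npm publish --access public
#     env:
#       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived secret; anyone who reads it can publish
# Replacement: the job requests a short-lived OIDC token from GitHub, npm accepts it
# in place of a registry token, and --provenance attaches a signed attestation that
# ties the published tarball to this repository, workflow file and commit.
name: release
on:
  push:
    tags: ['v*']            # assumption: releases are cut from version tags

permissions:
  contents: read            # top-level default; no job gets more than this implicitly

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # the single extra grant OIDC trusted publishing needs
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22   # assumption
      - name: Upgrade npm (OIDC trusted publishing needs a recent CLI)
        run: npm install -g npm@latest
      - name: OIDC preflight - scrub any registry token so the publish cannot fall back to it
        run: |
          npm config delete //registry.npmjs.org/:_authToken
          if [ "$(npm config get //registry.npmjs.org/:_authToken)" != "undefined" ]; then
            echo "a registry auth token is still configured; aborting before publish" >&2
            exit 1
          fi
      - run: npm ci
      - name: Publish with provenance
        run: npm publish --provenance --access public
```

The preflight fails closed: if a token survives (for example from a committed .npmrc), the job stops rather than publishing with a credential that bypasses the OIDC trust relationship.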
💡 Codex Review
Here are some automated review suggestions for this pull request.
Pull request overview
This PR introduces npm publishing infrastructure using OIDC authentication for the v1.0.0 release of ansilust, eliminating the need for long-lived NPM_TOKEN secrets. The changes include fixing ARM64 architecture detection across platforms, updating CI/CD workflows to support 8 platforms (excluding Windows and i386 for now), and adding comprehensive documentation for the release process.
Key changes:
- Implement OIDC-based npm publishing with provenance signing for enhanced security
- Fix ARM64 architecture naming (Darwin uses 'arm64', Linux uses 'aarch64' in package names)
- Update CI workflow to build and publish 8 platform-specific packages (Linux x64/arm64/arm with gnu/musl, macOS x64/arm64)
Reviewed changes
Copilot reviewed 11 out of 13 changed files in this pull request and generated 13 comments.
| File | Description |
|---|---|
| .github/workflows/release.yml | Adds OIDC permissions and provenance publishing, disables Windows/i386 builds, improves artifact organization with platform-specific directories |
| packages/ansilust/bin/launcher.js | Fixes ARM64 platform detection to use 'arm64' for Darwin and 'aarch64' for Linux package names |
| scripts/assemble-npm-packages.js | Adds dual-mode support for local builds (zig-out/bin) and CI builds (platform-binaries), includes platform-to-directory mapping |
| packages/ansilust/package.json | Fixes file: reference to use semantic version for linux-x64-gnu dependency |
| .gitignore | Updates exclusion patterns to track launcher.js while ignoring generated platform packages |
| .specs/publish/first/SPEC/README.md | Adds release analysis documentation with platform matrix, critical path, and next steps |
| .specs/publish/first/SPEC/MANUAL-STEPS.md | Provides manual configuration steps for secrets and release verification |
| .specs/publish/first/PREP/*.md | Adds PREP methodology documentation covering hypothesis, evidence, constants, stress testing, theoretical framework, and impact assessment |
.specs/publish/first/SPEC/README.md
Outdated
|
|
||
| ### What's Broken/Missing | ||
| 1. **Windows build fails** - POSIX API usage in code (deferred to v1.1.0) | ||
| 2. **NPM_TOKEN secret not configured** - see MANUAL-STEPS.md |
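Review bot: item 2 ("NPM_TOKEN secret not configured") contradicts the workflow this PR ships, which grants id-token: write and publishes with --provenance instead of reading an NPM_TOKEN secret; replace it with the npm trusted publisher setup that MANUAL-STEPS.md is meant to document, and since the workflow now scrubs stale auth tokens before publishing, also note that any leftover NPM_TOKEN repository secret should be deleted so no long-lived publish credential remains.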
Copilot (AI), Nov 29, 2025
Documentation inconsistency: This PR implements OIDC authentication (as stated in the PR title and description), which does not require an NPM_TOKEN secret. The workflow in release.yml has been updated to use --provenance flag with id-token: write permission instead of NPM_TOKEN. This documentation should be updated to reflect that npm OIDC configuration is needed instead of NPM_TOKEN.
- Remove matrix strategy - Zig cross-compiles for any platform from any
- Build all 8 targets sequentially on one ubuntu runner
- Simplify artifact handling (single binaries-all artifact)
- Update assembly script to use artifacts/ directory
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Address PR review comments:
- Replace NPM_TOKEN references with npm OIDC setup instructions
- Fix platform names (linux-arm-gnu not linux-armv7-gnu)
- Add OIDC-specific failure scenarios in stress test
- Update manual steps with trusted publisher setup
Summary
Changes
CI/CD (release.yml)
Launcher Fix
arm64, Linux uses aarch64 - fixed mapping in launcher.js
Assembly Script
zig-out/bin/) and CI artifacts (artifacts/)
Documentation
Testing
Next Steps After Merge
effect-native org, v0.0.2-test.1 tag