Skip to content

Phase 6h: add publish-wasm to release.yml (npm @joaoh82/sqlrite-wasm via OIDC)#36

Merged
joaoh82 merged 1 commit intomainfrom
feat/publish-wasm
Apr 25, 2026
Merged

Phase 6h: add publish-wasm to release.yml (npm @joaoh82/sqlrite-wasm via OIDC)#36
joaoh82 merged 1 commit intomainfrom
feat/publish-wasm

Conversation

@joaoh82
Copy link
Copy Markdown
Owner

@joaoh82 joaoh82 commented Apr 25, 2026

Summary

Adds a single publish-wasm job to release.yml that builds the WASM package via wasm-pack and publishes to npm as @joaoh82/sqlrite-wasm using OIDC trusted publishing.

Job Cells Role
publish-wasm 1 (single ubuntu-latest) Build WASM + publish to npm + cut sqlrite-wasm-v GitHub Release

No matrix — WebAssembly is one universal artifact that runs on any wasm32-capable host. One build, one upload.

Design choices

Scoped name preemptively (@joaoh82/sqlrite-wasm)

The unscoped sqlrite-wasm is currently free on npm but the same similarity check that rejected sqlrite (vs sqlite, distance 1) might also reject sqlrite-wasm (vs sqlite-wasm, distance 1). Going scoped from day one matches the Node SDK's @joaoh82/sqlrite decision (PR #30) and avoids a possible rename dance. Free to revisit if the ecosystem demands unscoped.

Build target = bundler

Webpack/vite/rollup/parcel users get JS modules + .wasm directly. web / nodejs / deno targets can be added as siblings later if there's demand; one target per package is the simpler MVP.

Inherits all the OIDC lessons from publish-nodejs

The job uses the exact same npm publish recipe we landed on after the v0.1.5–v0.1.7 debugging cycle:

  • No registry-url on setup-node (would force token-auth, bypassing OIDC)
  • npm install -g npm@latest (need 11.5+ for trusted publishing)
  • npm publish --access public --provenance --loglevel verbose (--provenance triggers OIDC code path, --access public for scoped packages, verbose for diagnosable errors)
  • OIDC env diagnostics step (catches "is the OIDC token even being injected" issues)

Wiring

  • sqlrite-wasm-v<V> added to tag-all
  • publish-wasm added to finalize.needs
  • Umbrella release body gets a 🌐 WASM entry → npm + GitHub Release

Docs updated

  • docs/release-secrets.md §3 — rewritten end-to-end to reflect what we actually learned in v0.1.5–v0.1.7 (npm DOES require placeholder publish before trusted publisher config; form fields must exactly match OIDC subject claim with the right exact format). Now covers both scoped npm packages.
  • docs/roadmap.md — Phase 6h marked done with design rationale.
  • sdk/wasm/README.md — install via @joaoh82/sqlrite-wasm, callout explaining the scoped-name choice.
  • All other refs to sqlrite-wasm updated across examples/README.md, docs/embedding.md, docs/release-plan.md, sdk/wasm/src/lib.rs, root README.md.

Test plan

  • python3 -c "import yaml; yaml.safe_load(open('.github/workflows/release.yml'))" — YAML parses
  • cargo check in sdk/wasm/ — clean (existing unused-mut warnings unrelated)
  • npm name availability verified: @joaoh82/sqlrite-wasm returns 404 on registry.npmjs.org
  • CI on this PR
  • ONE-TIME npm SETUP REQUIRED before v0.1.8 canary:
    • Publish @joaoh82/sqlrite-wasm@0.0.0 placeholder (same flow as @joaoh82/sqlrite per docs/release-secrets.md §3a — npm login + npm publish --access public from a temp dir with a 4-line package.json)
    • Add trusted publisher on the new package's settings page (per docs/release-secrets.md §3b — Repository: rust_sqlite (basename only), Workflow: release.yml (basename only), Environment: release)
  • After that: dispatch v0.1.8, verify @joaoh82/sqlrite-wasm@0.1.8 lands on npm + sigstore provenance via npm audit signatures

🤖 Generated with Claude Code

@joaoh82 @claude
Phase 6h: add publish-wasm to release.yml (npm via OIDC)
0675846 
Adds a single publish-wasm job alongside the existing
publish-* chain. Unlike the Python / Node SDKs, WASM doesn't
need a per-platform binary matrix — WebAssembly is one
universal artifact that runs on any wasm32-capable host
(browsers, Deno, modern bundlers). One build, one upload.

**Scoped name preemptively (`@joaoh82/sqlrite-wasm`):** the
unscoped `sqlrite-wasm` is currently free on npm but the
similarity check that rejected `sqlrite` (vs `sqlite`) might
also reject `sqlrite-wasm` (vs `sqlite-wasm`, distance 1).
Going scoped from day one matches the Node SDK's
`@joaoh82/sqlrite` decision and avoids the rename dance we
did in PR #30. Free to revisit if the ecosystem demands
unscoped.

**Build target = `bundler`:** webpack/vite/rollup/parcel users
get JS modules + .wasm without extra config. `web` / `nodejs`
/ `deno` targets can be added as siblings later if there's
demand; one target per package is the simpler MVP shape.

**Job structure** (single cell, no matrix):

  - install Rust + wasm32-unknown-unknown target
  - cargo install wasm-pack via the curl|sh installer (binstall
    isn't preinstalled on ubuntu-latest; the official installer
    is one less moving piece)
  - actions/setup-node WITHOUT registry-url (same lesson learned
    in publish-nodejs across v0.1.5–v0.1.7 — registry-url
    forces token-auth and bypasses OIDC)
  - npm install -g npm@latest (need 11.5+ for trusted
    publishing)
  - wasm-pack build --release --target bundler --scope joaoh82
    → produces sdk/wasm/pkg/ with auto-generated package.json
    naming the package @joaoh82/sqlrite-wasm
  - OIDC env diagnostics step (proven valuable on v0.1.7)
  - npm publish --access public --provenance --loglevel verbose
    from sdk/wasm/pkg
  - upload .wasm to sqlrite-wasm-vX.Y.Z GitHub Release

**Wiring:**

  - tag-all → pushes sqlrite-wasm-v<V>
  - finalize.needs → extended with publish-wasm
  - umbrella release body → 🌐 WASM entry pointing at
    npm + GitHub Release

**Docs:**

  - sdk/wasm/README.md — install via @joaoh82/sqlrite-wasm,
    callout explaining the scoped name choice, source-build
    docs unchanged for `web` / `nodejs` / `deno` targets
  - docs/roadmap.md — Phase 6h marked done with the design
    rationale captured
  - docs/release-secrets.md §3 — rewritten to reflect what we
    actually learned in v0.1.5–v0.1.7: npm DOES require
    placeholder publish before trusted publisher can be
    configured (no PyPI-style pending publisher on npm), and
    the form fields must exactly match the OIDC subject claim
    (typoed repo name burned us once on v0.1.7)
  - sdk/wasm/src/lib.rs, docs/embedding.md, docs/release-plan.md,
    examples/README.md, root README.md — install command +
    package name updated everywhere

After this merges, user does the one-time npm placeholder
publish + trusted-publisher registration for
@joaoh82/sqlrite-wasm (per docs/release-secrets.md §3a + 3b),
then v0.1.8 canary validates publish-wasm end-to-end.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@joaoh82 joaoh82 merged commit 0d4f715 into main Apr 25, 2026
15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@joaoh82