Skip to content

maint(resources): move npm package publishing to GitHub Actions#15029

Merged
mcdurdin merged 1 commit intomasterfrom
maint/resources/14963-npm-publish-on-gha
Oct 28, 2025
Merged

maint(resources): move npm package publishing to GitHub Actions#15029
mcdurdin merged 1 commit intomasterfrom
maint/resources/14963-npm-publish-on-gha

Conversation

@mcdurdin
Copy link
Copy Markdown
Member

@mcdurdin mcdurdin commented Oct 27, 2025
edited
Loading

Due to recent changes in npm package publishing security requirements, we have to move from TeamCity build to a GitHub Action to publish our npm packages, so we can take advantage of trusted publishing. This change also consolidates and centralizes the npm publishing into resources/build/ci/npm-publish.sh, which removes a lot of boilerplate from each of the build.sh scripts, and ensures consistency.

Packages will be npm packed on PR and test builds, and published in release builds.

Ref: https://docs.npmjs.com/trusted-publishers
Ref: https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/
Fixes: #14963
Test-bot: skip
Build-bot: release:developer

@github-project-automation github-project-automation bot moved this to Todo in Keyman Oct 27, 2025
@github-actions github-actions bot added windows/ developer/ common/ developer/compilers/ core/ Keyman Core common/web/ windows/config/ resources/ maint Maintenance work -- continuous integration, build scripts, infrastructure labels Oct 27, 2025
@keymanapp-test-bot
Copy link
Copy Markdown

keymanapp-test-bot bot commented Oct 27, 2025
edited
Loading

User Test Results

Test specification and instructions

User tests are not required

Test Artifacts

  • Android
    • Keyman for Android apk - build : all tests passed (no artifacts on BuildLevel "build")
    • FirstVoices Keyboards for Android apk - build : all tests passed (no artifacts on BuildLevel "build")
    • FirstVoices Keyboards for Android apk (old PRs) - build : all tests passed (no artifacts on BuildLevel "build")
    • KeyboardHarness apk - build : all tests passed (no artifacts on BuildLevel "build")
    • Keyman for Android apk (old PRs) - build : all tests passed (no artifacts on BuildLevel "build")
    • KMSample1 apk - build : all tests passed (no artifacts on BuildLevel "build")
    • KMSample2 apk - build : all tests passed (no artifacts on BuildLevel "build")
  • Developer
  • iOS
    • Keyman for iOS (simulator image) - build : all tests passed (no artifacts on BuildLevel "build")
    • FirstVoices Keyboards for iOS (simulator image) - build : all tests passed (no artifacts on BuildLevel "build")
    • FirstVoices Keyboards for iOS (simulator image) (old PRs) - build : all tests passed (no artifacts on BuildLevel "build")
    • Keyman for iOS (simulator image) (old PRs) - build : all tests passed (no artifacts on BuildLevel "build")
  • Keyboards
  • macOS
    • Keyman for macOS - build : all tests passed (no artifacts on BuildLevel "build")
    • Keyman for macOS (old PRs) - build : all tests passed (no artifacts on BuildLevel "build")
  • Web
    • KeymanWeb Test Home - build : all tests passed (no artifacts on BuildLevel "build")
  • Windows
    • Keyman for Windows - build : all tests passed (no artifacts on BuildLevel "build")
    • FirstVoices Keyboards for Windows - build : all tests passed (no artifacts on BuildLevel "build")
    • FirstVoices Keyboards for Windows (old PRs) - build : all tests passed (no artifacts on BuildLevel "build")
    • Keyman for Windows (old PRs) - build : all tests passed (no artifacts on BuildLevel "build")
    • Text Editor (32 bit) - build : all tests passed (no artifacts on BuildLevel "build")
    • Text Editor (64 bit) - build : all tests passed (no artifacts on BuildLevel "build")

@keymanapp-test-bot keymanapp-test-bot bot added this to the A19S15 milestone Oct 27, 2025
@mcdurdin mcdurdin force-pushed the maint/resources/14963-npm-publish-on-gha branch from bc2477c to bbc5ffe Compare October 27, 2025 12:03
@github-actions github-actions bot added the docs label Oct 27, 2025
@mcdurdin mcdurdin force-pushed the maint/resources/14963-npm-publish-on-gha branch from bbc5ffe to 069ec31 Compare October 27, 2025 12:47
@mcdurdin mcdurdin marked this pull request as ready for review October 27, 2025 12:50
@mcdurdin mcdurdin force-pushed the maint/resources/14963-npm-publish-on-gha branch from 069ec31 to def72a9 Compare October 27, 2025 12:52
@mcdurdin
Copy link
Copy Markdown
Member Author

mcdurdin commented Oct 27, 2025

Once this is merged, I can test the action (the .yml needs to be on master).

I can see the build trigger ran:

13:04:39   [resources/teamcity/triggers] Triggering GitHub action build npm-publish/15029, level = release
13:04:40   GitHub Action Data: {
13:04:40       "event_type": "npm-publish: PR #15029",     "client_payload": {       "buildSha": "bbc5ffe46cb7aa48a55135c49a546db84b6db814",       "branch": "PR-15029",       "baseBranch": "master",       "baseRef": "a5b55715d6d50a3a14e6b2a44a7881137f6b7376",       "user": "mcdurdin",       "isTestBuild": "true",       "buildLevel": "release",       "skipApiCheck": "false"     }}
13:04:40 

But of course nothing happened because the .yml is not yet on master.

@mcdurdin mcdurdin changed the title maint(resources): move NPM package publishing to GitHub Actions maint(resources): move npm package publishing to GitHub Actions Oct 27, 2025
@mcdurdin mcdurdin force-pushed the maint/resources/14963-npm-publish-on-gha branch from def72a9 to bc1dea7 Compare October 27, 2025 14:54
@mcdurdin
maint(resources): move NPM package publishing to GitHub Actions
ba41177 
Due to recent changes in NPM package publishing security requirements,
we have to move from TeamCity build to a GitHub Action to publish our
NPM packages, so we can take advantage of trusted publishing. This
change also consolidates and centralizes the npm publishing into
resources/build/ci/npm-publish.sh, which removes a lot of boilerplate
from each of the build.sh scripts, and ensures consistency.

Packages will be `npm pack`ed on PR and test builds, and published in
release builds.

Ref: https://docs.npmjs.com/trusted-publishers
Ref: https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/
Fixes: #14963
Test-bot: skip
Build-bot: release:developer
@mcdurdin mcdurdin force-pushed the maint/resources/14963-npm-publish-on-gha branch from bc1dea7 to ba41177 Compare October 27, 2025 15:32
darcywong00
darcywong00 approved these changes Oct 28, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@darcywong00 darcywong00 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some minor questions

resources/build/ci/npm-packages.inc.sh
# Keyman is copyright (C) SIL Global. MIT License.
#
# List of all NPM packages that need to be published
#
Copy link
Copy Markdown
Contributor

@darcywong00 darcywong00 Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we we list packages that are no longer maintained? (from previous refactoring?)
These 3 haven't been updated for 9+ months:

Copy link
Copy Markdown
Member Author

@mcdurdin mcdurdin Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No, I don't think they are important to list here

resources/build/ci/npm-publish.sh
# Publish all the @keymanapp packages listed in npm-packages.inc.sh
#
# If the `--dry-run` option is available and specified as a command-line
# parameter, will do a dry run
Copy link
Copy Markdown
Contributor

@darcywong00 darcywong00 Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we mention

publish must use --dry-run flag for local or test builds

Copy link
Copy Markdown
Member Author

@mcdurdin mcdurdin Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could do, but the script will tell you anyway :D

docs/npm-packages.md
```
Once the build succeeds and the tests pass, you can publish! Add the package to
`resources/build/ci/npm-packages.inc.sh` and it will be published in the next
alpha release build.
Copy link
Copy Markdown
Contributor

@darcywong00 darcywong00 Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do the npm packages follow $KEYMAN_TIER?

Copy link
Copy Markdown
Member Author

@mcdurdin mcdurdin Oct 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes

@mcdurdin mcdurdin merged commit fe6e8e7 into master Oct 28, 2025
29 checks passed
@mcdurdin mcdurdin deleted the maint/resources/14963-npm-publish-on-gha branch October 28, 2025 06:57
@github-project-automation github-project-automation bot moved this from Todo to Done in Keyman Oct 28, 2025
@keyman-server
Copy link
Copy Markdown
Collaborator

keyman-server commented Oct 28, 2025

Changes in this pull request will be available for download in Keyman version 19.0.147-alpha

This was referenced Oct 30, 2025
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
Merged
mcdurdin added a commit that referenced this pull request Oct 30, 2025
@mcdurdin
maint(resources): move NPM package publishing to GitHub Actions
bb32cec 
Due to recent changes in NPM package publishing security requirements,
we have to move from TeamCity build to a GitHub Action to publish our
NPM packages, so we can take advantage of trusted publishing. This
change also consolidates and centralizes the npm publishing into
resources/build/ci/npm-publish.sh, which removes a lot of boilerplate
from each of the build.sh scripts, and ensures consistency.

Packages will be `npm pack`ed on PR and test builds, and published in
release builds.

Ref: https://docs.npmjs.com/trusted-publishers
Ref: https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/
Fixes: #14963
Test-bot: skip
Build-bot: release:developer
Cherry-pick-of: #15029
mcdurdin added a commit that referenced this pull request Oct 30, 2025
@mcdurdin
maint(resources): cherry-pick changes to npm-publish scripts
57a50ba 
This commit collects all changes to npm-publish.yml and npm-publish.sh,
from the series of PRs associated with PR #15029.
@mcdurdin mcdurdin mentioned this pull request Oct 30, 2025
Merged
ermshiperete
ermshiperete reviewed Nov 6, 2025
View reviewed changes
resources/build/ci/npm-packages.inc.sh
# TODO: this should really be somewhere else, but right now Developer CI is
# responsible for pulling the publish lever

readonly PACKAGES=(
Copy link
Copy Markdown
Contributor

@ermshiperete ermshiperete Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be good to rename to NPM_PACKAGES at some point.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ermshiperete ermshiperete ermshiperete left review comments

@darcywong00 darcywong00 darcywong00 approved these changes

@jahorton jahorton Awaiting requested review from jahorton

Assignees

No one assigned

Labels

common/web/ common/ core/ Keyman Core developer/compilers/ developer/ docs maint Maintenance work -- continuous integration, build scripts, infrastructure resources/ windows/config/ windows/

Projects

Keyman
Archived in project

Milestone

A19S15

Development

Successfully merging this pull request may close these issues.

maint(resources): move npm publishing to GHA for release builds

4 participants

@mcdurdin @keyman-server @ermshiperete @darcywong00