maint(resources): move NPM package publishing to GitHub Actions 🍒 🏠 #15054
Merged
mcdurdin merged 9 commits into stable-18.0, Oct 30, 2025
Due to recent changes in NPM package publishing security requirements, we have to move from TeamCity build to a GitHub Action to publish our NPM packages, so we can take advantage of trusted publishing. This change also consolidates and centralizes the npm publishing into resources/build/ci/npm-publish.sh, which removes a lot of boilerplate from each of the build.sh scripts, and ensures consistency.
Packages will be `npm pack`ed on PR and test builds, and published in release builds.
Ref: https://docs.npmjs.com/trusted-publishers
Ref: https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/
Fixes: #14963
Test-bot: skip
Build-bot: release:developer
Cherry-pick-of: #15029
Cherry-pick-of: #15041
If the repository is a shallow checkout, then the only commit will be the most recent one, and the test will fail. We could look up the date of the most recent test, but it's a pretty meaningless test, so instead we will skip the test in this scenario. For example, this happens on GitHub Actions when we do a shallow checkout. The only risk we have is if we move all builds to shallow checkouts and end up always skipping this test, but (a) the code is unlikely to change, and (b) issues would be picked up on local builds in that situation pretty quickly.
Cherry-pick-of: #15042
I am not entirely clear why the coverage dropped, but I suspect it's due to code paths that are not activated in node 24. For now, just dropping coverage threshold to 40%.
Cherry-pick-of: #15042
While not documented as such, it appears that the repository record is required with trusted publishing of npm packages.
Cherry-pick-of: #15049
Build-bot: skip release:developer
This commit collects all changes to npm-publish.yml and npm-publish.sh, from the series of PRs associated with PR #15029.
User Test Results
Test specification and instructions: User tests are not required
darcywong00 (Contributor) approved these changes, Oct 30, 2025
lgtm
lots of cherries
Changes in this pull request will be available for download in Keyman version 18.0.244
mcdurdin added a commit that referenced this pull request, Oct 31, 2025
Follows: #15054
Build-bot: skip
Test-bot: skip
Cherry-picks a range of PRs, all relating to #15029. Skips pr-build-bot which is not in 18.0. All of the cherry-picked PRs are listed below. Note, manually added final version of npm-publish.yml and npm-publish.sh rather than cherry-picking each iteration, so not every alpha commit will be represented.
Due to recent changes in NPM package publishing security requirements, we have to move from TeamCity build to a GitHub Action to publish our NPM packages, so we can take advantage of trusted publishing. This change also consolidates and centralizes the npm publishing into resources/build/ci/npm-publish.sh, which removes a lot of boilerplate from each of the build.sh scripts, and ensures consistency.
Packages will be `npm pack`ed on PR and test builds, and published in release builds.
Ref: https://docs.npmjs.com/trusted-publishers
Ref: https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/
Fixes: #14963
Test-bot: skip
Build-bot: release:developer
Cherry-pick-of: #15029
Cherry-pick-of: #15035
Cherry-pick-of: #15036
Cherry-pick-of: #15037
Cherry-pick-of: #15038
Cherry-pick-of: #15039
Cherry-pick-of: #15041
Cherry-pick-of: #15042
Cherry-pick-of: #15045
Cherry-pick-of: #15047
Cherry-pick-of: #15049
Cherry-pick-of: #15051
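A preflight check that combines two points from this PR: the repository record that one of the commits found to be required for trusted publishing, and the pack-on-PR/test versus publish-on-release split. This is an added example, not Keyman's npm-publish.sh or npm-publish.yml; the build-type names, package names and the `example-org/example-repo` slug are constructed, and checking that the record points at the expected repository is an assumption added here.

```javascript
// Added example, not Keyman's npm-publish.sh. The repository slug, package
// names and build-type names ('pr', 'test', 'release') are constructed.

// Reduce the forms npm accepts for "repository" to "host/owner/repo".
function repoSlug(repository) {
  if (!repository) return null;
  const raw = typeof repository === 'string' ? repository : repository.url;
  if (typeof raw !== 'string') return null;
  const url = raw.trim();
  // Shorthand: "owner/repo" or "github:owner/repo"
  const short = /^(?:github:)?([\w.-]+)\/([\w.-]+)$/.exec(url);
  if (short) return `github.com/${short[1]}/${short[2]}`.toLowerCase();
  // URL and scp-style forms, with optional "git+" prefix and ".git" suffix
  const full = /^(?:git\+)?(?:(?:https?|ssh|git):\/\/)?(?:[^@\/]+@)?([^\/:]+)[\/:](.+?)(?:\.git)?\/?$/.exec(url);
  return full ? `${full[1]}/${full[2]}`.toLowerCase() : null;
}

// Decide what the CI job may do with one package manifest.
// The manifest check runs on every build type, so a missing repository
// record fails a PR build instead of surfacing first at release time.
function preflight(manifest, expectedSlug, buildType) {
  const problems = [];
  const slug = repoSlug(manifest.repository);
  if (slug === null) {
    problems.push('repository record is missing or unparseable');
  } else if (slug !== expectedSlug.toLowerCase()) {
    problems.push(`repository points at ${slug}, expected ${expectedSlug}`);
  }
  const action = problems.length > 0 ? 'fail'
    : buildType === 'release' ? 'publish' : 'pack';
  return { action, problems };
}

// Constructed sample manifests (package.json contents).
const EXPECTED = 'github.com/example-org/example-repo';
const samples = [
  { name: '@example/a', version: '1.0.0',
    repository: { type: 'git', directory: 'pkg/a',
                  url: 'git+https://github.com/example-org/example-repo.git' } },
  { name: '@example/b', version: '1.0.0' },
  { name: '@example/c', version: '1.0.0', repository: 'github:someone-else/fork' },
];

for (const m of samples) {
  for (const buildType of ['pr', 'release']) {
    console.log(m.name, buildType, JSON.stringify(preflight(m, EXPECTED, buildType)));
  }
}
```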