Skip to content

Publish TypeScript bindings to npm#429

Merged
jupblb merged 6 commits into
mainfrom
michal/npm-release
Jun 2, 2026
Merged

Publish TypeScript bindings to npm#429
jupblb merged 6 commits into
mainfrom
michal/npm-release

Conversation

@jupblb
Copy link
Copy Markdown
Member

@jupblb jupblb commented Jun 1, 2026
edited
Loading

Wires up TypeScript binding publication to npm via trusted publishing (OIDC). Adds a publish-npm job to release.yaml (alongside the existing Rust/JVM/Go publish jobs) and prepares bindings/typescript for npm with proper entry points, an emitted dist/ build, and automatic provenance attestation.

The workflow uses JS-DevTools/npm-publish@v4: no NPM_TOKEN secret, no bash idempotency wrapper, and --provenance is honored via the action's input. The job is safely re-runnable — the action reads the registry first and is a no-op if @scip-code/scip@<version> is already published.

Post-merge: claim the @scip-code scope on npm

npm versions are immutable — once 0.8.0 is published it can never be re-uploaded. And npm doesn't support "pending" trusted publishers, so the very first publish has to happen with an interactive login before trusted publishing can be configured.

1. Bootstrap publish from a maintainer's machine

cd bindings/typescript

# Materialize LICENSE exactly the way CI does
rm -f LICENSE && cp ../../LICENSE LICENSE

nix develop -c npm ci
nix develop -c npm run build

# Preview — verify dist/scip_pb.{js,d.ts,*.map} + package.json + LICENSE, nothing else (~31 kB packed)
nix develop -c npm publish --dry-run --access public

# Real publish — `npm login` opens a browser to authenticate as an owner of @scip-code
nix develop -c npm login
nix develop -c npm publish --access public

# Restore the symlink so the working tree stays clean
rm LICENSE && ln -s ../../LICENSE LICENSE

This seeds @scip-code/scip@0.8.0 and claims the package name for the scip-code org.

2. Configure the trusted publisher

On https://www.npmjs.com/package/@scip-code/scip/accessTrusted PublisherAdd Trusted Publisher:

Field Value
Publisher GitHub Actions
Organization scip-code
Repository scip
Workflow filename release.yaml
Environment (leave blank)

3. From the next release onwards

Trigger the release workflow from the Actions tab with the new version (e.g. 0.8.1). The publish-npm job authenticates via OIDC against the trusted publisher you just configured, publishes the package, and attaches a provenance statement — no long-lived secret involved.

@jupblb jupblb force-pushed the michal/npm-release branch from a60f6b3 to e68f3f5 Compare June 1, 2026 13:26
@jupblb jupblb requested a review from trly June 1, 2026 14:17
@jupblb jupblb force-pushed the michal/npm-release branch from 0d7d0eb to 692c9ee Compare June 2, 2026 09:10
@jupblb
Copy link
Copy Markdown
Member Author

jupblb commented Jun 2, 2026

Published manually the first release: https://www.npmjs.com/package/@scip-code/scip

@jupblb jupblb requested review from emidoots and eseliger June 2, 2026 09:23
@jupblb jupblb force-pushed the michal/npm-release branch from 0973c0f to 2c131c6 Compare June 2, 2026 09:26
@jupblb jupblb enabled auto-merge (squash) June 2, 2026 09:27
@jupblb jupblb merged commit 427f4c0 into main Jun 2, 2026
13 checks passed
@jupblb jupblb deleted the michal/npm-release branch June 2, 2026 09:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@eseliger eseliger eseliger approved these changes

@trly trly Awaiting requested review from trly

@emidoots emidoots Awaiting requested review from emidoots

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jupblb @eseliger