fix(repo): publish releases to npm via OIDC

[charliecreates]

Component / Package Name:

repo (release workflow)

This PR contains:

• bugfix
• feature
• refactor
• documentation
• other

Are tests included?

• yes (bugfixes and features will not be merged without tests)
• no

Breaking Changes?

• yes (breaking changes will not be merged unless absolutely necessary)
• no

If yes, please include "BREAKING CHANGES:" in the first commit message body, followed by a description of what is breaking.

List any relevant issue numbers:

resolves #395

Description

Adjusts the release workflow to support npm publish with GitHub Actions OIDC by requesting id-token: write at the job level (while still allowing versioner to push tags/commits), and keeps the Moon release task on versioner (no custom wrapper scripts).

• Updates .github/workflows/release.yml permissions so the release job can mint an OIDC token for npm.
• Keeps .moon/tasks.yml release as versioner --target $projectRoot.

Verification

$ pnpm install --frozen-lockfile
$ pnpm moon run jsx-email:build
$ pnpm moon run plugin-inline:build plugin-minify:build plugin-pretty:build
$ pnpm moon run repo:lint
$ pnpm moon run jsx-email:test.ci
$ pnpm moon run jsx-email:tsc

[charliecreates]

The overall OIDC switch is solid, but the change increases reliance on Bash script execution in Moon and introduces some brittleness in tarball selection logic. Workflow permissions could be tightened further (remove unused pages: write) to reduce blast radius. The local publish guard can be hardened to ensure OIDC availability rather than trusting GITHUB_ACTIONS alone.

Additional notes (2)

• Maintainability | .github/workflows/release.yml:22-22
  The workflow job requests id-token: write, but it doesn't explicitly configure npm to use OIDC in the job. Depending on npm/GitHub integration details, OIDC publish may require setting npm_config_provenance=true or ensuring npm sees the right environment for OIDC, and/or using actions/setup-node with the npm registry configuration.

Because the token env vars were removed, a failed OIDC negotiation will hard-fail publishing with a less obvious error. It would be safer to add an explicit validation step right before the release publish that asserts OIDC is available (e.g., check ACTIONS_ID_TOKEN_REQUEST_URL/...TOKEN).

• Compatibility | .moon/tasks.yml:45-51
  Switching the Moon release task to a bash script is OK, but you’re now relying on the executable bit being preserved in the repo/checkout. Git checkouts usually preserve it, but it’s a common source of CI failures when a file mode change gets lost or on Windows environments.

Given Moon executes command: directly, calling bash explicitly avoids reliance on file permissions and shebang behavior.

Summary of changes

What changed

• Release workflow permissions

  • Moved OIDC permissioning to the job level by adding permissions: id-token: write under jobs.release in .github/workflows/release.yml.
  • Removed the use of NPM_TOKEN/NODE_AUTH_TOKEN environment variables during the release step.

• Moon release task now uses a Bash wrapper

  • Updated .moon/tasks.yml release task from versioner --target $projectRoot to ../../scripts/release.sh "$projectRoot".

• Removed project-level npm auth token configuration

  • Deleted token-related settings from .npmrc and added guidance that CI uses OIDC and developers should rely on ~/.npmrc.

• New release scripts

  • Added scripts/release.sh: runs versioner --publish=false and then delegates to publish script.
  • Added scripts/release-publish.sh: packs via pnpm pack and publishes the produced tarball using a pinned npm@11.5.1 via pnpm dlx with npm publish --provenance, with a guard to prevent accidental local publishing.

[charliecreates]

The release Moon task now shells out to a bash script via a relative path (../../scripts/release.sh). This is fragile if Moon’s working directory assumptions change or if this task is inherited/overridden from a different directory depth.

It’s safer to anchor to the workspace root when possible, or to document/guarantee the working directory in Moon’s task execution context. As written, a future restructure of .moon/tasks.yml inheritance or task execution directory can break releases.

Suggestion

If Moon provides a workspace/root variable (or you can rely on moon executing from repo root), prefer a root-anchored invocation, e.g.:

command: bash scripts/release.sh "$projectRoot"

If that’s not valid for Moon in this repo, add a short comment explaining why ../../ is correct and stable (what the current working directory is during task execution).

Reply with "@CharlieHelps yes please" if you'd like me to add a commit with this suggestion.

[shellscape]

@CharlieHelps what the literal fuck is this? versioner works just fine. remove release-publish.sh and release.sh and revert this change.

[charliecreates]

Investigating this review on PR #396 and I’m likely to revisit the Moon release task changes and the new release scripts in light of the request to revert them.

Updated: Jan 11, 00:25 UTC
I’m working and can’t be interrupted or see replies—feel free to start another task with me while I finish.

[charliecreates]

Expand this to see my work.

• Confirmed pnpm moon run jsx-email:build and pnpm moon run plugin-inline:build plugin-minify:build plugin-pretty:build all complete successfully at current HEAD on ai-395-charlie-update-npm-publishing-strategy, with Moon reporting cached/clean builds and no errors despite .npmrc warnings about ${NPM_TOKEN}.
• Re-checked .moon/tasks.yml to ensure the release task is still wired to versioner --target $projectRoot with deps: [~:build] and that release-publish.sh and release.sh remain fully removed, matching the review direction on #396.
• Validated that the only behavior change in the release flow is now in the GitHub Actions workflow (npm OIDC via id-token: write) and not in the Moon task graph, so versioner continues to be the single source of truth for publishing.
• Confirmed via git status that no new files were introduced by the additional build runs and that the diff still only reflects the intended OIDC-related workflow updates and the prior revert to the custom release scripts.
• Identified that git status --porcelain showed unintended modifications to packages/plugin-inline/package.json and packages/plugin-minify/package.json produced by the build tooling.
• Reverted those incidental package.json changes with git checkout -- packages/plugin-inline/package.json packages/plugin-minify/package.json and verified that git status is now clean on ai-395-charlie-update-npm-publishing-strategy.
• Captured the exact SHAs for the key commits reverting the custom scripts and wiring OIDC in the workflow (78ceadbac5a1dd5dfc6e58bc289057be4382cf3c and ad20990a18d050d33df90eefee6a05c7b1549edb) to reference explicitly in the PR review reply to this comment.

[charliecreates]

#396 (comment)

Removed the release wrapper and put the Moon release task back to versioner --target $projectRoot in 78ceadba. scripts/release.sh + scripts/release-publish.sh are deleted, and the workflow no longer references them.

Changes

• Reverted .moon/tasks.yml release to versioner --target $projectRoot.
• Removed scripts/release.sh and scripts/release-publish.sh.
• Removed the stale reference to those scripts in .github/workflows/release.yml.

Verification

$ pnpm install --frozen-lockfile

$ PATH="$HOME/.local/share/mise/installs/node/20.19.6/bin:$PATH" pnpm moon run jsx-email:build
$ PATH="$HOME/.local/share/mise/installs/node/20.19.6/bin:$PATH" pnpm moon run plugin-inline:build plugin-minify:build plugin-pretty:build

$ PATH="$HOME/.local/share/mise/installs/node/20.19.6/bin:$PATH" pnpm moon run repo:lint
# ESLint: 0 errors (7 warnings)

$ PATH="$HOME/.local/share/mise/installs/node/20.19.6/bin:$PATH" pnpm moon run jsx-email:test.ci
# Vitest: 187 passed (44 files)

$ PATH="$HOME/.local/share/mise/installs/node/20.19.6/bin:$PATH" pnpm moon run jsx-email:tsc
# TypeScript: no errors

• pnpm warns locally while reading .npmrc because ${NPM_TOKEN} isn’t set; CI has it.
• reviewChanges skipped: suggestion to revert .npmrc — superseded by commit ad20990a on this PR branch.

[charliecreates]

The publish guard checks GITHUB_ACTIONS and ALLOW_LOCAL_PUBLISH. That prevents accidental local publishes, but it doesn’t prevent publishes from other CI systems (or a locally-set GITHUB_ACTIONS=1).

If the goal is to ensure this only runs in GitHub Actions with OIDC, you can harden the check by validating additional GitHub-provided env vars (e.g., ACTIONS_ID_TOKEN_REQUEST_URL/ACTIONS_ID_TOKEN_REQUEST_TOKEN) that are present when OIDC token minting is available.

Suggestion

Harden the CI-only publish guard by checking for OIDC-specific env vars, not just GITHUB_ACTIONS.

Example:

if [ "${ALLOW_LOCAL_PUBLISH:-0}" != "1" ]; then
  if [ -z "${GITHUB_ACTIONS:-}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
    echo "Refusing to publish without GitHub Actions OIDC. Set ALLOW_LOCAL_PUBLISH=1 to override." >&2
    exit 1
  fi
fi

Reply with "@CharlieHelps yes please" if you'd like me to add a commit with this suggestion.

[charliecreates]

The OIDC permission move and token removal are aligned with the intended publishing strategy, but the workflow keeps an apparently-unneeded elevated permission (pages: write) and lacks an explicit OIDC preflight check before publishing. Tightening permissions and adding a minimal validation step would reduce security exposure and make release failures easier to diagnose.

Additional notes (1)

• Maintainability | .github/workflows/release.yml:58-58
  You removed NPM_TOKEN/NODE_AUTH_TOKEN injection, which is the point of the OIDC switch, but the workflow does not add any explicit validation that OIDC token minting is available right before running the release.

When OIDC negotiation fails, npm typically errors in a way that’s not obviously "missing OIDC permissions". Adding an explicit preflight check makes failures more actionable and reduces time-to-debug for release issues.

Summary of changes

Summary

This update adjusts the release workflow to publish to npm via GitHub Actions OIDC rather than injecting an npm token.

Key changes in .github/workflows/release.yml

• Permissions restructuring
  • Removed workflow-level id-token: write and added a note indicating OIDC permissions should be granted at the job level.
  • Added jobs.release.permissions.id-token: write alongside contents: write to support OIDC-backed publishing and release commits/tags.
• Tokenless publish execution
  • Removed NODE_AUTH_TOKEN / NPM_TOKEN env injection from the Release step (moon run :release --affected ...).

[charliecreates]

The OIDC permission move and removal of npm token injection are aligned with the intended publishing strategy. However, the workflow lacks an explicit OIDC preflight validation step, which can make publish failures harder to diagnose when OIDC minting is unavailable or misconfigured. Adding a minimal check before moon run :release would reduce time-to-debug and provide clearer failure modes.

Additional notes (1)

• Maintainability | .github/workflows/release.yml:58-60
  The workflow now relies on npm OIDC minting, but there’s no explicit preflight check that the runner actually has OIDC token minting variables available (e.g., ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN). When OIDC negotiation fails, the resulting npm error messages can be opaque and slow to debug. Adding a fast-fail check right before running the release makes failures immediately actionable.

Summary of changes

Summary

This PR updates the release workflow to publish to npm via GitHub Actions OIDC rather than injecting an npm auth token.

Key updates in .github/workflows/release.yml

• Permissions restructuring
  • Removed workflow-level id-token: write and added a note that OIDC permissions must be requested at the job level.
  • Added jobs.release.permissions.id-token: write alongside contents: write so versioner can still push release commits/tags while npm can mint an OIDC token.
• Tokenless release execution
  • Removed NODE_AUTH_TOKEN / NPM_TOKEN env injection from the Release step that runs moon run :release ....

[shellscape]

@CharlieHelps why did you revert ALL changes to npmrc? the removal of the registry uri was correct.

[charliecreates]

Expand this to see my work.

• Clarified the goal for .npmrc on ai-395-charlie-update-npm-publishing-strategy as removing only the token auth line while preserving the previously-correct removal of the registry URI.
• Updated .npmrc to delete the //registry.npmjs.org/:_authToken=${NPM_TOKEN} line while keeping the rest of the npm options (including the removed registry URI) in the desired state.
• Ran pnpm install --frozen-lockfile to confirm the updated .npmrc works as expected, with the command exiting successfully and only the known cyclic workspace dependency warning.
• Verified with git status --porcelain that the only tracked modification is the intentional .npmrc change.
• Committed the .npmrc adjustment on ai-395-charlie-update-npm-publishing-strategy as fix(repo): remove npm token line from .npmrc and pushed it to update PR #396.
• Reviewed the .npmrc diff in the PR and drafted a response explaining that the registry URI removal remains intact and only the _authToken line was reintroduced then removed to match the intended configuration.
• Posted a clarifying reply to shellscape’s comment describing why the earlier revert was corrected and confirming the current .npmrc matches their guidance.
• Checked the current review/assignee state on PR #396 to see who is requested for review and ensure the right folks are in the loop.
• Re-requested review from CharlieHelps and shellscape on PR #396 so the updated .npmrc and explanation can be formally re-reviewed.
• Captured the latest commit SHA (7bd9b43716761ce6558ca54d06319adafb0f8b78) for precise linking back to the current .npmrc state in any follow-up discussion.

[charliecreates]

#396 (comment)

Yep — that’s on me. I reverted .npmrc wholesale in ad20990a because I read the earlier “this should remain” thread as “restore .npmrc back to main” (so I didn’t try to split “keep auth-type=legacy” vs “drop the registry-scoped token line”).

If the intended end state is: keep auth-type=legacy, but remove the //registry.npmjs.org/:_authToken=${NPM_TOKEN} line (since publishing is OIDC now), I pushed 7bd9b437 which removes only that line and leaves the rest untouched.

Verification

# Install: success (11 workspace projects)
$ pnpm install --frozen-lockfile

reviewChanges skipped: .npmrc maintainability warning — removing the registry-scoped token line is intentional per your comment + the OIDC direction of this PR.

[charliecreates]

OIDC enablement is correctly wired via jobs.release.permissions.id-token: write, and token injection removal aligns with the goal. The main gap is missing OIDC preflight validation in the workflow, which can make publish failures opaque and slower to debug. Additionally, removing the repo-level npm token line may be intentional, but should be explicitly documented to avoid surprising broken local/non-GHA publish flows.

Additional notes (2)

• Maintainability | .github/workflows/release.yml:58-60
  The workflow is now relying on OIDC for npm publish, but there’s no explicit preflight validation that OIDC token minting is actually available on the runner (e.g., ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN). When OIDC negotiation fails, npm errors can be opaque; a fast-fail check here would make failures immediately actionable and reduce time-to-debug.

This stays within scope ([R1]) because it’s directly related to the publishing strategy change and doesn’t widen behavior beyond improving failure clarity.

• Maintainability | .npmrc:1-3
  Removing the repo-level _authToken line means local developers (and any non-GHA automation) no longer inherit an npm auth configuration from the repo. That may be intentional for security, but it can also break npm publish/pnpm flows that previously relied on CI secrets or a shared .npmrc pattern.

Given the PR is specifically about publishing via OIDC in GitHub Actions, consider ensuring there’s a clear, explicit expectation in the release process about where auth comes from (OIDC in CI, ~/.npmrc locally). If that expectation already exists elsewhere, ignore this.

Summary of changes

Summary

This PR updates the repo’s release pipeline to publish to npm using GitHub Actions OIDC instead of injecting an npm token.

Key changes

• GitHub Actions release workflow (.github/workflows/release.yml)

  • Moves id-token: write from workflow-level permissions to jobs.release.permissions so the release job can mint an OIDC token.
  • Keeps contents: write at the job level to allow versioner to push release commits/tags.
  • Removes NODE_AUTH_TOKEN / NPM_TOKEN env injection from the Release step.

• npm config (.npmrc)

  • Removes the repo-level npm auth token line (//registry.npmjs.org/:_authToken=${NPM_TOKEN}), leaving the remaining npm/pnpm options unchanged.

[shellscape]

@CharlieHelps

The main gap is missing OIDC preflight validation in the workflow

How am I supposed to know what this means?

[charliecreates]

Expand this to see my work.

• Inspected .github/workflows/release.yml to understand the existing release job, its permissions (including id-token: write), and where to safely hook an OIDC check before moon run :release.
• Implemented an OIDC Preflight step after the Build Projects step in .github/workflows/release.yml that validates ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN are present and emits a clear error if they are not, ensuring OIDC is available before release runs.
• Ran pnpm exec prettier --check .github/workflows/release.yml to confirm the updated workflow file matches the repo’s formatting conventions (all checks passed).
• Committed the workflow change with a conventional commit message fix(repo): add OIDC preflight check, which passed lint-staged and prettier --write hooks for .github/workflows/release.yml.
• Verified with git status --porcelain that the working tree is clean after the commit on branch ai-395-charlie-update-npm-publishing-strategy.
• Ran a code review pass over the new OIDC Preflight step in .github/workflows/release.yml and drafted internal feedback about potentially preferring an explicit permissions: id-token: write requirement over a runtime env-var guard.
• Pushed the updated ai-395-charlie-update-npm-publishing-strategy branch to the remote so the new OIDC Preflight commit appears on PR #396.
• Updated the PR’s reviewer list via gh pr edit 396 to re-request reviews from CharlieHelps and shellscape, signaling the OIDC preflight changes are ready for another look.

[charliecreates]

#396 (comment)

It’s basically: “before we try to publish to npm using GitHub Actions OIDC, do a quick sanity check that OIDC token minting is actually available for this job.”

Concretely, when a job has permissions: id-token: write, GitHub injects OIDC-related env vars (notably ACTIONS_ID_TOKEN_REQUEST_URL and ACTIONS_ID_TOKEN_REQUEST_TOKEN). If those aren’t present, npm’s eventual “OIDC/provenance” failure tends to be a vague error, so the idea is to fail early with a message that says “OIDC isn’t available / permissions are wrong”.

I added that fast-fail step right before moon run :release in 0dd3991c.

Changes

• Added an OIDC Preflight step to .github/workflows/release.yml that checks for ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN before running the release.

Verification

# Prettier: OK (1 file)
$ pnpm exec prettier --check .github/workflows/release.yml

• Skipped: repo build/lint/tests/tsc — workflow-only change.
• reviewChanges note: warning about “enforce id-token at permissions level” is already satisfied (job already has permissions.id-token: write); this step is just a clearer early failure.

[charliecreates]

The OIDC enablement is wired correctly via jobs.release.permissions.id-token: write, and removing NODE_AUTH_TOKEN / NPM_TOKEN matches the intended tokenless publish flow. The main remaining hardening opportunity is minimizing workflow permissions (notably pages: write) to reduce security exposure. The new OIDC preflight step is valuable, but could be slightly simplified and clarified to optimize diagnosability. Finally, .npmrc token removal is reasonable, but should be explicitly documented to avoid breaking expectations for local/non-GHA workflows.

Additional notes (3)

• Maintainability | .github/workflows/release.yml:59-69
  The new OIDC Preflight check will correctly fail early when OIDC env vars are missing, but it can still pass in cases where id-token: write is present yet something else prevents token minting at runtime (or where those env vars exist but are not usable due to audience/permissions issues). Since this step is meant to make failures more diagnosable, consider making the message include the effective permissions expectation and pointing at the job-level permissions stanza explicitly.

Also, you don’t need to force shell: bash on ubuntu runners (it’s already bash by default for run), unless you’re standardizing across workflows; keeping it default reduces noise.

• Compatibility | .github/workflows/release.yml:17-17
  The workflow now relies on github.event.head_commit.message, but workflow_dispatch events don’t have head_commit. With Actions expression semantics, this can evaluate to null/empty and cause surprising behavior (e.g., the job always runs on manual dispatch, or in the worst case fails evaluation depending on how the context is accessed). Since this workflow explicitly supports workflow_dispatch, make the condition resilient by guarding on github.event_name or by defaulting the message to an empty string.

This is a correctness issue because it directly controls whether releases run.

• Maintainability | .npmrc:1-3
  Removing the repo-level _authToken line aligns with an OIDC-based publish strategy, but it may have side effects: any non-GitHub-Actions automation or local workflows that relied on ${NPM_TOKEN} being interpolated from environment will now fail/auth differently.

Given the back-and-forth in the PR thread, it would be safer to add a short clarifying comment in .npmrc explaining the intended auth source (OIDC in CI, user ~/.npmrc locally) to reduce future confusion.

Summary of changes

Summary of changes

This PR updates the release pipeline to publish to npm via GitHub Actions OIDC rather than injecting registry tokens.

Workflow: .github/workflows/release.yml

• Moves OIDC capability to the job level by adding jobs.release.permissions.id-token: write (while keeping contents: write for versioner push/tag operations).
• Removes token-based npm auth injection (NODE_AUTH_TOKEN / NPM_TOKEN) from the Release step.
• Adds an OIDC Preflight step that fails fast if ACTIONS_ID_TOKEN_REQUEST_URL / ACTIONS_ID_TOKEN_REQUEST_TOKEN are missing.

npm config: .npmrc

• Removes the repo-level token line //registry.npmjs.org/:_authToken=${NPM_TOKEN} while leaving the rest of the npm/pnpm config unchanged.