npm: ship weave-router as @workweave/router (org-scoped) + OIDC publish workflow#147
Merged
- bump version to 0.1.1 (statusline self-refresh + uninstall delegation)
- add .github/workflows/publish_npm.yml: tag `weave-router-v*` triggers `npm publish --provenance --access public`, asserts tag matches package.json version first
Rename the unscoped weave-router package to @workweave/router (org-scoped) so the package is owned by the workweave org from day one — no npm-support ticket needed, no squat risk on the unscoped name.
- install/npm/package.json: name → @workweave/router, version reset to 0.1.0 (fresh scoped package; the unscoped weave-router@0.1.0 will be deprecated with a pointer to the new name)
- Swap `npx weave-router` → `npx @workweave/router` in install.sh, uninstall.sh, install/README.md, install/npm/README.md, and bin.js comment
- Keep the binary name as `weave-router` (package.json bin field) so the CLI on PATH after `npm install -g` is unchanged
- publish_npm.yml: tag prefix `weave-router-v*` → `router-v*` (npm scope slashes break git refs; flat prefix is cleaner), drop NODE_AUTH_TOKEN env in favor of npm OIDC trusted publishing (no long-lived secret in repo)
- homepage: weave.ai → workweave.ai (correct marketing domain)
- license: Apache-2.0 → "SEE LICENSE IN LICENSE" (the repo is ELv2, which is not on the SPDX list; the npm-recommended pattern for non-SPDX licenses is to point at the bundled LICENSE file)
- copy-installer.js: also copy ../../LICENSE into the npm package root so npm surfaces the license on the package page and consumers receive it with `npm install`
- .gitignore: add LICENSE alongside the other prepack-generated files
- bump to 0.1.1 (0.1.0 just shipped with the wrong metadata)
- pin actions/checkout + actions/setup-node to commit SHAs since this workflow has id-token: write and publishes to npm; floating tags here let an upstream-action compromise ship a malicious package
- bump node-version 20 → 24 because npm OIDC trusted publishing requires npm ≥ 11.5 (Node 20 ships with npm 10 and would 401)
Without this, anyone with tag-push capability could publish from a side branch and bypass branch-protection / PR-review on main. The new step fetches origin/main and asserts the tagged commit is an ancestor before the publish step runs.
Default shallow clone (depth 1) only has the tagged commit, so `git merge-base --is-ancestor $SHA origin/main` can't walk the graph and the reachability check would reject even legitimate main-reachable tags.
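The two gates those commits describe, written out as an added POSIX shell script (not the repository's own publish_npm.yml step) that a `run:` step could call: it assumes the Actions variables GITHUB_REF and GITHUB_SHA, the `router-v` tag prefix and the `install/npm/package.json` path from the PR, and the package.json used in the test is constructed.

```shell
#!/usr/bin/env sh
# Release-gate checks mirroring the two assertions the PR adds to publish_npm.yml:
# (1) the pushed tag must be router-v<version> for the version in package.json,
# (2) the tagged commit must already be reachable from origin/main.
# Added example, not the repository's own workflow code. Assumes the Actions
# variables GITHUB_REF (refs/tags/router-v0.1.1) and GITHUB_SHA and the repo root.
set -eu

TAG_PREFIX="router-v"

# Pull "version" out of a package.json with sed, so the gate needs neither node nor jq.
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Check 1. Prints the version on success; fails if the prefix is wrong or the
# versions disagree (a stale package.json would otherwise ship under a new tag).
check_tag_matches_version() {
  tag=${1#refs/tags/}
  case $tag in
    "$TAG_PREFIX"*) ;;
    *) echo "tag '$tag' does not start with $TAG_PREFIX" >&2; return 1 ;;
  esac
  want=${tag#"$TAG_PREFIX"}
  have=$(pkg_version "$2")
  if [ -z "$have" ] || [ "$want" != "$have" ]; then
    echo "tag version '$want' != package.json version '$have'" >&2
    return 1
  fi
  echo "$have"
}

# Check 2. actions/checkout defaults to depth 1, which leaves only the tagged
# commit; without history, merge-base cannot walk the graph and rejects even
# legitimate tags, so deepen first. Then require the tag to be an ancestor of
# origin/main, so a tag pushed from a side branch cannot bypass PR review.
check_tag_on_main() {
  if [ "$(git rev-parse --is-shallow-repository)" = "true" ]; then
    git fetch -q --unshallow origin
  fi
  git fetch -q origin main
  git merge-base --is-ancestor "$1" origin/main
}

# Workflow entry point; skipped when the functions are sourced for testing.
if [ -n "${GITHUB_REF:-}" ] && [ -n "${GITHUB_SHA:-}" ]; then
  version=$(check_tag_matches_version "$GITHUB_REF" install/npm/package.json)
  check_tag_on_main "$GITHUB_SHA"
  echo "ok: $GITHUB_REF matches $version and is reachable from origin/main; publishing"
fi
```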
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit f15615b.
actions/setup-node v6.0.2 is the first release with npm OIDC support (actions/setup-node#1477). v4/v5 write an .npmrc that points `_authToken` at $NODE_AUTH_TOKEN unconditionally, which short-circuits npm CLI's OIDC code path and 401s at publish even when the trusted publisher is configured correctly.
Summary
Two coupled changes that should land together:
- `weave-router` to `@workweave/router` — gets the package owned by the `workweave` org from day one (npm has no CLI path to transfer unscoped packages to an org; it requires a support ticket), and reserves the `@workweave/*` scope for future packages.
- `.github/workflows/publish_npm.yml` — on tag push matching `router-v*`, asserts tag matches `package.json` version, then publishes via npm OIDC trusted publishing (no `NPM_TOKEN` secret in the repo).
The binary name stays `weave-router` (`package.json` `bin` field), so `npm install -g @workweave/router` still puts a `weave-router` command on PATH. Only the `npx` invocation changes: `npx weave-router` → `npx @workweave/router`.
Follow-ups (separate PRs)
- `backend/internal/app/syncrouterinstall/config.go` to render `npx -y @workweave/router` instead of `npx -y weave-router`, plus the matching test assertions.
- `weave-router@0.1.0`: `npm deprecate weave-router@0.1.0 "moved to @workweave/router"` (kills the squat risk without unpublishing).
Release flow after merge
1. `@workweave/router`: org=`workweave`, repo=`router`, workflow=`publish_npm.yml`.
2. `git tag router-v0.1.0 && git push origin router-v0.1.0`.
3. `@workweave/router@0.1.0` to npm with provenance.
Test plan
- `router-v0.1.0` tag, confirm workflow run publishes
- `npx -y @workweave/router@0.1.0 --help` works from a clean machine
- `npm deprecate weave-router@0.1.0` after the new package is live