dgf1988/codewhale
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

chore(release): drop auto npm publish, document manual flow, trim research PDF

Browse Source 
- Remove the `publish-npm` job from `release.yml`. It has been failing on
  every release with `npm error code EOTP` because the configured `NPM_TOKEN`
  doesn't bypass 2FA. Manual publish from a developer machine is the actual
  ship path; codify that.
- Update `docs/RELEASE_RUNBOOK.md` "npm Wrapper Release" to describe the
  manual flow (`npm publish --access public` + OTP) and explain why the auto
  path is gone, with a recovery note for future Trusted-Publishing migration.
- Refresh stale cross-reference comment in `publish-npm.yml` (the workflow
  remains as inert plumbing for an eventual Trusted Publishing setup).
- Stop tracking `docs/DeepSeek_V4.pdf` (4.4 MB). It was never referenced
  outside test fixture filenames; the tests synthesize their own fake PDF.
  Add to `.gitignore` so a local copy can sit there without nagging.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Hunter Bown
2026-04-26 16:26:10 -05:00
parent 9758e26349
commit 1f00ac6311
5 changed files with 36 additions and 74 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.github/workflows/publish-npm.yml
+5 -3
View File
@@ -14,9 +14,11 @@ env:
jobs:
publish:
runs-on: ubuntu-latest
# Prefer the npm-only workflow_dispatch path in release.yml. This workflow
# works only if npm Trusted Publishing is explicitly configured for
# `publish-npm.yml` instead of `release.yml`.
# `release.yml` no longer publishes to npm — see CLAUDE.md "Releases" for
# the manual flow we actually use. This workflow remains as inert plumbing
# that only works if npm Trusted Publishing is configured for it; trigger
# via `gh workflow run publish-npm.yml -f version=X.Y.Z` if you've set
# that up on the npm side.
permissions:
contents: read
id-token: write
.github/workflows/release.yml
+5 -56
View File
@@ -123,59 +123,8 @@ jobs:
files: artifacts/*/*
prerelease: false
publish-npm:
needs: release
runs-on: ubuntu-latest
# Token-based publish (npm classic automation token). The OIDC
# Trusted Publisher path was unreliable across v0.5.1/v0.5.2/v0.6.1
# (npm returned 404 on PUT despite valid OIDC). Set the `NPM_TOKEN`
# repo secret to a granular access token scoped to `deepseek-tui`
# with publish permission.
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '24'
registry-url: 'https://registry.npmjs.org'
- name: Verify package version
working-directory: npm/deepseek-tui
run: |
actual="$(node -p "require('./package.json').version")"
expected="${GITHUB_REF_NAME#v}"
if [ "${actual}" != "${expected}" ]; then
echo "package.json version ${actual} does not match tag ${expected}" >&2
exit 1
fi
- name: Publish wrapper to npm
working-directory: npm/deepseek-tui
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm publish --access public
publish-npm-manual:
if: github.event_name == 'workflow_dispatch'
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '24'
registry-url: 'https://registry.npmjs.org'
- name: Verify package version
working-directory: npm/deepseek-tui
run: |
actual="$(node -p "require('./package.json').version")"
expected="${{ inputs.version }}"
if [ "${actual}" != "${expected}" ]; then
echo "package.json version ${actual} does not match requested ${expected}" >&2
exit 1
fi
- name: Publish wrapper to npm
working-directory: npm/deepseek-tui
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm publish --access public
# npm publish is intentionally not automated. The npm account requires 2FA OTP
# on every publish, and a granular automation token that bypasses 2FA has not
# been provisioned. Release the npm wrapper manually from a developer machine
# after the GitHub Release has been created — see CLAUDE.md "Releases" for the
# exact commands.