chore(release): drop auto npm publish, document manual flow, trim research PDF

- Remove the `publish-npm` job from `release.yml`. It has been failing on every release with `npm error code EOTP` because the configured `NPM_TOKEN` doesn't bypass 2FA. Manual publish from a developer machine is the actual ship path; codify that. - Update `docs/RELEASE_RUNBOOK.md` "npm Wrapper Release" to describe the manual flow (`npm publish --access public` + OTP) and explain why the auto path is gone, with a recovery note for future Trusted-Publishing migration. - Refresh stale cross-reference comment in `publish-npm.yml` (the workflow remains as inert plumbing for an eventual Trusted Publishing setup). - Stop tracking `docs/DeepSeek_V4.pdf` (4.4 MB). It was never referenced outside test fixture filenames; the tests synthesize their own fake PDF. Add to `.gitignore` so a local copy can sit there without nagging. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 16:26:10 -05:00
parent 9758e26349
commit 1f00ac6311
5 changed files with 36 additions and 74 deletions
@@ -123,59 +123,8 @@ jobs:
          files: artifacts/*/*
          prerelease: false

-  publish-npm:
-    needs: release
-    runs-on: ubuntu-latest
-    # Token-based publish (npm classic automation token). The OIDC
-    # Trusted Publisher path was unreliable across v0.5.1/v0.5.2/v0.6.1
-    # (npm returned 404 on PUT despite valid OIDC). Set the `NPM_TOKEN`
-    # repo secret to a granular access token scoped to `deepseek-tui`
-    # with publish permission.
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '24'
-          registry-url: 'https://registry.npmjs.org'
-      - name: Verify package version
-        working-directory: npm/deepseek-tui
-        run: |
-          actual="$(node -p "require('./package.json').version")"
-          expected="${GITHUB_REF_NAME#v}"
-          if [ "${actual}" != "${expected}" ]; then
-            echo "package.json version ${actual} does not match tag ${expected}" >&2
-            exit 1
-          fi
-      - name: Publish wrapper to npm
-        working-directory: npm/deepseek-tui
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: npm publish --access public
-
-  publish-npm-manual:
-    if: github.event_name == 'workflow_dispatch'
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '24'
-          registry-url: 'https://registry.npmjs.org'
-      - name: Verify package version
-        working-directory: npm/deepseek-tui
-        run: |
-          actual="$(node -p "require('./package.json').version")"
-          expected="${{ inputs.version }}"
-          if [ "${actual}" != "${expected}" ]; then
-            echo "package.json version ${actual} does not match requested ${expected}" >&2
-            exit 1
-          fi
-      - name: Publish wrapper to npm
-        working-directory: npm/deepseek-tui
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: npm publish --access public
+# npm publish is intentionally not automated. The npm account requires 2FA OTP
+# on every publish, and a granular automation token that bypasses 2FA has not
+# been provisioned. Release the npm wrapper manually from a developer machine
+# after the GitHub Release has been created — see CLAUDE.md "Releases" for the
+# exact commands.