ci: publish npm with trusted publishing

Hunter Bown
2026-04-24 16:13:59 -05:00
parent 8323bedfb7
commit f3df8f5f26
3 changed files with 14 additions and 11 deletions
+2 -4
@@ -21,7 +21,7 @@ jobs:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
node-version: '24'
registry-url: 'https://registry.npmjs.org'
- name: Verify package version
working-directory: npm/deepseek-tui
@@ -34,6 +34,4 @@ jobs:
fi
- name: Publish wrapper to npm
working-directory: npm/deepseek-tui
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm publish --provenance --access public
run: npm publish --access public
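Review bot: With `NODE_AUTH_TOKEN` removed from the "Publish wrapper to npm" step, this workflow has no visible credential path: neither hunk shows a `permissions:` block granting `id-token: write`, and the docs updated in this commit register only `release.yml` as the trusted workflow filename. If this file is a separate workflow, npm's OIDC exchange will presumably not match it and `npm publish` will fail unauthenticated. Either give the job `permissions:` with `contents: read` and `id-token: write` and make sure npm trusts this workflow's filename, or keep the token env here until that is in place. The job definition starts outside both hunks, so an existing permissions block may simply be out of view.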
+4 -6
@@ -119,8 +119,8 @@ jobs:
publish-npm:
needs: release
runs-on: ubuntu-latest
# Trusted Publishing via OIDC — no NPM_TOKEN required.
# Configure the trusted publisher on the npm package settings page.
# Trusted Publishing via OIDC. Configure npm to trust this workflow
# filename (`release.yml`) for Hmbown/DeepSeek-TUI.
permissions:
contents: read
id-token: write
@@ -128,10 +128,8 @@ jobs:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '20'
node-version: '24'
registry-url: 'https://registry.npmjs.org'
- name: Publish wrapper to npm
working-directory: npm/deepseek-tui
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
run: npm publish --provenance --access public
run: npm publish --access public
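Review bot: The `publish-npm` job holds `id-token: write` and can therefore mint the OIDC token npm accepts for publishing, yet `actions/checkout@v4` and `actions/setup-node@v4` are referenced by mutable tag; pinning both to a full commit SHA, e.g. `uses: actions/setup-node@<full-commit-sha>  # v4`, keeps a retagged action from running inside that job. Separately, nothing after `node-version: '24'` checks that the bundled npm meets the 11.5.1 minimum the docs in this commit state; a step that prints `npm --version` and fails below that would turn a too-old runner image into a clear error instead of an authentication failure. The job comment could also say that provenance is expected to be attached by the trusted-publishing path, so the dropped `--provenance` flag is not read as a regression.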
+8 -1
@@ -132,7 +132,11 @@ release verification script both depend on that checksum manifest.
1. Set the npm package version in [npm/deepseek-tui/package.json](../npm/deepseek-tui/package.json).
2. Set `deepseekBinaryVersion` to the GitHub release tag that should supply binaries.
3. Run:
3. For GitHub Actions publishing, configure npm Trusted Publishing for:
- Publisher: GitHub Actions
- Repository: `Hmbown/DeepSeek-TUI`
- Workflow filename: `release.yml`
4. Run:
```bash
cd npm/deepseek-tui
@@ -141,6 +145,9 @@ npm publish
```
`prepublishOnly` verifies that all expected release assets and the checksum manifest exist.
The tag release workflow publishes through npm Trusted Publishing, so it does
not use `NPM_TOKEN`. npm requires Node 22.14.0+ and npm 11.5.1+ for that OIDC
path; the workflow uses Node 24.
## Recovery and Rollback