npm Trusted Publishing requires the package to already exist on the registry before a Trusted Publisher can be configured on npmjs.com (npm/cli#8544). @seatmaps.com/angular-lib is not yet on npm, so the very first release cannot go through publish.yml. Adds a one-shot workflow_dispatch workflow that publishes from main using the existing NPM_TOKEN repo secret while still attaching Sigstore provenance via id-token: write. Reuses the npm-publish environment so the same manual-approval gate applies. INSTRUCTIONS_FOR_ADMIN.md is restructured into flow A (one-time bootstrap + Trusted Publisher setup) and flow B (every subsequent OIDC release), with bootstrap-publish.yml scheduled for deletion in step A5 after the first successful run. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
nexus approved these changes (Jun 11, 2026)
Summary
Adds a one-shot `bootstrap-publish.yml` workflow so we can do the very first publish of `@seatmaps.com/angular-lib` to npm.

Why a separate workflow? npm Trusted Publishing requires the package to already exist on the registry before a Trusted Publisher can be configured on npmjs.com, a known limitation tracked at npm/cli#8544. `@seatmaps.com/angular-lib` is currently 404 on npm, so the existing OIDC-based `publish.yml` (merged in #17) cannot be the path for release `0.0.1`.

`bootstrap-publish.yml` is identical in shape to `publish.yml` (same build, same secret-leak guard, same `npm-publish` environment approval gate, same provenance attestation) but authenticates via the existing repo secret `NPM_TOKEN` for this one publish. After the first successful run, the admin configures the Trusted Publisher on npmjs.com and a follow-up PR deletes this workflow file so only the OIDC path remains.

`INSTRUCTIONS_FOR_ADMIN.md` is restructured into two clear flows:
- … (`NPM_TOKEN` revoke)

Test plan
- `.github/workflows/bootstrap-publish.yml` validates with `js-yaml`
- Actions → Bootstrap publish (first npm version only) → Run workflow against `main`, approves the `npm-publish` environment gate
- `npm view @seatmaps.com/angular-lib version` returns `0.0.1`; package page shows green Provenance badge
- https://www.npmjs.com/package/@seatmaps.com/angular-lib/access (provider GitHub Actions, repo `Kwiket/jets-seatmap-angular-lib`, workflow `publish.yml`, environment `npm-publish`)
- `.github/workflows/bootstrap-publish.yml`
- `NPM_TOKEN` from repo secrets and npmjs.com
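For readers who want to see what a token-authenticated, provenance-attesting bootstrap workflow of the shape described above looks like, here is an added example. It is not the project's own `bootstrap-publish.yml` and was not written by the PR author; the package name, the `NPM_TOKEN` secret and the `npm-publish` environment are taken from the PR text, while the Node version, the `npm run build` script and the pre-publish registry check are assumptions.

```yaml
# Added example (not the project's file). One-shot manual workflow: publishes the
# first version with a long-lived token while still attaching Sigstore provenance.
name: Bootstrap publish (first npm version only)

on:
  workflow_dispatch:   # manual trigger only; never runs on push or tag

permissions:
  contents: read
  id-token: write      # lets `npm publish --provenance` mint a Sigstore attestation

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: npm-publish           # same manual-approval gate as publish.yml
    # Refuse to run from any ref other than the default branch, even if
    # someone dispatches the workflow against another branch.
    if: github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20               # assumed; ships an npm that supports --provenance
          registry-url: https://registry.npmjs.org   # writes .npmrc so NODE_AUTH_TOKEN is honoured

      - name: Install and build
        run: |
          npm ci
          npm run build                  # assumed build script name

      - name: Refuse to publish if the package already exists on the registry
        # This path exists only for the very first version. Once the package is
        # on npm, the OIDC Trusted Publisher workflow must be used instead.
        run: |
          if npm view "@seatmaps.com/angular-lib" version >/dev/null 2>&1; then
            echo "Package already published; use the Trusted Publisher workflow (publish.yml)." >&2
            exit 1
          fi

      - name: Publish with provenance using the long-lived token
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # exposed to this step only
        run: npm publish --provenance --access public
```

Two design points worth noting. The long-lived token is injected into the environment of the single `npm publish` step rather than the whole job, so the build and checkout steps never see it, and the registry pre-check makes the workflow fail closed if it is ever re-run after the first release, which matches the PR's intent that the file be deleted and `NPM_TOKEN` revoked once the Trusted Publisher is configured.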