Skip to content

Release prep: publish nodeup-npm to npm registry on v1.0.0 cut #35

Description

@dipto0321

Tracks the manual npm-publish step for the v1.0.0 cut. The wrapper
itself shipped in #34 (nodeup-npm/ in repo, scripts/check.js +
scripts/install.js, pinned-version design). The npm package name
is nodeupx (not nodeup); see #37.

Pre-publish checklist

  • npmjs.com account exists with publish rights on the
    nodeupx package name. The bare nodeup name is owned
    by an unrelated dormant 2015 package (romanmt/nodeup,
    "a simple cluster implementation for node"), so we cannot
    claim it — npm publish fails with
    You do not have permission to publish "nodeup" if you
    try the wrong name.
  • 2FA enabled on the npm account, authenticator-app mode (SMS
    and email-only modes are not accepted for publish). Configure
    at https://www.npmjs.com/settings//security.
  • v1.0.0 GitHub release exists with all 5 binaries uploaded by
    GoReleaser (linux/darwin/windows × amd64/arm64, minus
    windows/arm64 which is intentionally excluded). The wrapper's
    install.js downloads from
    https://github.com/dipto0321/nodeup/releases/download/v1.0.0/...,
    so this has to land first.
  • nodeup-npm/package.json's binaryVersion field is set to
    1.0.0 (already true on main as of chore(release): ship npm wrapper and install-method guidance #34).

Publish flow

cd nodeup-npm
npm pack --dry-run   # expect 5 files: LICENSE, README.md, package.json, scripts/{check,install}.js
npm login            # prompts for username + password + email; then for OTP from your authenticator app
npm publish          # prompts for another OTP from your authenticator

Full details are in docs/release-checklist.md under "Publishing
nodeup-npm to the npm registry".

After the first publish

  • Confirm npm view nodeupx shows version 1.0.0 on the
    registry.

  • Smoke test: npm install -g nodeupx in a fresh shell,
    then nodeup version. Should print the v1.0.0 build info
    and download a ~6 MB static binary.

  • Consider automating future publishes. npmjs.com permanently
    revoked classic tokens on December 9, 2025; there's no
    "Automation" token type anymore. The right options are:
    1. OIDC Trusted Publishing (recommended) — the
    publish-npm job in .github/workflows/release.yml
    already exchanges GitHub's OIDC token for a one-hour
    publish token scoped to nodeupx. The trust entry
    on the npmjs.com side must point at
    release.yml in dipto0321/nodeup. No NPM_TOKEN
    secret, no rotation, no leak surface.
    2. Granular access token — created at
    <https://www.npmjs.com/settings//tokens>, 90-day
    max expiry, package-scoped to nodeupx, optional
    bypass_2fa for unattended CI. Stored as
    gh secret set NPM_TOKEN and consumed in release.yml.

    Don't automate the *first* publish; the manual `npm publish`
    establishes the package on npmjs.com and the OIDC trust
    entry can be registered on the package page right after.
    

Linked


Note

2026-07-04 updates:

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions