Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 7 additions & 7 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,9 +11,9 @@
# - Creates a GitHub Release with an auto-generated changelog
# - Pushes to the homebrew-tap repo (if HOMEBREW_TAP_TOKEN is set)
# - Pushes to the scoop-bucket repo (if SCOOP_BUCKET_TOKEN is set)
# 4. Publish the nodeup-cli npm wrapper via OIDC Trusted Publishing.
# 4. Publish the nodeupx npm wrapper via OIDC Trusted Publishing.
# GitHub Actions exchanges its built-in OIDC token for a one-hour
# publish token scoped to the `nodeup-cli` package. No NPM_TOKEN
# publish token scoped to the `nodeupx` package. No NPM_TOKEN
# secret, no rotation, no leak surface.
#
# Required secrets (configured per-repo):
Expand All @@ -25,7 +25,7 @@
#
# npm publish uses OIDC Trusted Publishing — no secret required. The
# trust is registered on the npmjs.com side at
# https://www.npmjs.com/package/nodeup-cli/access
# https://www.npmjs.com/package/nodeupx/access
# under "Trusted Publisher", pointing at this workflow by filename
# (release.yml). If the publish job ever fails with ENEEDAUTH, the
# first thing to check is that the trust entry on npmjs.com still
Expand Down Expand Up @@ -84,15 +84,15 @@ jobs:
SCOOP_BUCKET_TOKEN: ${{ secrets.SCOOP_BUCKET_TOKEN }}

publish-npm:
name: Publish nodeup-cli to npm (OIDC)
name: Publish nodeupx to npm (OIDC)
runs-on: ubuntu-latest
needs: goreleaser
# OIDC Trusted Publishing — the trust is registered on the npmjs.com
# side at https://www.npmjs.com/package/nodeup-cli/access under
# side at https://www.npmjs.com/package/nodeupx/access under
# "Trusted Publisher", pointing at this workflow by filename. No
# NPM_TOKEN secret is needed; the runner mints an OIDC token,
# npmjs.com exchanges it for a one-hour publish token scoped to
# the nodeup-cli package.
# the nodeupx package.
#
# IMPORTANT: OIDC only kicks in when npm sees NO `_authToken` line
# in .npmrc for the target registry. The actions/setup-node action
Expand Down Expand Up @@ -130,7 +130,7 @@ jobs:
mkdir -p ~/.npm
printf 'registry=https://registry.npmjs.org/\n' > ~/.npmrc

- name: Publish nodeup-cli
- name: Publish nodeupx
working-directory: ./nodeup-npm
# --provenance attaches a SLSA-style attestation to the
# published package, generated from this OIDC token.
Expand Down
6 changes: 3 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -77,7 +77,7 @@ spell out exactly what to run.
|---|---|---|
| Already use Homebrew for dev tooling on macOS / Linux | **Homebrew** | One command, auto-updates with `brew upgrade`, lives outside any Node install, uninstalls cleanly with `brew uninstall`. |
| Already use Scoop on Windows | **Scoop** | Same shape as Homebrew on the Windows side — `scoop update nodeup` keeps it current, no admin shell needed. |
| Already manage dev tools via `npm install -g` and want a one-liner | **npm wrapper** (`nodeup-cli`) | No new package manager to set up; the install travels with the Node version it's installed against. Slight catch: a `nodeup` upgrade ships when the wrapper version bumps. The npm name is `nodeup-cli` because `nodeup` is taken. |
| Already manage dev tools via `npm install -g` and want a one-liner | **npm wrapper** (`nodeupx`) | No new package manager to set up; the install travels with the Node version it's installed against. Slight catch: a `nodeup` upgrade ships when the wrapper version bumps. The npm name is `nodeupx` because `nodeup` is taken. |
| Are blocked from system package installs but can `npm i -g` | **npm wrapper** | Sandboxed / corp-locked-down machines often allow npm globals where they block system installers. |
| Maintain `nodeup` itself, or want a version pinned to a specific tag without any postinstall network step | **Direct binary download** | You choose the exact release; no installer, no auto-update, no Node coupling. Best for reproducible CI installs. |
| Are a Go developer hacking on `nodeup` and want the latest commit | **`go install`** | Pulls the current source and builds it locally. Fastest iteration loop for contributors. |
Expand Down Expand Up @@ -107,10 +107,10 @@ auto-managed by GoReleaser from `scoop: {}` in `.goreleaser.yaml`.
#### npm wrapper (any platform with Node ≥ 14)

```bash
npm install -g nodeup-cli
npm install -g nodeupx
```

The wrapper is published as **`nodeup-cli`**, not `nodeup`, because
The wrapper is published as **`nodeupx`**, not `nodeup`, because
the bare `nodeup` name on npmjs.com is owned by an unrelated,
dormant 2015 package (`romanmt/nodeup` — "a simple cluster
implementation for node"). The downloaded binary still installs
Expand Down
10 changes: 5 additions & 5 deletions docs/installation.md
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ exactly what to run.
|---|---|---|---|---|---|
| **Homebrew** | `brew install dipto0321/tap/nodeup` | Yes — `brew upgrade` | `/opt/homebrew/bin/` (macOS) or `/home/linuxbrew/.linuxbrew/bin/` (Linux) | macOS / Linux devs already using Homebrew for tooling | You don't have Homebrew and don't want to set it up just for one tool |
| **Scoop** | `scoop install nodeup` (after adding the bucket) | Yes — `scoop update` | `%USERPROFILE%\scoop\apps\nodeup\` | Windows devs already using Scoop | You prefer winget / Chocolatey — neither is wired up today |
| **npm wrapper** | `npm install -g nodeup-cli` | Semi — `npm update -g nodeup-cli` only when a wrapper version bumps | Inside a Node install, on your global `node_modules/` path | JS devs who already treat `npm i -g` as the source of truth for CLIs; locked-down machines that block system installers but allow npm globals | You want a CLI that lives completely outside any Node install, or you want to track Go-binary releases the moment they tag (the wrapper lags by one publish). **Note**: the package is `nodeup-cli`, not `nodeup` — `nodeup` is taken on npmjs.com. |
| **npm wrapper** | `npm install -g nodeupx` | Semi — `npm update -g nodeupx` only when a wrapper version bumps | Inside a Node install, on your global `node_modules/` path | JS devs who already treat `npm i -g` as the source of truth for CLIs; locked-down machines that block system installers but allow npm globals | You want a CLI that lives completely outside any Node install, or you want to track Go-binary releases the moment they tag (the wrapper lags by one publish). **Note**: the package is `nodeupx`, not `nodeup` — `nodeup` is taken on npmjs.com. |
| **Direct binary** | `curl … \| tar xz` | No — you re-run to update | Wherever you put the extracted binary | CI pipelines, reproducible installs, lock-down environments without npm or brew | You want auto-updates; you'll forget to re-run |
| **From source** | `go install ./cmd/nodeup@latest` | No — re-run against a new tag | `$GOBIN` or `$GOPATH/bin` | `nodeup` contributors and Go developers who want HEAD | Anyone who doesn't have Go installed and isn't trying to hack on the tool |

Expand Down Expand Up @@ -68,10 +68,10 @@ holds the manifest and is auto-pushed by GoReleaser.
### npm wrapper (any platform with Node ≥ 14)

```bash
npm install -g nodeup-cli
npm install -g nodeupx
```

The package is published as **`nodeup-cli`**, not `nodeup`, because
The package is published as **`nodeupx`**, not `nodeup`, because
the bare `nodeup` name on npmjs.com is owned by an unrelated,
dormant 2015 package (`romanmt/nodeup` — "a simple cluster
implementation for node"). The downloaded binary still installs as
Expand All @@ -87,7 +87,7 @@ blocked but npm globals are allowed.

- **Slight version lag.** The wrapper pins to the Go-binary version
in its `binaryVersion` field. A new Go release needs a new wrapper
publish — `npm update -g nodeup-cli` only gets you a new Go binary
publish — `npm update -g nodeupx` only gets you a new Go binary
after the wrapper version that pins to it ships. To jump to a
brand-new release ahead of that, use a direct-binary install.
- **Coupled to a Node install.** The wrapper and binary live inside
Expand Down Expand Up @@ -167,7 +167,7 @@ and uninstalls consistently:

- **Homebrew** owns upgrades → use `brew upgrade nodeup`.
- **Scoop** owns upgrades → use `scoop update nodeup`.
- **npm** owns upgrades → use `npm update -g nodeup-cli`.
- **npm** owns upgrades → use `npm update -g nodeupx`.
- **Direct binary** owns upgrades → re-run the curl one-liner (or
pin a specific tag in CI).
- **From source** owns upgrades → `go install -u
Expand Down
14 changes: 7 additions & 7 deletions docs/release-checklist.md
Original file line number Diff line number Diff line change
Expand Up @@ -73,11 +73,11 @@ cd ..

**Required once, not per release:**

- An `npmjs.com` account with publish rights on the `nodeup-cli`
- An `npmjs.com` account with publish rights on the `nodeupx`
package name. The bare `nodeup` name is owned by an unrelated
2015 package (`romanmt/nodeup`, "a simple cluster implementation
for node") so we ship under `nodeup-cli`. `npm publish` will fail
with `You do not have permission to publish "nodeup-cli"` if the
for node") so we ship under `nodeupx`. `npm publish` will fail
with `You do not have permission to publish "nodeupx"` if the
name isn't claimed yet on your account.
- **2FA enabled** on the npm account, with an authenticator-app
factor (TOTP). Configure under
Expand All @@ -97,11 +97,11 @@ offers two options — pick one before wiring up `release.yml`:
**Option A — OIDC Trusted Publishing (recommended).** GitHub
Actions can publish without a long-lived secret. The runner
exchanges its built-in OIDC token for a one-hour publish token
scoped to the `nodeup-cli` package. Per-package config lives in
scoped to the `nodeupx` package. Per-package config lives in
npm's "Trusted Publisher" UI.

1. After the first manual `npm publish` succeeds, open
<https://www.npmjs.com/package/nodeup-cli/access> (or the
<https://www.npmjs.com/package/nodeupx/access> (or the
"Trust" tab on the package page) and add a trusted publisher:
- Provider: **GitHub Actions**
- Repository: `dipto0321/nodeup`
Expand Down Expand Up @@ -131,10 +131,10 @@ Actions entirely, or if you're publishing from a non-GitHub CI.
<https://www.npmjs.com/settings/<your-username>/tokens> and
click **Generate New Token**.
2. Fill in:
- **Name / description**: e.g. `nodeup-cli-ci-publish`
- **Name / description**: e.g. `nodeupx-ci-publish`
- **Expiration**: 30 days (granular tokens max out at 90 days;
rotate before expiry)
- **Packages and scopes**: select `nodeup-cli` only (not `*`,
- **Packages and scopes**: select `nodeupx` only (not `*`,
not unscoped — limit the blast radius)
- **Permissions**: `Read and write` on packages
- **Bypass 2FA**: ON (so the CI publish doesn't need an OTP)
Expand Down
10 changes: 5 additions & 5 deletions nodeup-npm/README.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,11 @@
# nodeup-cli (npm wrapper)
# nodeupx (npm wrapper)

> Thin npm wrapper around the [`nodeup`](https://github.com/dipto0321/nodeup)
> Go binary. Installs the right static binary for your OS/arch on
> `npm install -g nodeup-cli` and exposes `nodeup` on your `$PATH`.
> `npm install -g nodeupx` and exposes `nodeup` on your `$PATH`.

This directory is the **npm distribution channel** for `nodeup`. The
package is published as **`nodeup-cli`** because the bare `nodeup`
package is published as **`nodeupx`** because the bare `nodeup`
name on npmjs.com is owned by an unrelated, dormant 2015 package
(`romanmt/nodeup`, "a simple cluster implementation for node").
The downloaded binary still ships as the `nodeup` CLI you know.
Expand All @@ -18,7 +18,7 @@ package's `binaryVersion` field points at.
## Install

```bash
npm install -g nodeup-cli
npm install -g nodeupx
nodeup version
```

Expand Down Expand Up @@ -73,7 +73,7 @@ release bump ship in the same commit.
## Updating

```bash
npm update -g nodeup-cli
npm update -g nodeupx
```

You get a new wrapper version. If that wrapper pins a newer
Expand Down
2 changes: 1 addition & 1 deletion nodeup-npm/package.json
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
{
"name": "nodeup-cli",
"name": "nodeupx",
"version": "1.0.1",
"description": "Automated Node.js version upgrade + global package migration CLI. Static Go binary wrapped for npm distribution.",
"license": "MIT",
Expand Down
Loading