Skip to content

docs(release): make OIDC trusted publishing the documented npm flow#109

Merged
dipto0321 merged 1 commit into
mainfrom
docs/npm-trusted-publishing
Jul 3, 2026
Merged

docs(release): make OIDC trusted publishing the documented npm flow#109
dipto0321 merged 1 commit into
mainfrom
docs/npm-trusted-publishing

Conversation

@dipto0321

Copy link
Copy Markdown
Owner

Summary

Rewrite the npm section of docs/release-checklist.md around the now-decided publishing process: OIDC Trusted Publishing for every nodeupx publish after the first.

Why

The section still presented OIDC vs granular-token as an undecided "pick one before wiring up release.yml" choice, and instructed the reader to add a publish step that PR #100 already added (publish-npm job: id-token: write, clean .npmrc, npm publish --provenance). With the maintainer's decision to use the trusted-publisher process for the next version update, the doc now describes reality instead of a menu.

What changed

  • One-time bootstrap subsection: manual first publish of nodeupx (required because npm's Trusted Publisher config lives on the package's access page, which doesn't exist until the package does), then register the trust entry (GitHub Actions / dipto0321/nodeup / release.yml / no environment). Account prerequisites (2FA, name-squat note) kept.
  • Every subsequent release subsection: fully automatic on tag push — no npm login, no OTP; verify with npm view nodeupx version; ENEEDAUTH troubleshooting pointer.
  • Granular-token "Option B" collapsed to a short fallback note for non-GitHub CI; the stale "add this step to release.yml" YAML snippets are gone.
  • Post-tag checklist item now checks the publish-npm job result instead of pointing at a manual publish.

No workflow changes needed — release.yml was already correct; this is doc-only.

Dependencies

None added.

Refs #35.

🤖 Generated with Claude Code

The npm section of the release checklist still presented OIDC vs
granular-token as an undecided pick one before wiring release.yml
choice, with instructions to add a publish step that PR #100 had
already added. The decision is now made: OIDC Trusted Publishing is
the process for every nodeupx publish after the first.

Restructured the section into a one-time bootstrap (manual first
publish of nodeupx, required because npm's Trusted Publisher config
lives on the package page, then register the trust entry) and an
every-subsequent-release path that is fully automatic on tag push.
The granular-token option shrinks to a fallback note for non-GitHub
CI. Post-tag checklist item now verifies the publish-npm job instead
of pointing at a manual publish.

Refs #35.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@cocogitto-bot

cocogitto-bot Bot commented Jul 3, 2026

Copy link
Copy Markdown

✔️ 8dc6ebb - Conventional commits check succeeded.

@dipto0321 dipto0321 merged commit c5b4301 into main Jul 3, 2026
10 checks passed
@dipto0321 dipto0321 deleted the docs/npm-trusted-publishing branch July 3, 2026 18:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant