docs(release): make OIDC trusted publishing the documented npm flow#109
Merged
Conversation
The npm section of the release checklist still presented OIDC vs granular-token as an undecided pick one before wiring release.yml choice, with instructions to add a publish step that PR #100 had already added. The decision is now made: OIDC Trusted Publishing is the process for every nodeupx publish after the first. Restructured the section into a one-time bootstrap (manual first publish of nodeupx, required because npm's Trusted Publisher config lives on the package page, then register the trust entry) and an every-subsequent-release path that is fully automatic on tag push. The granular-token option shrinks to a fallback note for non-GitHub CI. Post-tag checklist item now verifies the publish-npm job instead of pointing at a manual publish. Refs #35. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
✔️ 8dc6ebb - Conventional commits check succeeded. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Rewrite the npm section of
docs/release-checklist.mdaround the now-decided publishing process: OIDC Trusted Publishing for everynodeupxpublish after the first.Why
The section still presented OIDC vs granular-token as an undecided "pick one before wiring up
release.yml" choice, and instructed the reader to add a publish step that PR #100 already added (publish-npmjob:id-token: write, clean.npmrc,npm publish --provenance). With the maintainer's decision to use the trusted-publisher process for the next version update, the doc now describes reality instead of a menu.What changed
nodeupx(required because npm's Trusted Publisher config lives on the package's access page, which doesn't exist until the package does), then register the trust entry (GitHub Actions /dipto0321/nodeup/release.yml/ no environment). Account prerequisites (2FA, name-squat note) kept.npm login, no OTP; verify withnpm view nodeupx version;ENEEDAUTHtroubleshooting pointer.publish-npmjob result instead of pointing at a manual publish.No workflow changes needed —
release.ymlwas already correct; this is doc-only.Dependencies
None added.
Refs #35.
🤖 Generated with Claude Code