
ci: route automatic publish to the npm-trusted workflow#21

Merged
michaelfrog merged 2 commits into main from fix/auto-publish-route-to-trusted-workflow
Jun 29, 2026

@michaelfrog michaelfrog commented Jun 29, 2026

Collaborator

Problem

The automatic publish has been failing on every release. release.yml dispatched publish.yml ("Publish Package"), but publish.yml is not a configured npm OIDC trusted publisher, so npm publish died with ENEEDAUTH. The only workflow npm authorizes is publish-as-is.yml ("Publish public Package version") — the one that successfully shipped 0.0.4 manually.

A second symptom: the prs_created next dispatch fired on every release-please PR open and also failed (same ENEEDAUTH), producing recurring red runs and no usable prerelease.

Fix (GitHub-side only — no npmjs changes)

  • Point the on-release dispatch at publish-package-as-is so it triggers publish-as-is.yml, which npm already trusts. publish-as-is.yml publishes package.json's version as-is at latest — exactly what a merged release PR needs.
  • Drop the broken next prerelease dispatch and gate the job on releases_created == 'true' only.
  • Delete the orphaned publish.yml — it's no longer dispatched and was never an authorized publisher. publish-as-is.yml is now the sole publish path.

After this, merging a release-please PR auto-publishes to npm with no manual step.

Notes

  • Do not rename publish-as-is.yml — npm's trusted-publisher match is keyed to the workflow filename.

Test plan

michaelfrog and others added 2 commits June 29, 2026 10:38
The Release workflow dispatched publish.yml, which is not a configured npm
OIDC trusted publisher and always failed with ENEEDAUTH. Point the on-release
dispatch at publish-as-is.yml (the workflow npm authorizes, used to ship
0.0.4) and drop the prerelease "next" dispatch, which fired on every release
PR open and could not authenticate.

Co-authored-by: Cursor <cursoragent@cursor.com>

publish.yml is no longer dispatched by release.yml and is not an authorized
npm OIDC trusted publisher (always failed with ENEEDAUTH). Remove the dead
workflow; publish-as-is.yml is the sole publish path.

Co-authored-by: Cursor <cursoragent@cursor.com>
@michaelfrog michaelfrog merged commit 446d0d0 into main Jun 29, 2026
4 checks passed
@michaelfrog michaelfrog deleted the fix/auto-publish-route-to-trusted-workflow branch June 29, 2026 07:51
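An added example (not code from this pull request or its repository): a CI lint in Python that follows each dispatch in the workflow files to its handler and flags any route that reaches npm publish outside publish-as-is.yml, which is the failure described above. The workflow snippets, the publish-package event name, the repository_dispatch / event-type mechanism and the audit helper are constructed assumptions; the id-token: write check reflects npm trusted publishing's need for an OIDC token.

```python
import re

TRUSTED = "publish-as-is.yml"  # filename the PR says npm's trusted-publisher match is keyed to

def _publishes(text):
    return re.search(r"^\s*(?:-\s*)?run:.*\bnpm publish\b", text, re.M) is not None

def audit(workflows, trusted=TRUSTED):
    """workflows maps filename -> YAML text. Returns sorted findings (empty list = OK)."""
    findings = []
    if trusted not in workflows:
        findings.append(f"{trusted}: missing or renamed, npm will not match a trusted publisher")
    elif not re.search(r"^\s*id-token:\s*write\b", workflows[trusted], re.M):
        findings.append(f"{trusted}: lacks 'id-token: write', so no OIDC token can be requested")
    # Map each repository_dispatch event type to the workflows that listen for it.
    handlers = {}
    for name, text in workflows.items():
        if "repository_dispatch" in text:
            for group in re.findall(r"^\s*types:\s*\[([^\]]*)\]", text, re.M):
                for ev in filter(None, re.split(r"[\s,'\"]+", group)):
                    handlers.setdefault(ev, []).append(name)
    # Follow every dispatch (assumed to be sent via an 'event-type:' input) to its handler.
    for name, text in workflows.items():
        for ev in re.findall(r"^\s*event-type:\s*['\"]?([\w.-]+)", text, re.M):
            targets = handlers.get(ev, [])
            if not targets:
                findings.append(f"{name}: dispatches '{ev}' but no workflow handles it")
            for t in targets:
                if _publishes(workflows[t]) and t != trusted:
                    findings.append(f"{name}: '{ev}' reaches {t}, which runs npm publish but is not trusted (ENEEDAUTH)")
    return sorted(findings)

# Constructed workflow snippets (not the repository's real files).
PUBLISH_BODY = "permissions:\n  id-token: write\njobs:\n  p:\n    steps:\n      - run: npm publish\n"
BEFORE = {
    "release.yml": "jobs:\n  r:\n    steps:\n      - uses: peter-evans/repository-dispatch@v3\n        with:\n          event-type: publish-package\n",
    "publish.yml": "on:\n  repository_dispatch:\n    types: [publish-package]\n" + PUBLISH_BODY,
    "publish-as-is.yml": "on:\n  repository_dispatch:\n    types: [publish-package-as-is]\n" + PUBLISH_BODY,
}
AFTER = {
    "release.yml": BEFORE["release.yml"].replace("publish-package", "publish-package-as-is"),
    "publish-as-is.yml": BEFORE["publish-as-is.yml"],
}

if __name__ == "__main__":
    for label, wf in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(wf) or "OK")
```

The matching is regex-based and only understands inline `types: [...]` lists, so a real repository would need a YAML parser and its own dispatch mechanism substituted in.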