From 0335a56452189dd86b859d9714b48e71c0703358 Mon Sep 17 00:00:00 2001
From: Michae Touito
Date: Mon, 29 Jun 2026 10:38:49 +0300
Subject: [PATCH 1/2] ci: route automatic publish to the npm-trusted workflow

The Release workflow dispatched publish.yml, which is not a configured npm OIDC trusted publisher and always failed with ENEEDAUTH. Point the on-release dispatch at publish-as-is.yml (the workflow npm authorizes, used to ship 0.0.4) and drop the prerelease "next" dispatch, which fired on every release PR open and could not authenticate.
Co-authored-by: Cursor
---
 .github/workflows/release.yml | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e3c2c90..6708145 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -29,20 +29,13 @@ jobs:
 dispatch-publish:
 needs: process
 runs-on: ubuntu-latest
- if: needs.process.outputs.releases_created == 'true' || needs.process.outputs.prs_created == 'true'
+ # Only publish once a release is actually cut (release PR merged → tag + GitHub release).
+ if: needs.process.outputs.releases_created == 'true'
 steps:
+ # Routes to publish-as-is.yml, the workflow npm authorizes for OIDC trusted publishing.
+ # (publish.yml is not a configured trusted publisher and fails with ENEEDAUTH.)
 - name: Dispatch publish for releases
- if: needs.process.outputs.releases_created == 'true'
 uses: peter-evans/repository-dispatch@v2
 with:
 token: ${{ secrets.GITHUB_TOKEN }}
- event-type: publish-package
- client-payload: '{"tag": "latest"}'
-
- - name: Dispatch publish for prerelease
- if: needs.process.outputs.prs_created == 'true'
- uses: peter-evans/repository-dispatch@v2
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- event-type: publish-package
- client-payload: '{"tag": "next"}'
+ event-type: publish-package-as-is
From 246acdfa623418e3351ac334e22f1bc9737ca5c1 Mon Sep 17 00:00:00 2001
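Review bot: The remaining dispatch step still references `peter-evans/repository-dispatch@v2` by a mutable tag while being handed `secrets.GITHUB_TOKEN`, and after this change it is the only automatic trigger for the npm publish path, so a retagged or compromised action release would sit directly in front of publishing. Pin it to a full commit SHA, for example `uses: peter-evans/repository-dispatch@<full-commit-sha>  # v2` (placeholder; take the SHA from the action's release you have reviewed). The new event also drops `client-payload`, and a `repository_dispatch` run starts from the default branch rather than from the release tag, so it is worth confirming that publish-as-is.yml, which is not visible here, checks out the tagged commit before it publishes. The workflow's `permissions:` block, if there is one, lies outside this hunk; this job should need no more than `contents: write` to send the dispatch.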
From: Michae Touito
Date: Mon, 29 Jun 2026 10:43:18 +0300
Subject: [PATCH 2/2] ci: remove orphaned publish.yml workflow

publish.yml is no longer dispatched by release.yml and is not an authorized npm OIDC trusted publisher (always failed with ENEEDAUTH). Remove the dead workflow; publish-as-is.yml is the sole publish path.
Co-authored-by: Cursor
---
 .github/workflows/publish.yml | 49 -----------------------------------
 1 file changed, 49 deletions(-)
 delete mode 100644 .github/workflows/publish.yml
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
deleted file mode 100644
index a65cf7e..0000000
--- a/.github/workflows/publish.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-name: Publish Package
-
-on:
- workflow_dispatch:
- inputs:
- tag:
- description: 'npm tag (latest or next)'
- required: true
- type: choice
- options:
- - latest
- - next
- repository_dispatch:
- types: [publish-package]
-
-permissions:
- id-token: write
- contents: read
-
-jobs:
- publish:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v4
- with:
- fetch-depth: 0
- fetch-tags: true
-
- - uses: jdx/mise-action@d6e32c1796099e0f1f3ac741c220a8b7eae9e5dd
- with:
- install: true
- cache: true
- experimental: true
-
- - name: Build
- run: mise run build
-
- - id: inputs
- uses: simenandre/setup-inputs@v1
-
- - name: Publish to npm with OIDC
- run: |
- TAG="${{ steps.inputs.outputs.tag }}"
- if [ -z "$TAG" ]; then
- TAG="latest"
- fi
-
- echo "Publishing with tag: $TAG"
- mise run publish --tag "$TAG"