You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
npm publishing for @wavehouse/sdk is live and confirmed working via OIDC trusted publishing (#227, shipped in #266 + #267). This tracks the remaining post-launch / go-public hardening items.
Follow-ups
Enable build provenance.(done in ci: add build provenance for npm, go binaries, and the ghcr image #308 — also extended to Go release binaries + the GHCR image, not just the two npm publish lines.) Once the repo is public (the "Make GitHub repo public" step in release: cut v0.1.0-alpha.1 (first public alpha) #149), uncomment --provenance on bothnpm publish lines in .github/workflows/publish-npm.yml (the dev and release jobs). Provenance requires a public source repo; it adds a signed SLSA build attestation + the npm "Provenance" badge. Do this together with the go-public step so it isn't forgotten.
Exercise the sdk-v* release path. The release job (tag → latest/alpha/beta/rc/next + a GitHub Release) is wired but has never run. Cutting sdk-v0.1.0 (or sdk-v0.1.0-alpha.1) is its first real test — verify the tag↔version match check, dist-tag derivation, npm publish, and gh release create.
latest dist-tag. It currently points at the bootstrap 0.0.0-dev.0f8826c (npm auto-set latest on the first-ever publish), so bare npm install @wavehouse/sdk resolves to a dev build. The first sdk-v* release publishes a real version to latest and resolves this — confirm afterward.
Document the npm release flow in AGENTS.md — the content-addressed dev channel, the sdk-v* release flow, the one-trusted-publisher constraint, and the Node 24 / npm ≥ 11.5 requirement.
How it works today (context)
One trusted publisher: publish-npm.yml (configured on npmjs.com → Wave-RF/WaveHouse). OIDC, no NPM_TOKEN.
Dev channel: every push to main builds the SDK and publishes 0.0.0-dev.h<dist-hash> to the dev dist-tag, skipping when the build hash is unchanged. Commit traceability via npm gitHead.
Publish jobs run on Node 24 (ships npm ≥ 11.5.1 for OIDC; Node 22.22.2's bundled npm 10.9.7 is broken — actions/runner-images#13883).
npm publishing for
@wavehouse/sdkis live and confirmed working via OIDC trusted publishing (#227, shipped in #266 + #267). This tracks the remaining post-launch / go-public hardening items.Follow-ups
--provenanceon bothnpm publishlines in.github/workflows/publish-npm.yml(thedevandreleasejobs). Provenance requires a public source repo; it adds a signed SLSA build attestation + the npm "Provenance" badge. Do this together with the go-public step so it isn't forgotten.sdk-v*release path. Thereleasejob (tag →latest/alpha/beta/rc/next+ a GitHub Release) is wired but has never run. Cuttingsdk-v0.1.0(orsdk-v0.1.0-alpha.1) is its first real test — verify the tag↔version match check, dist-tag derivation,npm publish, andgh release create.latestdist-tag. It currently points at the bootstrap0.0.0-dev.0f8826c(npm auto-setlateston the first-ever publish), so barenpm install @wavehouse/sdkresolves to a dev build. The firstsdk-v*release publishes a real version tolatestand resolves this — confirm afterward.devchannel, thesdk-v*release flow, the one-trusted-publisher constraint, and the Node 24 / npm ≥ 11.5 requirement.How it works today (context)
publish-npm.yml(configured on npmjs.com →Wave-RF/WaveHouse). OIDC, noNPM_TOKEN.mainbuilds the SDK and publishes0.0.0-dev.h<dist-hash>to thedevdist-tag, skipping when the build hash is unchanged. Commit traceability via npmgitHead.Refs #227, #149.