From 1eea1ab13a4868e986fba80ff3a7f88f59f8998d Mon Sep 17 00:00:00 2001 From: Santiago Puppo Date: Thu, 25 Jun 2026 17:50:48 -0300 Subject: [PATCH 1/2] fix(ci): publish canaries from CD workflow to satisfy npm trusted publishing --- .github/workflows/cd.yml | 34 ++++++++++++++++++++++++++++++++-- .github/workflows/ci.yml | 6 ------ 2 files changed, 32 insertions(+), 8 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index 01598a8b..bae4c7a0 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -73,8 +73,6 @@ jobs: - name: Publish if: ${{ steps.release.outputs.releases_created == 'true' }} run: npm exec -c publish-packages - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: 'Get message' if: ${{ steps.release.outputs.releases_created == 'true' }} @@ -91,3 +89,35 @@ jobs: SLACK_USERNAME: Mux Elements SLACK_ICON: https://avatars.githubusercontent.com/muxinc?size=48 SLACK_FOOTER: '' + + # Canary prereleases run from this (the trusted-publisher) workflow rather than + # CI, because npm trusted publishing only trusts a single workflow per package. + canary: + # Only publish canaries from main, and never on the Release Please commit + # (that path publishes the real release via `release` above). + if: ${{ github.ref == 'refs/heads/main' && github.event.commits[0].author.name != 'github-actions[bot]' }} + + runs-on: ubuntu-latest + environment: production + permissions: + id-token: write + + steps: + - uses: actions/checkout@v4 + - name: read node version from the .nvmrc file + run: echo ::set-output name=NODE_VERSION::$(cat .nvmrc) + shell: bash + id: nvmrc + - uses: actions/setup-node@v4 + with: + node-version: ${{steps.nvmrc.outputs.NODE_VERSION}} + # required so npm can publish below + registry-url: 'https://registry.npmjs.org' + cache: npm + - run: npm ci + - run: npm run clean + - run: npm run build:packages + # Auth is handled by npm trusted publishing (OIDC) via `id-token: write`. + # Do not add NODE_AUTH_TOKEN here — the long-lived NPM token is unused and + # flagged by security scanning. + - run: npx --yes -w packages wet-run@1.2.5 release prerelease --prerelease canary --provenance --log-level verbose diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index bce6e960..eecdd9b7 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,8 +14,6 @@ jobs: runs-on: ubuntu-latest timeout-minutes: 15 - permissions: - id-token: write steps: - uses: actions/checkout@v4 @@ -32,10 +30,6 @@ jobs: - run: npm ci - run: npm run clean - run: npm run build:packages - - run: npx --yes -w packages wet-run@1.2.5 release prerelease --prerelease canary --provenance --log-level verbose - if: ${{ github.ref == 'refs/heads/main' }} - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} lint: # Don't run if the CI is triggered by Release Please From c07b5506b338c18af1fd0448c4789cfe4e49949d Mon Sep 17 00:00:00 2001 From: Santiago Puppo Date: Thu, 25 Jun 2026 17:55:40 -0300 Subject: [PATCH 2/2] refactor: removed comments --- .github/workflows/cd.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml index bae4c7a0..37195dbe 100644 --- a/.github/workflows/cd.yml +++ b/.github/workflows/cd.yml @@ -90,8 +90,6 @@ jobs: SLACK_ICON: https://avatars.githubusercontent.com/muxinc?size=48 SLACK_FOOTER: '' - # Canary prereleases run from this (the trusted-publisher) workflow rather than - # CI, because npm trusted publishing only trusts a single workflow per package. canary: # Only publish canaries from main, and never on the Release Please commit # (that path publishes the real release via `release` above). @@ -117,7 +115,4 @@ jobs: - run: npm ci - run: npm run clean - run: npm run build:packages - # Auth is handled by npm trusted publishing (OIDC) via `id-token: write`. - # Do not add NODE_AUTH_TOKEN here — the long-lived NPM token is unused and - # flagged by security scanning. - run: npx --yes -w packages wet-run@1.2.5 release prerelease --prerelease canary --provenance --log-level verbose