[PR #54] [MERGED] ci: wire up npm publishing with OIDC trusted publishing #272

New issue

Closed

opened 2026-05-06 12:38:54 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 12:38:54 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/54
Author: @southpolesteve
Created: 2/25/2026
Status: ✅ Merged
Merged: 2/25/2026
Merged by: @southpolesteve

Base: main ← Head: opencode/mighty-mountain

📝 Commits (1)

6eabcce ci: wire up npm publishing with OIDC trusted publishing

📊 Changes

3 files changed (+45 additions, -7 deletions)

View changed files

📝 .github/workflows/ci.yml (+1 -0)
📝 .github/workflows/publish.yml (+43 -6)
📝 packages/vinext/package.json (+1 -1)

📄 Description

Summary

Adds version bump input (patch/minor/major) to the manual publish workflow
Gates publish on the full CI suite (lint, typecheck, vitest, all 5 e2e projects)
Uses npm OIDC trusted publishing instead of a long-lived NPM_TOKEN secret
Tags releases in git after publish (v0.0.6, etc.)

Changes

.github/workflows/publish.yml — rewrote with version input, CI gate via reusable workflow, OIDC auth (no secrets needed), and git tagging
.github/workflows/ci.yml — added workflow_call trigger so publish can reuse it
packages/vinext/package.json — fixed repository.url to canonical git+https://...git format for OIDC validation

Setup required

After merging, configure trusted publishing on npmjs.com:

Go to https://www.npmjs.com/package/vinext/access
Under Trusted Publisher, click GitHub Actions
Set Organization = cloudflare, Repository = vinext, Workflow filename = publish.yml
Save

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cloudflare/vinext/pull/54 **Author:** [@southpolesteve](https://github.com/southpolesteve) **Created:** 2/25/2026 **Status:** ✅ Merged **Merged:** 2/25/2026 **Merged by:** [@southpolesteve](https://github.com/southpolesteve) **Base:** `main` ← **Head:** `opencode/mighty-mountain` --- ### 📝 Commits (1) - [`6eabcce`](https://github.com/cloudflare/vinext/commit/6eabccec87e7be9d557ebc183094f81e0830effa) ci: wire up npm publishing with OIDC trusted publishing ### 📊 Changes **3 files changed** (+45 additions, -7 deletions) <details> <summary>View changed files</summary> 📝 `.github/workflows/ci.yml` (+1 -0) 📝 `.github/workflows/publish.yml` (+43 -6) 📝 `packages/vinext/package.json` (+1 -1) </details> ### 📄 Description ## Summary - Adds version bump input (patch/minor/major) to the manual publish workflow - Gates publish on the full CI suite (lint, typecheck, vitest, all 5 e2e projects) - Uses npm OIDC trusted publishing instead of a long-lived `NPM_TOKEN` secret - Tags releases in git after publish (`v0.0.6`, etc.) ## Changes - **`.github/workflows/publish.yml`** — rewrote with version input, CI gate via reusable workflow, OIDC auth (no secrets needed), and git tagging - **`.github/workflows/ci.yml`** — added `workflow_call` trigger so publish can reuse it - **`packages/vinext/package.json`** — fixed `repository.url` to canonical `git+https://...git` format for OIDC validation ## Setup required After merging, configure trusted publishing on npmjs.com: 1. Go to https://www.npmjs.com/package/vinext/access 2. Under **Trusted Publisher**, click **GitHub Actions** 3. Set **Organization** = `cloudflare`, **Repository** = `vinext`, **Workflow filename** = `publish.yml` 4. Save --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>