Skip to content

feat: bootstrap workflow for a new package's first npm publish#1785

Draft
nit23uec wants to merge 1 commit into
mainfrom
chore/bootstrap-npm-publish-workflow
Draft

feat: bootstrap workflow for a new package's first npm publish#1785
nit23uec wants to merge 1 commit into
mainfrom
chore/bootstrap-npm-publish-workflow

Conversation

@nit23uec

@nit23uec nit23uec commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds .github/workflows/bootstrap-npm-publish.yaml: a manual (workflow_dispatch) workflow for the one-time first publish of a brand-new workspace package (still "private": true). OIDC Trusted Publishing can't authenticate a package's first-ever publish since no trust binding can exist for a package not yet on the registry.
    • Validates the target package is private and not already published.
    • Flips "private": true off and pushes that commit to main as adobe-bot.
    • Publishes once via npm publish --access public, authenticated with the classic ADOBE_BOT_NPM_TOKEN secret.
    • Opens a draft PR adding the package to the PACKAGES array in scripts/setup-npm-trusted-publishers.sh (source-only — running the script to actually register OIDC trust is still a manual follow-up).
    • Shares the npm-publish environment (main-only branch policy) and npm-publish-main concurrency group with the routine release job so it can't run off main or race a real release.
  • Updates docs/RELEASE-RUNBOOK.md:
    • New "Bootstrapping a new package's first publish" section documenting the flow.
    • Reworks "ADOBE_BOT_NPM_TOKEN retirement" → "ADOBE_BOT_NPM_TOKEN" — the token is reinstated (scoped to the npm-publish environment) to back this workflow; main.yaml's routine release job stays 100% OIDC.
    • Cross-reference to the new workflow file.

Setup required before this workflow can run

  • Recreate the ADOBE_BOT_NPM_TOKEN secret (an npm automation token for the adobe-bot account), ideally scoped to the npm-publish GitHub Environment rather than repo-wide.

Test plan

  • bash -n on every extracted run: step passes (verified locally)
  • YAML parses cleanly (verified locally with yaml.safe_load)
  • Dry-run the workflow against a real still-private package (e.g. spacecat-shared-akamai-client) once ADOBE_BOT_NPM_TOKEN is in place, confirm: private flip commits to main, package publishes, draft trust-registration PR opens with correct PACKAGES insertion

🤖 Generated with Claude Code

New workspace packages start "private": true and OIDC Trusted Publishing
can't authenticate a package's first-ever publish (no trust binding can
exist for a package that isn't on the registry yet). This adds a manual
workflow_dispatch workflow that flips private off, does the one-time
publish with the ADOBE_BOT_NPM_TOKEN classic token, and opens a draft PR
to register the package in setup-npm-trusted-publishers.sh. Documents the
flow in RELEASE-RUNBOOK.md.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant