feat: bootstrap workflow for a new package's first npm publish#1785
Draft
nit23uec wants to merge 1 commit into
Draft
feat: bootstrap workflow for a new package's first npm publish#1785nit23uec wants to merge 1 commit into
nit23uec wants to merge 1 commit into
Conversation
New workspace packages start "private": true and OIDC Trusted Publishing can't authenticate a package's first-ever publish (no trust binding can exist for a package that isn't on the registry yet). This adds a manual workflow_dispatch workflow that flips private off, does the one-time publish with the ADOBE_BOT_NPM_TOKEN classic token, and opens a draft PR to register the package in setup-npm-trusted-publishers.sh. Documents the flow in RELEASE-RUNBOOK.md. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
.github/workflows/bootstrap-npm-publish.yaml: a manual (workflow_dispatch) workflow for the one-time first publish of a brand-new workspace package (still"private": true). OIDC Trusted Publishing can't authenticate a package's first-ever publish since no trust binding can exist for a package not yet on the registry."private": trueoff and pushes that commit tomainasadobe-bot.npm publish --access public, authenticated with the classicADOBE_BOT_NPM_TOKENsecret.PACKAGESarray inscripts/setup-npm-trusted-publishers.sh(source-only — running the script to actually register OIDC trust is still a manual follow-up).npm-publishenvironment (main-only branch policy) andnpm-publish-mainconcurrency group with the routine release job so it can't run offmainor race a real release.docs/RELEASE-RUNBOOK.md:npm-publishenvironment) to back this workflow;main.yaml's routine release job stays 100% OIDC.Setup required before this workflow can run
ADOBE_BOT_NPM_TOKENsecret (an npm automation token for theadobe-botaccount), ideally scoped to thenpm-publishGitHub Environment rather than repo-wide.Test plan
bash -non every extractedrun:step passes (verified locally)yaml.safe_load)spacecat-shared-akamai-client) onceADOBE_BOT_NPM_TOKENis in place, confirm: private flip commits tomain, package publishes, draft trust-registration PR opens with correctPACKAGESinsertion🤖 Generated with Claude Code