Skip to content

Add package to JSR #462

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
w3nl wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Add package to JSR #462

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
2b4d801
Add package also to JSR
pieterwigboldus-visma Sep 12, 2025
8c005b3
Finetune the types
pieterwigboldus-visma Sep 12, 2025
2c8e88c
Merge branch 'main' into feature/jsr-deno
pieterwigboldus-visma Jan 16, 2026
ce6c471
Merge remote-tracking branch 'origin/main' into feature/jsr-deno
pieterwigboldus-visma Jan 16, 2026
7c3c85e
Updates deno.lock and src/server.js
pieterwigboldus-visma Jan 16, 2026
bb8af90
Update the deno version in the lint actions
pieterwigboldus-visma Jan 16, 2026
31bad14
Merge remote-tracking branch 'origin/main' into feature/jsr-deno
pieterwigboldus-visma Jan 22, 2026
51c8b3b
Merge remote-tracking branch 'origin/main' into feature/jsr-deno
pieterwigboldus-visma Jan 23, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 13 additions & 1 deletion .github/workflows/lint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,10 +12,22 @@ jobs:
uses: actions/setup-node@v5
with:
node-version: 22
cache: "npm"
cache: 'npm'

- name: npm lint
run: |
npm ci
npm run lint
npm run lint:types
env:
CI: true

- name: Install Deno
uses: denoland/setup-deno@v1
with:
deno-version: v1.x

- name: Deno lint
run: deno lint
- name: Deno check
run: deno task check
10 changes: 8 additions & 2 deletions .github/workflows/npm-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,9 @@ jobs:
publish-npm:
needs: build
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v5
with:
Expand Down Expand Up @@ -53,10 +56,13 @@ jobs:
git reset --hard "refs/tags/${TAG}" # Ensure code matches the tag
git pull origin ${{ steps.get_branch.outputs.branch }}
npm version $TAG --no-git-tag-version
git add package.json package-lock.json
jq '.version = "'$TAG'"' jsr.json > jsr.json.tmp && mv jsr.json.tmp jsr.json
jq '.version = "'$TAG'"' deno.json > deno.json.tmp && mv deno.json.tmp deno.json
git add package.json package-lock.json jsr.json deno.json
git commit -m "ci: set version to $TAG [skip ci]" || true
git push origin ${{ steps.get_branch.outputs.branch }}
- run: npm run build --if-present
- run: npm publish --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
- run: npx jsr publish
Comment on lines +67 to +68
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Jan 16, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

JSR publish CLI authentication requirements GitHub OIDC

💡 Result:

Summary — authentication requirements for using the JSR CLI to publish (including GitHub Actions / OIDC):

  • Local machine publish:

    • Run jsr publish (or deno publish / npx jsr publish); the CLI opens your browser and you authenticate to your JSR account (OAuth flow). No CLI token required. [1]

  • Publish from GitHub Actions (OIDC / CI):

    • Link the JSR package to the GitHub repository in your package’s publish settings on jsr.io. [1]
    • In your workflow grant the runner permissions to request an ID token and read repo contents, e.g.:
      permissions:
      contents: read
      id-token: write
    • Run npx jsr publish (or deno publish) in the workflow; the publish uses the OIDC token from Actions (no stored secrets needed). [1][2]

Sources:

  • JSR publishing docs (local + GitHub Actions instructions). [1]
  • GitHub docs on using OIDC from Actions (auth pattern / id-token usage). [2]

Would you like me to show an example GitHub Actions workflow for JSR publish?

🌐 Web query:

JSR CLI jsr publish token authentication GitHub Actions

💡 Result:

Short answer — two supported ways to authenticate jsr publish in GitHub Actions:

  1. GitHub Actions OIDC (recommended / no secrets)
  • Link your JSR package to the GitHub repo in JSR package settings.
  • Give the workflow permission: permissions: contents: read and id-token: write.
  • Run the CLI in the job (no secret needed): e.g.
    • uses: actions/checkout@v5
    • run: npx jsr publish
  • The Actions runner exchanges GitHub OIDC for a short-lived JSR token (sent as Authorization: githuboidc ...). [1][2]
  1. Personal access token (when not using OIDC)
  • Create a JSR personal access token with publish permission in your JSR account.
  • Store it as a GitHub secret (e.g. JSR_TOKEN) and pass it to the job step (env or arg). Example: env: JSR_TOKEN: ${{ secrets.JSR_TOKEN }} then npx jsr publish (CLI will read it). This approach requires configuring the token scope and repo/package settings. [3][1]

Notes / gotchas

  • OIDC tokens only support package publish permission and require the package→repo link in JSR settings. [2]
  • If you get actor/scope membership errors, check scope membership or JSR GitHub Actions security settings. [1][4]

Sources:
[1] JSR — Publishing from GitHub Actions (docs).
[2] JSR — API / Authentication (docs).
[3] Stainless / third‑party guide — using JSR personal access tokens.
[4] JSR — Troubleshooting (actorNotScopeMember).

🌐 Web query:

JSR package registry authentication methods npm CLI alternative

💡 Result:

Summary — JSR authentication methods and alternatives to the npm CLI

  • Publishing from your workstation: the official jsr CLI (and deno publish) open your browser to authenticate and ask you to “Allow” the CLI to publish (browser-based OAuth flow). No manual token entry is required for local publish. [1][2]

  • CI / automated publishing: you can publish from GitHub Actions by linking the package to your GitHub repo; the workflow runs npx jsr publish and uses the GitHub integration (no repository secret required). [1]

  • Installing/consuming packages: JSR exposes an npm-compatible registry at https://npm.jsr.io; consumption is handled by configuring your package manager via an .npmrc entry (e.g. @jsr:registry=https://npm.jsr.io). Public package installs need no extra credentials; private/enterprise setups can use private registries that upstream from JSR. [3][1]

  • npm CLI alternative / helper tools:

    • jsr (the JSR CLI / jsr-npm helper) — provides npx jsr add / jsr publish and auto-updates .npmrc to point @jsr at npm.jsr.io (useful alternative/integration for npm-based projects). [2]
    • Use other package managers (pnpm, Yarn, vlt) which support configuring @jsr scope or auto-configure newer versions to read from npm.jsr.io. Private registries (e.g. Cloudsmith) can be configured to use JSR as an upstream. [3][4]

Sources

  • JSR docs — Publishing (browser auth + GitHub Actions publishing). [1]
  • jsr-npm (JSR CLI / npm helper) GitHub README. [2]
  • JSR docs — npm compatibility / .npmrc instructions. [3]
  • Cloudsmith announcement — JSR upstream support (private registry integration). [4]

Add OIDC permissions for JSR publish.

npx jsr publish requires GitHub Actions OIDC by default. The workflow must include permissions to request an ID token:

permissions:
  contents: read
  id-token: write

Additionally, ensure the JSR package is linked to this GitHub repository in JSR package settings (via jsr.io). Alternatively, if OIDC cannot be used, configure JSR_TOKEN environment variable with a personal access token instead.

🤖 Prompt for AI Agents 
In @.github/workflows/npm-publish.yml around lines 67 - 68, Update the GitHub
Actions workflow so the step that runs "npx jsr publish" can request an OIDC ID
token: add a permissions block with "contents: read" and "id-token: write" to
the workflow and ensure the JSR package is linked to this repo in the JSR
package settings; if OIDC is not possible, instead configure the publish step to
use a JSR_TOKEN environment variable with a personal access token.

14 changes: 14 additions & 0 deletions deno.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
{
"name": "@trojs/openapi-server",
"version": "3.4.1",
"license": "MIT",
"exports": "./src/server.js",
Comment on lines +2 to +5
Copy link

Copilot AI Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

deno.json hardcodes version 3.4.1, which is currently out of sync with package.json (3.5.1). Keeping these aligned avoids accidental publishes with mismatched versions (especially if jsr publish / Deno publishing is run outside the release workflow).

Copilot uses AI. Check for mistakes.
"compilerOptions": {
"lib": [
"esnext"
]
},
"tasks": {
"check": "deno check src/server.js"
}
}
20 changes: 18 additions & 2 deletions jsconfig.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,14 +1,30 @@
{
"compilerOptions": {
"allowJs": true,
"checkJs": true,
"target": "ESNext",
"module": "NodeNext",
"moduleResolution": "nodenext",
"lib": [
"ESNext"
],
"rootDirs": [
"src"
"src",
"types"
],
"baseUrl": ".",
"resolveJsonModule": true,
"types": [
"node"
],
"resolveJsonModule": true
"skipLibCheck": true,
"esModuleInterop": true,
"noEmit": true
},
"include": [
"src/**/*",
"types/**/*"
],
"exclude": [
"node_modules",
"**/node_modules/*"
Expand Down
6 changes: 6 additions & 0 deletions jsr.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
{
"name": "@trojs/openapi-server",
"version": "3.4.1",
Copy link

Copilot AI Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

jsr.json hardcodes version 3.4.1, which is currently out of sync with package.json (3.5.1). Keeping these aligned avoids accidental publishes with mismatched versions (especially if jsr publish is run outside the release workflow).

Suggested change
"version": "3.4.1",
"version": "3.5.1",

Copilot uses AI. Check for mistakes.
"license": "MIT",
"exports": "./src/server.js"
}
Loading
Loading