33 changes: 33 additions & 0 deletions .github/workflows/publish.yml
@@ -0,0 +1,33 @@
# Publish Package Workflow for https://docs.npmjs.com/trusted-publishers
name: Publish Package

on:
push:
tags:
- 'v*'

permissions:
id-token: write # Required for OIDC
contents: read

jobs:
publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4

- name: Setup Node.js
uses: actions/setup-node@v6
with:
node-version: 24
registry-url: 'https://registry.npmjs.org'

- run: npm install

- run: make
- run: make tsc
- run: make test-headless
- run: make test-headless-jquery

- run: make link
- run: npx lerna publish from-package --yes --skip-npm --no-git-tag-version
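Review bot: the final `npx lerna publish from-package --yes --skip-npm --no-git-tag-version` step never publishes, so if the goal is a working release workflow, drop `--skip-npm` (and if it is a deliberate dry run for now, say so in a comment beside it). Two hardening points for a job that holds `id-token: write`: `actions/checkout@v4` and `actions/setup-node@v6` are mutable tags, so pin them to commit SHAs, and `npm install` should be `npm ci` so the build fails on a lockfile mismatch instead of rewriting it. Consider also giving the `publish` job an `environment:` so the npm trusted-publisher entry can be scoped to it rather than to any run of publish.yml on a `v*` tag.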
Comment on lines +19 to +33

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find and examine package.json for Lerna version
fd -t f "package.json" | head -5 | while read -r f; do
  echo "=== File: $f ==="
  # jq prints nothing (not an error) when neither key exists, so test its output
  v=$(jq -r '.devDependencies.lerna // .dependencies.lerna // empty' "$f" 2>/dev/null)
  echo "${v:-No lerna found}"
done

Repository: knockout/tko

Length of output: 271


🏁 Script executed:

#!/bin/bash
# Check for .npmrc files and their content
fd -t f ".npmrc" | while read f; do
  echo "=== File: $f ==="
  cat "$f"
done

Repository: knockout/tko

Length of output: 38


🏁 Script executed:

#!/bin/bash
# Examine the complete workflow file for context
head -50 .github/workflows/publish.yml

Repository: knockout/tko

Length of output: 766


🌐 Web query:

Lerna publish command npm OIDC trusted publishers GitHub Actions

💡 Result:

Summary — using Lerna publish with npm OIDC (Trusted Publishers) from GitHub Actions

  • Lerna v9+ supports npm’s Trusted Publishing (OIDC) flow — no npm token required; Lerna will use the workflow-issued OIDC token when publishing. [1]
  • npm Trusted Publishers (OIDC) lets you register a GitHub Actions workflow (org/repo + workflow filename + environment) as the only allowed publisher for a package; publishing uses short‑lived credentials and emits provenance. Requires npm CLI >= 11.5.1. [2][3]
  • GitHub Actions requirements: enable the id-token permission (id-token: write) for the workflow and use GitHub-hosted runners; configure actions/setup-node (registry URL) so npm publish runs in that environment. Exact workflow filename and environment must match the configuration on npm. [2][4]
  • Practical notes with Lerna/GHA:
    • With OIDC/trusted-publisher configured on npm, simply run lerna publish in the workflow — Lerna v9+ will work with the OIDC exchange. [1][5]
    • If you instead use an npm automation token, older Lerna checks may fail (403 on npm whoami). If using an automation token you may need --no-verify-access with lerna publish to bypass Lerna’s access verification. Prefer OIDC for security. [6][1]
    • Trusted publishing currently requires cloud-hosted runners (GitHub-hosted); self-hosted runners are not supported for OIDC trusted publishing. [2]

References

  1. Lerna docs — Using OIDC trusted publishing with Lerna. [Lerna docs]. [1]
  2. npm Docs — Trusted publishing for npm packages. [npm docs]. [2]
  3. GitHub Changelog — npm trusted publishing with OIDC (GA). [GitHub blog]. [3]
  4. npm Docs — Trusted publishing troubleshooting / GitHub Actions note. [npm docs]. [2]
  5. Example repos / samples showing Lerna v9 OIDC examples (JamesHenry / lerna-v9-oidc example). [5]
  6. Community note / workaround: use --no-verify-access when publishing with npm automation tokens (Stack Overflow / GitHub issue). [6][1]

Would you like a ready-to-use GitHub Actions workflow example that runs lerna publish via OIDC?


🌐 Web query:

setup-node v6 npm OIDC authentication .npmrc configuration

💡 Result:

Short how-to + examples.

Key points

  • setup-node v6 configures registry and can create a project .npmrc but OIDC publish uses npm's "Trusted publishing" (no long‑lived token) and is handled by the npm CLI (npm ≥ 11.5.1). [1][2]
  • Your workflow must grant id-token: write so Actions can mint OIDC tokens. For installs of private packages you still need a read token (NODE_AUTH_TOKEN); only publish can use OIDC/TRUSTED PUBLISHING. [2][3]

Minimal workflow (publish with OIDC + install private deps)

permissions:
  contents: read
  id-token: write
steps:
  - uses: actions/checkout@v5
  - uses: actions/setup-node@v6
    with:
      node-version: 24
      registry-url: 'https://registry.npmjs.org' # optional for npmjs
  - name: Install deps (private deps require token)
    env:
      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_READONLY }}
    run: npm ci
  - name: Publish (Trusted publishing / OIDC)
    run: npm publish
    # do NOT set NODE_AUTH_TOKEN for this step so npm uses OIDC

Example .npmrc patterns

  • For npmjs installs using a CI token (set NODE_AUTH_TOKEN in env):
    //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
  • For GitHub Packages scoped registry:
    @your-scope:registry=https://npm.pkg.github.com
    //npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}

Notes / requirements

  • Enable Trusted Publisher for your package on npmjs.com (configure repo + workflow filename). Then npm CLI will exchange the GitHub OIDC ID token for a registry write token automatically when publishing. [2][4]
  • Ensure npm CLI >= 11.5.1 (Trusted publishing support) and use GitHub-hosted runners (OIDC currently limited to cloud runners). [2][4]
  • setup-node v6 can write .npmrc and set registry-url/scope inputs to help auth setup. [1]

Sources
[1] actions/setup-node (README).
[2] npm — Trusted publishing / OIDC docs.
[3] npm docs example (Trusted publishing workflow).
[4] blog/examples and community guides on OIDC trusted publishing.


Remove --skip-npm flag from Lerna publish command.

The workflow is correctly configured for OIDC trusted publishing (Lerna v9.0.3 supports it, id-token: write permission is set, setup-node@v6 configures the registry), but the --skip-npm flag on line 33 prevents npm publishing entirely. This flag should be removed so the publish command actually pushes to npm. The OIDC token from GitHub Actions will be automatically used by npm CLI for authentication with the configured trusted publisher.

🤖 Prompt for AI Agents
.github/workflows/publish.yml around lines 19 to 33: the Lerna publish
invocation includes the --skip-npm flag which prevents packages from being
pushed to npm; remove the --skip-npm flag from the npx lerna publish command so
it actually publishes to npm (keep the other flags like --yes and
--no-git-tag-version as needed) and commit the updated workflow.


⚠️ Potential issue | 🔴 Critical

Remove --skip-npm flag to enable publishing.

The --skip-npm flag prevents the workflow from actually publishing to npm. Based on the commit message, this was intentionally disabled for testing, but it means the workflow won't fulfill its stated purpose.

🔎 Proposed fix to enable publishing
-      - run: npx lerna publish from-package --yes --skip-npm --no-git-tag-version
+      - run: npx lerna publish from-package --yes --no-git-tag-version
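Review bot: the suggested line drops `--skip-npm`, which this comment itself says was disabled on purpose for testing; once it lands, the first `v*` tag pushed after merge publishes for real, so confirm the trusted-publisher entry on npmjs.com names this repository and `publish.yml` before applying it, otherwise the publish step fails authentication rather than silently skipping.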
🤖 Prompt for AI Agents
In .github/workflows/publish.yml around line 33 the lerna publish command uses
the --skip-npm flag which prevents packages from being published to npm; remove
the --skip-npm flag from the run command so it becomes: npx lerna publish
from-package --yes --no-git-tag-version (or simply drop --skip-npm while
preserving other flags), commit the change so the workflow will perform actual
npm publishing.
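A check for the points raised in the two review comments above, as an added example in POSIX sh (not code from the PR or the tko project): the sample workflow it writes is a constructed copy of the publish.yml in this PR, and treating only a full 40-hex commit id as "pinned" is this example's assumption.

```shell
# Added example (not code from the PR or the tko project): a POSIX sh lint for
# an npm trusted-publishing workflow. It reports the points raised in the review
# above and returns the number of findings (0 = nothing flagged).
check_publish_workflow() {
  file=$1; findings=0
  # Without id-token: write the runner cannot mint the OIDC token npm exchanges.
  if ! grep -Eq '^[[:space:]]*id-token:[[:space:]]*write' "$file"; then
    echo "MISSING: id-token: write (needed for the OIDC token exchange)"
    findings=$((findings + 1))
  fi
  # --skip-npm turns lerna publish into a no-op as far as the registry goes.
  if grep -Eq 'lerna publish.*--skip-npm' "$file"; then
    echo "SKIP-NPM: lerna publish carries --skip-npm; nothing is pushed to npm"
    findings=$((findings + 1))
  fi
  # A `uses:` ref that is not a 40-hex commit SHA is a mutable tag or branch;
  # a job holding id-token: write should pin what it executes (assumption).
  unpinned=$(sed -n 's/^[[:space:]]*-*[[:space:]]*uses:[[:space:]]*//p' "$file" \
             | grep -Ev '@[0-9a-f]{40}$' || true)
  for ref in $unpinned; do
    echo "UNPINNED: $ref is a mutable ref; pin it to a commit SHA"
    findings=$((findings + 1))
  done
  # npm install may rewrite package-lock.json; npm ci fails instead on mismatch.
  if grep -Eq 'run:[[:space:]]*npm install([[:space:]]|$)' "$file"; then
    echo "LOCKFILE: npm install used; prefer npm ci so the lockfile is enforced"
    findings=$((findings + 1))
  fi
  return "$findings"
}
# Constructed sample: the publish.yml from this PR, written to the given path.
write_sample_workflow() {
  cat > "$1" <<'EOF'
name: Publish Package
on: { push: { tags: ['v*'] } }
permissions:
  id-token: write
  contents: read
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v6
        with: { node-version: 24, registry-url: 'https://registry.npmjs.org' }
      - run: npm install
      - run: npx lerna publish from-package --yes --skip-npm --no-git-tag-version
EOF
}
```

Run `check_publish_workflow .github/workflows/publish.yml` in a checkout; on the PR's file it reports four findings and exits 4, and a file with `--skip-npm` removed, `npm ci`, and SHA-pinned actions exits 0.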