ci(npm): add manual_otp workflow_dispatch auth path#68
Merged
Conversation
The OIDC trusted publisher path keeps returning `404 'getskillet is not in this registry'` from the production environment despite repeated debug iterations. To unblock releases when the OIDC path is broken, add a manual_otp dispatch path: - Two new `workflow_dispatch` inputs: `auth_method` (oidc|manual_otp) and `npm_otp` (the current 2FA OTP code). - A `Configure manual OTP auth` step writes `NODE_AUTH_TOKEN` from the `NPM_TOKEN` environment secret to `$GITHUB_ENV`, overriding the value that `actions/setup-node` set via OIDC. The publish steps then pass `--otp` so both `getskillet` and `@echohello/skillet` are published with the same one-time password. - The legacy OIDC path is unchanged and remains the default. - `docs/distribution/npm.md` documents the bootstrap flow and the prerequisite of adding `NPM_TOKEN` to the production environment. Co-authored-by: codex@echohello.dev
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a
manual_otpworkflow_dispatchauth path tonpm-publish.yamlso releases can be unblocked when the OIDC trusted publisher path returns404 'getskillet is not in this registry'. The legacy OIDC path is unchanged and remains the default forrelease: publishedevents.Changes
.github/workflows/npm-publish.yaml:workflow_dispatchinputs:auth_method(oidc|manual_otp, defaultoidc) andnpm_otp(2FA code, masked in logs).Configure manual OTP auththat:secrets.NPM_TOKENis present on theproductionenvironment.inputs.npm_otpis supplied.NODE_AUTH_TOKEN=${NPM_TOKEN}to$GITHUB_ENV, overriding the OIDC value fromactions/setup-node.NPM_OTP_CONFIGURED=trueso the publish steps know to pass--otp.Publish packageandPublish scoped aliassteps now pass--otp="${NPM_OTP}"when the manual path is selected.docs/distribution/npm.md:NPM_TOKENas an environment secret onproductionand the dispatch flow.Consequences
NPM_TOKENneeds to be added manually on theproductionGitHub environment before this path can be exercised. (Cannot be done from this PR.)workflow: writeaccess to the repo and access to theproductionenvironment can dispatch withmanual_otp. The OTP code is masked in logs but is visible in the dispatch payload. Recommend rotating the OTP after each dispatch and theNPM_TOKENsecret if it was ever exposed.Testing
mise run cipasses: 21 test files, 103 tests pass; npm publish dry-run succeeds.python3 -c "import yaml; yaml.safe_load(open('.github/workflows/npm-publish.yaml'))".npm-publish.yamldispatch withauth_method=oidcand the existing setup continues to use OIDC and is unchanged.Follow-ups
404so manual OTP is the exception, not the norm. Track separately.NPM_TOKENis added as a production environment secret, document the bootstrap publish procedure inAGENTS.mdso it's discoverable for future releases.