Skip to content

Fix npm trusted publishing#14

Merged
wallstop merged 1 commit into
mainfrom
dev/wallstop/fix-npm
Jul 7, 2026
Merged

Fix npm trusted publishing#14
wallstop merged 1 commit into
mainfrom
dev/wallstop/fix-npm

Conversation

@wallstop

@wallstop wallstop commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Summary

  • Switch the manual npm publish workflow from token/provenance publishing to npm Trusted Publishing through GitHub OIDC.
  • Move the workflow to Node 24, disable release-build package-manager caching, and add a fail-fast npm CLI version gate for >=11.5.1.
  • Add a package.json.files allowlist so the npm tarball contains only the Unity package surface and required root Unity .meta files.

Root Cause

The publish job still exported NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} and used npm publish --provenance. The secret is no longer populated, so npm did not authenticate through Trusted Publishing and failed with ENEEDAUTH. Node 22 also risks bundling npm below the Trusted Publishing minimum.

Validation

  • npm pack --dry-run --json
  • Local package allowlist assertion over the dry-run file list: 126 files, required Unity package files present, forbidden repo/local paths absent.
  • ruby -e "require 'yaml'; YAML.load_file('.github/workflows/npm-publish.yml')"
  • git diff --check
  • Two adversarial review passes; the first replaced a fragile .npmignore blocklist with the current package.json.files allowlist, the second found zero issues.

Risk / Rollback

Risk is limited to the manual npm publish workflow and package tarball contents. Rollback is reverting this commit and restoring token-based publishing while npm Trusted Publisher settings are corrected.


Note

Medium Risk
Changes only affect the manual publish workflow and tarball contents; wrong OIDC/npm setup or a bad files list could block releases or omit required Unity assets.

Overview
Fixes manual npm publishing that failed with ENEEDAUTH after NPM_TOKEN was removed: the workflow now relies on npm Trusted Publishing via GitHub OIDC (id-token: write), drops NODE_AUTH_TOKEN and --provenance, and documents that model in comments.

The publish job moves to Node 24, sets package-manager-cache: false, and adds a fail-fast check that npm ≥ 11.5.1 (Trusted Publishing minimum) before publish.

package.json gains a files allowlist so npm pack ships only the Unity package layout (Editor, Runtime, Tests, docs, and required root .meta files) instead of unrelated repo content.

Reviewed by Cursor Bugbot for commit 0b5db76. Bugbot is set up for automated code reviews on this repo. Configure here.

@wallstop

wallstop commented Jul 7, 2026

Copy link
Copy Markdown
Owner Author

@cursor review

@wallstop wallstop marked this pull request as ready for review July 7, 2026 04:17
Copilot AI review requested due to automatic review settings July 7, 2026 04:18

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 0b5db76. Configure here.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the manual npm publish workflow to use npm Trusted Publishing via GitHub OIDC (instead of token/provenance publishing) and tightens the published tarball contents to the Unity package surface.

Changes:

  • Switch publish authentication to OIDC-based npm Trusted Publishing and add an npm version gate (>= 11.5.1) to fail fast.
  • Move the workflow to Node 24 and adjust Node setup behavior.
  • Add a package.json.files allowlist so npm pack includes only the intended Unity package directories and required root .meta files.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File Description
package.json Adds a files allowlist to constrain what goes into the npm tarball to the Unity package surface (and root .meta files).
.github/workflows/npm-publish.yml Migrates the manual publish workflow to OIDC-based Trusted Publishing, updates Node version, and adds an npm CLI minimum-version check.
Comments suppressed due to low confidence (1)

.github/workflows/npm-publish.yml:32

  • actions/checkout@v7 does not appear to be a released major version of actions/checkout (v4 is the latest). This will cause the workflow to fail at checkout time and block publishing.
      - name: Checkout
        uses: actions/checkout@v7
        with:

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/npm-publish.yml

wallstop commented Jul 7, 2026

Copy link
Copy Markdown
Owner Author

Follow-up on Copilot's suppressed low-confidence note: verified against GitHub's tags API that actions/checkout has v7 / latest v7.0.0, and actions/setup-node has v6 / latest v6.4.0. No workflow version change needed.

wallstop commented Jul 7, 2026

Copy link
Copy Markdown
Owner Author

Validation update: manually dispatched Publish to NPM in dry-run mode against dev/wallstop/fix-npm; run https://github.com/wallstop/DataVisualizer/actions/runs/28841341424 completed successfully. It exercised checkout, Node setup, npm pack, version/dist-tag resolution, the npm >=11.5.1 gate, and the dry-run summary while skipping the actual publish step.

@wallstop wallstop merged commit 4aaeb57 into main Jul 7, 2026
3 checks passed
@wallstop wallstop deleted the dev/wallstop/fix-npm branch July 7, 2026 04:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants