Skip to content

feat: prep npm release — activate publish workflow, add registry metadata#2

Open
a-tokyo wants to merge 1 commit into
mainfrom
chore/npm-release-prep
Open

feat: prep npm release — activate publish workflow, add registry metadata#2
a-tokyo wants to merge 1 commit into
mainfrom
chore/npm-release-prep

Conversation

@a-tokyo

@a-tokyo a-tokyo commented Jul 15, 2026

Copy link
Copy Markdown
Member

Summary

  • Un-dormants release.yml: enables OIDC-based npm publish --provenance (no NPM_TOKEN secret), and creates the GitHub Release after publish succeeds so a failed publish can never leave a tag/release with no matching npm version.
  • Adds registry-ready package.json metadata: drops private: true, adds publishConfig.access: public, repository, homepage, bugs. Bumps version 0.1.3 -> 0.1.4.
  • Updates README: real npm i -D @zoldytech/javascript install command (replacing the GitHub-URL-pinned-tag install), adds npm version/downloads + CI badges.

Context

Prompted by creating the zoldytech npm org and auditing this repo's CI/release setup against a-tokyo/apple-signin-auth. That repo creates its GitHub Release before npm publish, and its NPM_TOKEN has been silently expired for over a month — its latest release has no matching npm version with no alerting. This PR sequences the opposite way (publish first, release second) so that failure mode can't happen here.

Prerequisite (not part of this PR)

Before the first tag push will actually publish, OIDC trusted publishing needs to be enabled on npmjs.com for this package: Settings -> Trusted Publisher -> GitHub Actions -> Zoldytech/javascript -> release.yml.

Test plan

  • npm run lint passes
  • npm test passes (22/22)
  • release.yml YAML validated
  • After merge: enable npm trusted publisher, then push tag v0.1.4 and confirm the release workflow publishes to npm and creates a GitHub Release
  • Backfill missing GitHub Releases for tags 0.1.1, 0.1.2, 0.1.3 (tracked separately, not in this PR)

…data — 0.1.4

Un-dormants release.yml now that the zoldytech npm org exists: enables
OIDC-based `npm publish --provenance`, and creates the GitHub Release only
after publish succeeds (so a failed publish can never leave a tag/release
with no matching npm version). Adds package.json registry metadata
(publishConfig, repository, homepage, bugs) and drops `private: true`.
Updates README to the real npm install command and adds npm/CI badges.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant