Skip to content

fix: release-npm workflow checkout and npm publish token#112

Merged
lwshang merged 2 commits into
mainfrom
lwshang/fix_release_npm
May 12, 2026
Merged

fix: release-npm workflow checkout and npm publish token#112
lwshang merged 2 commits into
mainfrom
lwshang/fix_release_npm

Conversation

@lwshang
Copy link
Copy Markdown
Contributor

@lwshang lwshang commented May 11, 2026
edited
Loading

SDK-2707

Summary

Two bugs prevented the first npm publish from succeeding:

  1. Missing npm/ directory at release tag — the workflow checked out at ref: ${{ inputs.version }}, but the npm/ directory was introduced after the 0.9.11 release tag. The workflow only needs scripts from the default branch (binaries are downloaded from the specified release), so the ref pin is removed.

  2. Missing release GitHub environmentnpm publish --provenance requires an npm token with publish access to @icp-sdk. This repo does not have the release environment set up yet, which is the organizational convention for trusted publishing to npm. The workflow fell back to a narrower-scoped repo-level token that returned 404 when trying to create new packages. Adding environment: release to the workflow job declares the dependency; the environment itself still needs to be created (see Prerequisites below).

Prerequisites (action required before merging)

  • InfraSec: Set up the release environment in this repo's GitHub settings following the organizational convention for trusted publishing to npm.

Test plan

lwshang and others added 2 commits May 11, 2026 09:07
@lwshang @claude
fix: checkout default branch in release-npm workflow
6a4b005 
The npm/ directory was added after the 0.9.11 release tag, so checking
out at the release ref caused a missing working directory error. The
workflow only needs the scripts from the default branch; binaries are
downloaded from the specified release version by the script itself.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@lwshang @claude
fix: add release environment for npm publish token access
340a718 
The npm token with publish access to @icp-sdk is stored in the release
GitHub environment, not as a repo-level secret. Without this declaration
the job used a narrower-scoped token that could not create new packages.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@lwshang lwshang changed the title fix: checkout default branch in release-npm workflow fix: release-npm workflow checkout and npm publish token May 11, 2026
@lwshang lwshang deployed to release May 12, 2026 13:49 — with GitHub Actions Active
@lwshang lwshang marked this pull request as ready for review May 12, 2026 13:53
@lwshang lwshang requested a review from a team as a code owner May 12, 2026 13:53
@lwshang lwshang merged commit 3e13d85 into main May 12, 2026
13 checks passed
@lwshang lwshang deleted the lwshang/fix_release_npm branch May 12, 2026 14:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adamspofford-dfinity adamspofford-dfinity adamspofford-dfinity approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lwshang @adamspofford-dfinity