From 4c79c2cd9dc913b2c3eef1ebdb382e92ab2cde1a Mon Sep 17 00:00:00 2001 From: Jake Ruesink Date: Thu, 16 Jul 2026 19:49:56 -0500 Subject: [PATCH 1/2] docs(ci): correct publish root-cause comment; self-trigger on workflow changes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The 2026-07-13 fix's comment blamed registry-url's dummy token for blocking OIDC. Verification disproved that mechanism: npm attempts OIDC unconditionally (its own CLI source); the true cause was a stale Trusted Publisher binding after the repo was deleted+recreated for the open-source cut — npm binds the original repository, so the UI string looks right while the binding points at the dead repo. Recovered only after delete+re-add on npmjs.com. The dummy token's real effect was disguising the failure as 404-unauthorized instead of an honest ENEEDAUTH, so registry-url stays out for signal quality and the comment now sends the next debugger to the binding first. Also adds publish.yml to its own trigger paths — during the outage every repair needed a manual dispatch. Co-Authored-By: Claude Opus 4.8 Claude-Session: https://claude.ai/code/session_01Kitt7TS73PAVzmzteeU7vW --- .github/workflows/publish.yml | 28 +++++++++++++++++----------- 1 file changed, 17 insertions(+), 11 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 7b9fb4d..4f5b327 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -12,6 +12,10 @@ on: - "scripts/**" - "bin/**" - "package.json" + # The workflow itself: a publish FIX merged to main should re-run the publish it fixes — + # during the 2026-07 outage every repair needed a manual workflow_dispatch because this + # file wasn't in its own trigger paths. + - ".github/workflows/publish.yml" # Tagged release path stays for explicit version cuts. release: types: [published] @@ -40,17 +44,19 @@ jobs: # `npm publish` is invoked directly below — setup-bun doesn't ship npm, # so install Node here. # - # NO `registry-url:` — it is what broke trusted publishing (five red runs, 2026-07-09). - # Passing it makes setup-node write an .npmrc containing - # //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN} - # and export a DUMMY NODE_AUTH_TOKEN (`XXXXX-XXXXX-XXXXX-XXXXX`), on the assumption that a - # publish step will override it with a real token. Since the migration to trusted publishing - # there IS no token — so npm found a credential already sitting in .npmrc, used it, never - # attempted the OIDC exchange (the runs print not one word about OIDC or provenance), and the - # registry rejected the fake token as `404 Not Found - PUT` — npm's way of saying unauthorized. - # The Trusted Publisher config on npmjs.com was correct the whole time; it was never consulted. - # npm defaults to registry.npmjs.org anyway, so dropping this leaves no .npmrc auth line and - # lets the OIDC exchange actually run. + # NO `registry-url:` — and an honest history, because the comment that first landed here + # blamed it for the five red runs of 2026-07-09 and was WRONG about the mechanism. The + # verified root cause was a STALE TRUSTED PUBLISHER BINDING: this repo was deleted and + # recreated for the open-source cut, and npm's Trusted Publisher binds the original + # repository — the npmjs.com UI kept showing the correct owner/repo string while the binding + # underneath pointed at the dead repo. Publishing recovered only after Jake deleted and + # re-added the Trusted Publisher (2026-07-13). npm attempts the OIDC exchange + # unconditionally (per its own CLI source), token present or not. + # What dropping `registry-url` DID do: setup-node writes an .npmrc with a dummy + # NODE_AUTH_TOKEN placeholder, which disguised the real failure as `404 Not Found - PUT` + # (npm's unauthorized). Without it the same failure reads as an honest ENEEDAUTH — so keep + # registry-url out for signal quality, and if a 404/ENEEDAUTH ever returns here, check the + # Trusted Publisher binding FIRST (especially after any repo rename/delete/recreate). - uses: actions/setup-node@v7 with: node-version: 24 From 72e9484336a8bfe59f9f5b166a3d29a4e0ba7236 Mon Sep 17 00:00:00 2001 From: Scout Date: Thu, 16 Jul 2026 20:19:57 -0500 Subject: [PATCH 2/2] ci: require formatting before publish Keep the release workflow aligned with the repository's four mandatory validation gates before any package publish. Agent-Actor: scout Agent-Run-Id: anvil-cycle-001 --- .github/workflows/publish.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 4f5b327..775b84d 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -94,6 +94,10 @@ jobs: if: steps.version_check.outputs.skip != 'true' run: bun run lint + - name: Check formatting + if: steps.version_check.outputs.skip != 'true' + run: bun run format:check + - name: Run typecheck if: steps.version_check.outputs.skip != 'true' run: bun run typecheck