From 5493455f69ec79e41e86b903866978da819f82aa Mon Sep 17 00:00:00 2001 From: "vorflux[bot]" <249966464+vorflux[bot]@users.noreply.github.com> Date: Thu, 16 Apr 2026 19:41:58 -0700 Subject: [PATCH] ci: switch npm packages to trusted publishing (OIDC) (#863) Co-authored-by: Dhravya Shah --- .github/workflows/publish-ai-sdk.yml | 25 ++++++++++++++++++---- .github/workflows/publish-memory-graph.yml | 25 ++++++++++++++++++---- .github/workflows/publish-tools.yml | 25 ++++++++++++++++++---- packages/tools/package.json | 2 +- 4 files changed, 64 insertions(+), 13 deletions(-) diff --git a/.github/workflows/publish-ai-sdk.yml b/.github/workflows/publish-ai-sdk.yml index 3f69b421..848c7a71 100644 --- a/.github/workflows/publish-ai-sdk.yml +++ b/.github/workflows/publish-ai-sdk.yml @@ -23,8 +23,12 @@ jobs: - name: Setup Node uses: actions/setup-node@v4 with: + node-version: '24' registry-url: 'https://registry.npmjs.org' + - name: Upgrade npm for trusted publishing support + run: npm install -g npm@latest + - name: Setup Bun uses: oven-sh/setup-bun@v2 @@ -34,11 +38,24 @@ jobs: - name: Install dependencies run: bun install + - name: Check if version changed + id: version-check + run: | + PACKAGE_NAME=$(jq -r '.name' package.json) + LOCAL_VERSION=$(jq -r '.version' package.json) + NPM_VERSION=$(npm view "$PACKAGE_NAME" version 2>/dev/null || echo "0.0.0") + if [ "$LOCAL_VERSION" = "$NPM_VERSION" ]; then + echo "Version $LOCAL_VERSION already published, skipping." + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "Publishing $LOCAL_VERSION (npm has $NPM_VERSION)" + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + - name: Build + if: steps.version-check.outputs.changed == 'true' run: bun run build - name: Publish - run: pnpm publish --access public --verbose - env: - NPM_CONFIG_PROVENANCE: true - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} \ No newline at end of file + if: steps.version-check.outputs.changed == 'true' + run: npm publish --access public --provenance 
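Review bot: The added `Upgrade npm for trusted publishing support` step in publish-ai-sdk.yml runs `npm install -g npm@latest`, so each release is packed and published with whatever npm version is newest at that moment, in the same job that obtains the OIDC publishing credential. Pin the CLI to an exact, reviewed version that meets the trusted-publishing minimum, for example `run: npm install -g npm@11.5.1`, and bump it deliberately. The same unpinned step is added in publish-memory-graph.yml and publish-tools.yml. A comment above the step, such as `# trusted publishing needs npm >= 11.5.1; pinned so the publish toolchain is reproducible`, would record why it exists. The job's `permissions:` block is outside this hunk, so confirm it grants `id-token: write` and nothing broader.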
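Review bot: The `Check if version changed` step in publish-ai-sdk.yml compares the local version with `npm view "$PACKAGE_NAME" version`, which reports only the `latest` dist-tag, and `2>/dev/null || echo "0.0.0"` turns any lookup failure into "not published". A version that is already on the registry but is not `latest`, or a transient registry error, therefore sets `changed=true`, and the job fails late in Publish instead of skipping. Querying the exact version is more direct: `PUBLISHED=$(npm view "$PACKAGE_NAME@$LOCAL_VERSION" version 2>/dev/null || true)` with `if [ -n "$PUBLISHED" ]; then` guarding the skip branch. It would also help to fail the step on errors other than not-found rather than discarding stderr. The identical step is added in publish-memory-graph.yml and publish-tools.yml.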
diff --git a/.github/workflows/publish-memory-graph.yml b/.github/workflows/publish-memory-graph.yml index 65b24e8d..295a45f6 100644 --- a/.github/workflows/publish-memory-graph.yml +++ b/.github/workflows/publish-memory-graph.yml @@ -23,8 +23,12 @@ jobs: - name: Setup Node uses: actions/setup-node@v4 with: + node-version: '24' registry-url: 'https://registry.npmjs.org' + - name: Upgrade npm for trusted publishing support + run: npm install -g npm@latest + - name: Setup Bun uses: oven-sh/setup-bun@v2 @@ -34,11 +38,24 @@ jobs: - name: Install dependencies run: bun install + - name: Check if version changed + id: version-check + run: | + PACKAGE_NAME=$(jq -r '.name' package.json) + LOCAL_VERSION=$(jq -r '.version' package.json) + NPM_VERSION=$(npm view "$PACKAGE_NAME" version 2>/dev/null || echo "0.0.0") + if [ "$LOCAL_VERSION" = "$NPM_VERSION" ]; then + echo "Version $LOCAL_VERSION already published, skipping." + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "Publishing $LOCAL_VERSION (npm has $NPM_VERSION)" + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + - name: Build + if: steps.version-check.outputs.changed == 'true' run: bun run build - name: Publish - run: pnpm publish --access public --verbose - env: - NPM_CONFIG_PROVENANCE: true - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + if: steps.version-check.outputs.changed == 'true' + run: npm publish --access public --provenance diff --git a/.github/workflows/publish-tools.yml b/.github/workflows/publish-tools.yml index b8d271de..9d745203 100644 --- a/.github/workflows/publish-tools.yml +++ b/.github/workflows/publish-tools.yml @@ -23,8 +23,12 @@ jobs: - name: Setup Node uses: actions/setup-node@v4 with: + node-version: '24' registry-url: 'https://registry.npmjs.org' + - name: Upgrade npm for trusted publishing support + run: npm install -g npm@latest + - name: Setup Bun uses: oven-sh/setup-bun@v2 
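Review bot: The Publish step in publish-memory-graph.yml now calls `npm publish` where it previously called `pnpm publish`, and npm does not rewrite `workspace:` dependency specifiers the way pnpm does when packing. If the package's package.json (not shown in this hunk) declares any `workspace:` dependencies, the published manifest would carry them verbatim and fail to install for consumers. The same switch is made in publish-ai-sdk.yml and publish-tools.yml. A guard before publishing, such as `run: "! grep -q '\"workspace:' package.json"`, would catch this. As far as these hunks show, `NPM_TOKEN` is no longer read by the workflows, so the long-lived token should be revoked on the registry and removed from the repository secrets rather than left valid alongside OIDC.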
@@ -34,11 +38,24 @@ jobs: - name: Install dependencies run: bun install + - name: Check if version changed + id: version-check + run: | + PACKAGE_NAME=$(jq -r '.name' package.json) + LOCAL_VERSION=$(jq -r '.version' package.json) + NPM_VERSION=$(npm view "$PACKAGE_NAME" version 2>/dev/null || echo "0.0.0") + if [ "$LOCAL_VERSION" = "$NPM_VERSION" ]; then + echo "Version $LOCAL_VERSION already published, skipping." + echo "changed=false" >> "$GITHUB_OUTPUT" + else + echo "Publishing $LOCAL_VERSION (npm has $NPM_VERSION)" + echo "changed=true" >> "$GITHUB_OUTPUT" + fi + - name: Build + if: steps.version-check.outputs.changed == 'true' run: bun run build - name: Publish - run: pnpm publish --access public --verbose - env: - NPM_CONFIG_PROVENANCE: true - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + if: steps.version-check.outputs.changed == 'true' + run: npm publish --access public --provenance diff --git a/packages/tools/package.json b/packages/tools/package.json index f58a48f7..c4a39da4 100644 --- a/packages/tools/package.json +++ b/packages/tools/package.json @@ -1,7 +1,7 @@ { "name": "@supermemory/tools", "type": "module", - "version": "1.4.02", + "version": "1.4.4", "description": "Memory tools for AI SDK and OpenAI function calling with supermemory", "scripts": { "build": "tsdown",