mirror of
https://github.com/wirenboard/agent-vm.git
synced 2026-07-09 16:00:54 +00:00
release-npm: publish via npm OIDC trusted publishing; restore agentd-from-source
Why: the v0.1.22 publish failed — first npm E404 (NPM_TOKEN expired/
rejected), then ENEEDAUTH (token empty). Move off the long-lived token to
OIDC trusted publishing: npm mints short-lived credentials from the GitHub
Actions id-token (already `id-token: write` at the workflow level), and
provenance is generated automatically.
How (publish job):
- Drop NODE_AUTH_TOKEN / secrets.NPM_TOKEN from both publish steps.
- Drop setup-node's `registry-url:` — that input writes an empty
`//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}` into .npmrc, which
makes npm error ENEEDAUTH instead of using OIDC. The default registry is
registry.npmjs.org regardless.
- `npm install -g npm@latest` so the runner has npm >= 11.5.1 (node 22
ships npm 10.x, which has no OIDC trusted-publishing support).
Requires a one-time npm-side setup: a trusted publisher configured for BOTH
@wirenboard/agent-vm and @wirenboard/agent-vm-linux-x64 (repo
wirenboard/agent-vm, workflow release-npm.yml). The NPM_TOKEN secret is no
longer used and can be deleted.
Also restores the "Build agentd from source (musl)" step + the msb
`--no-default-features` build that a prior edit had dropped. agentd is
embedded in msb and must ship at the same revision as the producer: the
boot-params side channel (v0.1.22) needs both halves in lockstep. Without
this, msb downloads the stale 0.4.6 prebuilt agentd (no boot-params reader)
and silently drops every mount — for all users, not just non-ASCII paths.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
parent
31fa95b67c
commit
c3fda73ab1
1 changed files with 20 additions and 3 deletions
23
.github/workflows/release-npm.yml
vendored
23
.github/workflows/release-npm.yml
vendored
|
|
@ -421,10 +421,26 @@ jobs:
|
|||
steps:
|
||||
- uses: actions/checkout@v5
|
||||
|
||||
# No `registry-url:` on purpose — that input makes setup-node write
|
||||
# `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}` into .npmrc.
|
||||
# With trusted publishing we have no token, so that line resolves to
|
||||
# an empty authToken and npm errors `ENEEDAUTH` instead of falling
|
||||
# back to OIDC. Without it, npm uses the default registry
|
||||
# (registry.npmjs.org) and the OIDC trusted-publishing flow.
|
||||
- uses: actions/setup-node@v5
|
||||
with:
|
||||
node-version: '22'
|
||||
registry-url: 'https://registry.npmjs.org'
|
||||
|
||||
# npm trusted publishing (OIDC) needs npm >= 11.5.1; node 22 ships
|
||||
# npm 10.x. With this + `id-token: write` (set at the workflow level)
|
||||
# and a trusted publisher configured on npmjs.com for each package,
|
||||
# `npm publish` exchanges the GitHub OIDC token for short-lived
|
||||
# registry credentials — no long-lived NPM_TOKEN secret — and attaches
|
||||
# provenance automatically.
|
||||
- name: Upgrade npm for OIDC trusted publishing (>= 11.5.1)
|
||||
run: |
|
||||
npm install -g npm@latest
|
||||
npm --version
|
||||
|
||||
# Download each platform artifact into its own subpackage
|
||||
# directory explicitly. `actions/download-artifact@v8` with
|
||||
|
|
@ -482,8 +498,9 @@ jobs:
|
|||
done
|
||||
|
||||
- name: Publish platform subpackages first
|
||||
# No NODE_AUTH_TOKEN — auth is via OIDC trusted publishing (see the
|
||||
# setup-node note above and the workflow-level `id-token: write`).
|
||||
env:
|
||||
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
||||
V: ${{ needs.resolve-version.outputs.version }}
|
||||
run: |
|
||||
set -e
|
||||
|
|
@ -509,8 +526,8 @@ jobs:
|
|||
done
|
||||
|
||||
- name: Publish main package
|
||||
# OIDC trusted publishing — no NODE_AUTH_TOKEN (see above).
|
||||
env:
|
||||
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
|
||||
V: ${{ needs.resolve-version.outputs.version }}
|
||||
run: |
|
||||
set -e
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue