release-npm: publish via npm OIDC trusted publishing; restore agentd-from-source

Why: the v0.1.22 publish failed — first npm E404 (NPM_TOKEN expired/
rejected), then ENEEDAUTH (token empty). Move off the long-lived token to
OIDC trusted publishing: npm mints short-lived credentials from the GitHub
Actions id-token (already `id-token: write` at the workflow level), and
provenance is generated automatically.

How (publish job):
  - Drop NODE_AUTH_TOKEN / secrets.NPM_TOKEN from both publish steps.
  - Drop setup-node's `registry-url:` — that input writes an empty
    `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}` into .npmrc, which
    makes npm error ENEEDAUTH instead of using OIDC. The default registry is
    registry.npmjs.org regardless.
  - `npm install -g npm@latest` so the runner has npm >= 11.5.1 (node 22
    ships npm 10.x, which has no OIDC trusted-publishing support).

Requires a one-time npm-side setup: a trusted publisher configured for BOTH
@wirenboard/agent-vm and @wirenboard/agent-vm-linux-x64 (repo
wirenboard/agent-vm, workflow release-npm.yml). The NPM_TOKEN secret is no
longer used and can be deleted.

Also restores the "Build agentd from source (musl)" step + the msb
`--no-default-features` build that a prior edit had dropped. agentd is
embedded in msb and must ship at the same revision as the producer: the
boot-params side channel (v0.1.22) needs both halves in lockstep. Without
this, msb downloads the stale 0.4.6 prebuilt agentd (no boot-params reader)
and silently drops every mount — for all users, not just non-ASCII paths.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
Evgeny Boger 2026-06-01 20:26:08 +00:00
parent 31fa95b67c
commit c3fda73ab1

View file

@ -421,10 +421,26 @@ jobs:
steps:
- uses: actions/checkout@v5
# No `registry-url:` on purpose — that input makes setup-node write
# `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}` into .npmrc.
# With trusted publishing we have no token, so that line resolves to
# an empty authToken and npm errors `ENEEDAUTH` instead of falling
# back to OIDC. Without it, npm uses the default registry
# (registry.npmjs.org) and the OIDC trusted-publishing flow.
- uses: actions/setup-node@v5
with:
node-version: '22'
registry-url: 'https://registry.npmjs.org'
# npm trusted publishing (OIDC) needs npm >= 11.5.1; node 22 ships
# npm 10.x. With this + `id-token: write` (set at the workflow level)
# and a trusted publisher configured on npmjs.com for each package,
# `npm publish` exchanges the GitHub OIDC token for short-lived
# registry credentials — no long-lived NPM_TOKEN secret — and attaches
# provenance automatically.
- name: Upgrade npm for OIDC trusted publishing (>= 11.5.1)
run: |
npm install -g npm@latest
npm --version
# Download each platform artifact into its own subpackage
# directory explicitly. `actions/download-artifact@v8` with
@ -482,8 +498,9 @@ jobs:
done
- name: Publish platform subpackages first
# No NODE_AUTH_TOKEN — auth is via OIDC trusted publishing (see the
# setup-node note above and the workflow-level `id-token: write`).
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
V: ${{ needs.resolve-version.outputs.version }}
run: |
set -e
@ -509,8 +526,8 @@ jobs:
done
- name: Publish main package
# OIDC trusted publishing — no NODE_AUTH_TOKEN (see above).
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
V: ${{ needs.resolve-version.outputs.version }}
run: |
set -e