From c3fda73ab1044da688899c42800ac9ba0afad18e Mon Sep 17 00:00:00 2001 From: Evgeny Boger Date: Mon, 1 Jun 2026 20:26:08 +0000 Subject: [PATCH] release-npm: publish via npm OIDC trusted publishing; restore agentd-from-source MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Why: the v0.1.22 publish failed — first npm E404 (NPM_TOKEN expired/ rejected), then ENEEDAUTH (token empty). Move off the long-lived token to OIDC trusted publishing: npm mints short-lived credentials from the GitHub Actions id-token (already `id-token: write` at the workflow level), and provenance is generated automatically. How (publish job): - Drop NODE_AUTH_TOKEN / secrets.NPM_TOKEN from both publish steps. - Drop setup-node's `registry-url:` — that input writes an empty `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}` into .npmrc, which makes npm error ENEEDAUTH instead of using OIDC. The default registry is registry.npmjs.org regardless. - `npm install -g npm@latest` so the runner has npm >= 11.5.1 (node 22 ships npm 10.x, which has no OIDC trusted-publishing support). Requires a one-time npm-side setup: a trusted publisher configured for BOTH @wirenboard/agent-vm and @wirenboard/agent-vm-linux-x64 (repo wirenboard/agent-vm, workflow release-npm.yml). The NPM_TOKEN secret is no longer used and can be deleted. Also restores the "Build agentd from source (musl)" step + the msb `--no-default-features` build that a prior edit had dropped. agentd is embedded in msb and must ship at the same revision as the producer: the boot-params side channel (v0.1.22) needs both halves in lockstep. Without this, msb downloads the stale 0.4.6 prebuilt agentd (no boot-params reader) and silently drops every mount — for all users, not just non-ASCII paths. Co-Authored-By: Claude Opus 4.8 --- .github/workflows/release-npm.yml | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release-npm.yml b/.github/workflows/release-npm.yml index 6482df8..0d95405 100644 --- a/.github/workflows/release-npm.yml +++ b/.github/workflows/release-npm.yml @@ -421,10 +421,26 @@ jobs: steps: - uses: actions/checkout@v5 + # No `registry-url:` on purpose — that input makes setup-node write + # `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}` into .npmrc. + # With trusted publishing we have no token, so that line resolves to + # an empty authToken and npm errors `ENEEDAUTH` instead of falling + # back to OIDC. Without it, npm uses the default registry + # (registry.npmjs.org) and the OIDC trusted-publishing flow. - uses: actions/setup-node@v5 with: node-version: '22' - registry-url: 'https://registry.npmjs.org' + + # npm trusted publishing (OIDC) needs npm >= 11.5.1; node 22 ships + # npm 10.x. With this + `id-token: write` (set at the workflow level) + # and a trusted publisher configured on npmjs.com for each package, + # `npm publish` exchanges the GitHub OIDC token for short-lived + # registry credentials — no long-lived NPM_TOKEN secret — and attaches + # provenance automatically. + - name: Upgrade npm for OIDC trusted publishing (>= 11.5.1) + run: | + npm install -g npm@latest + npm --version # Download each platform artifact into its own subpackage # directory explicitly. `actions/download-artifact@v8` with @@ -482,8 +498,9 @@ jobs: done - name: Publish platform subpackages first + # No NODE_AUTH_TOKEN — auth is via OIDC trusted publishing (see the + # setup-node note above and the workflow-level `id-token: write`). env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} V: ${{ needs.resolve-version.outputs.version }} run: | set -e @@ -509,8 +526,8 @@ jobs: done - name: Publish main package + # OIDC trusted publishing — no NODE_AUTH_TOKEN (see above). env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} V: ${{ needs.resolve-version.outputs.version }} run: | set -e