From 9aee728a9fe81c89273cf3ab6258073694154b76 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 4 Apr 2026 07:47:01 +0000 Subject: [PATCH 1/6] Update npm publish workflow to use Trusted Publishing (OIDC), bump all actions, and add publishing docs Agent-Logs-Url: https://github.com/Sans3108/DDNet/sessions/3f88e6bd-af8e-4c81-97d7-7e069b4ba057 Co-authored-by: Sans3108 <39863198+Sans3108@users.noreply.github.com> --- .github/dependabot.yml | 6 +++ .github/workflows/npm-publish.yml | 37 +++++++++-------- .github/workflows/prettier.yml | 15 +++---- PUBLISHING.md | 67 +++++++++++++++++++++++++++++++ 4 files changed, 99 insertions(+), 26 deletions(-) create mode 100644 PUBLISHING.md
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index a21cb84..24c534b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,6 +1,12 @@
 version: 2
 updates:
 - package-ecosystem: "npm"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ target-branch: dev
+
+ - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
 interval: "weekly"
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index ff27d10..4903f2d 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
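Review bot: The `target-branch: dev` added to the npm entry is not mirrored on the new `github-actions` entry, so Dependabot will open action-bump PRs against the default branch while npm bumps go to `dev`. If that split is intentional it deserves a comment; otherwise add `    target-branch: dev` under the `github-actions` schedule as well. With the publish workflow now trusting its action references for OIDC-based publishing, having action updates land where CI changes are actually reviewed matters more than before.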
@@ -1,39 +1,38 @@
-# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
-# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
+# Publishes the package to npm when a GitHub release is created.
+# Uses npm Trusted Publishing (OIDC) — no NPM_TOKEN secret required.
+# See PUBLISHING.md for setup instructions.
-name: Node.js Package
-
-permissions:
- contents: read
- packages: write
+name: Publish to npm
 on:
 release:
 types: [created]
 jobs:
- publish-npm:
+ publish:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write # Required for npm Trusted Publishing (OIDC)
 steps:
 - name: Check out code
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
+
+ - name: Install pnpm
+ uses: pnpm/action-setup@v5
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v6
 with:
- node-version-file: 'package.json' # Grabs node version from package.json
+ node-version-file: 'package.json'
 registry-url: https://registry.npmjs.org/
+ cache: pnpm
- - name: Install pnpm
- run: npm install -g pnpm
-
- - name: Install deps
- run: pnpm i
+ - name: Install dependencies
+ run: pnpm install --frozen-lockfile
 - name: Build package
 run: pnpm build
 - name: Publish package
- run: pnpm publish --no-git-checks
- env:
- NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+ run: npm publish --provenance --access public
diff --git a/.github/workflows/prettier.yml b/.github/workflows/prettier.yml
index c3aa6b0..ebb160e 100644
--- a/.github/workflows/prettier.yml
+++ b/.github/workflows/prettier.yml
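Review bot: The `publish` job mints an OIDC token that npm will accept on any `release: created` event, but it declares no `environment:` (and the PUBLISHING.md added in this patch tells the reader to leave the Environment field blank), so anyone who can create a release publishes a new version under the project's name with no reviewer or branch/tag rule in between. Adding `    environment: npm-publish` to the job and registering that same environment name in the npm trusted-publisher settings lets the environment's protection rules (required reviewers, allowed tags) gate the publish. Separately, `npm publish --provenance` over OIDC needs a recent npm CLI (11.5.1 or newer according to npm's trusted-publishing docs); since the Node version is read from `package.json`, confirm the bundled npm is new enough or add a `run: npm install -g npm@latest` step before the publish step.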
@@ -20,22 +20,23 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Check out code
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 with:
 ref: ${{ github.head_ref }}
 fetch-depth: 0 # Ensures history is checked out
 token: ${{ secrets.GITHUB_TOKEN }} # Use the GitHub token for authentication
+ - name: Install pnpm
+ uses: pnpm/action-setup@v5
+
 - name: Set up Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v6
 with:
- node-version-file: 'package.json' # Grabs node version from package.json
-
- - name: Install pnpm
- run: npm install -g pnpm
+ node-version-file: 'package.json'
+ cache: pnpm
 - name: Install dependencies
- run: pnpm install
+ run: pnpm install --frozen-lockfile
 - name: Run prettier
 run: pnpm prettier
diff --git a/PUBLISHING.md b/PUBLISHING.md
new file mode 100644
index 0000000..8c5f35d
--- /dev/null
+++ b/PUBLISHING.md
@@ -0,0 +1,67 @@
+# Publishing to npm
+
+This project uses **npm Trusted Publishing** (OIDC) via GitHub Actions.
+When a GitHub release is created, the [npm-publish workflow](.github/workflows/npm-publish.yml) automatically builds and publishes the package to npm — no long-lived tokens required.
+
+## One-time setup (npmjs.com)
+
+> You must have published at least one version of the package to npm before you can enable trusted publishing.
+
+1. Go to [npmjs.com](https://www.npmjs.com) and sign in to the account that owns the `ddnet` package.
+2. Navigate to the **package settings** page:
+3. Under **Publishing access**, find the **Trusted Publishers** section.
+4. Click **Add a trusted publisher** and fill in:
+ - **Organization or user:** `Sans3108`
+ - **Repository:** `DDNet`
+ - **Workflow filename:** `npm-publish.yml`
+ - **Environment:** _(leave blank)_
+5. Save the configuration.
+
+Once this is done, the GitHub Actions workflow can publish to npm using OIDC without any stored secrets (`NPM_TOKEN` is no longer needed and can be removed from the repository secrets if it exists).
+
+## How to publish a new release
+
+1. **Update the version** in `package.json`:
+ ```bash
+ # Bump the patch version (e.g., 0.10.2 → 0.10.3)
+ npm version patch
+
+ # Or for a minor version bump (e.g., 0.10.2 → 0.11.0)
+ npm version minor
+
+ # Or for a major version bump (e.g., 0.10.2 → 1.0.0)
+ npm version major
+ ```
+ This updates `package.json` and creates a git tag automatically.
+
+2. **Push the commit and tag** to GitHub:
+ ```bash
+ git push origin master --follow-tags
+ ```
+
+3. **Create a GitHub release** from the tag:
+ - Go to
+ - Select the tag you just pushed (e.g., `v0.10.3` or `0.10.3`)
+ - Fill in the release title and notes
+ - Click **Publish release**
+
+4. The **npm-publish** workflow will trigger automatically, build the package, and publish it to npm with [provenance](https://docs.npmjs.com/generating-provenance-statements) attached.
+
+## What the workflow does
+
+ ```
+checkout → install pnpm → setup node → pnpm install → pnpm build → npm publish --provenance
+```
+
+- Uses OIDC (`id-token: write` permission) so npm can verify the package was published from this repository.
+- Runs `pnpm install --frozen-lockfile` for reproducible builds.
+- Publishes with `--provenance` so consumers can verify the package origin on npmjs.com.
+
+## Troubleshooting
+
+| Problem | Fix |
+|---|---|
+| **"No matching trusted publisher"** error in CI | Ensure the workflow filename in npmjs.com settings matches exactly: `npm-publish.yml` |
+| **403 Forbidden** during publish | Verify that trusted publishing is configured for the correct user/org and repo on npmjs.com |
+| **Version already exists** | You need to bump the version in `package.json` before publishing. npm does not allow re-publishing the same version. |
+| **Provenance error** | Make sure the workflow has `permissions: id-token: write` and is running in a public repository |
From 90c493183ac8ad3e55178ee76a466235aa5486c3 Mon Sep 17 00:00:00 2001 From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com> Date: Sat, 4 Apr 2026 08:15:33 +0000 Subject: [PATCH 2/6] Pin pnpm/action-setup to commit SHA for security Agent-Logs-Url: https://github.com/Sans3108/DDNet/sessions/0533fb26-551c-4f10-a882-6b13145c394b Co-authored-by: Sans3108 <39863198+Sans3108@users.noreply.github.com> --- .github/workflows/npm-publish.yml | 2 +- .github/workflows/prettier.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 4903f2d..f2116fc 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -19,7 +19,7 @@ jobs:
 uses: actions/checkout@v6
 - name: Install pnpm
- uses: pnpm/action-setup@v5
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
 - name: Set up Node.js
 uses: actions/setup-node@v6
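Review bot: Pinning only `pnpm/action-setup` to a commit SHA leaves `actions/checkout@v6` and `actions/setup-node@v6`, visible as context just above and below the changed line, on mutable major tags, so a force-moved or compromised tag on either would still run arbitrary code in a job that holds `id-token: write` for npm. The same partial pinning is in this patch's prettier.yml hunk and survives into both hunks of patch 4/6. Pin all three the same way — `uses: actions/checkout@<full-commit-sha> # v6.x.y` and `uses: actions/setup-node@<full-commit-sha> # v6.x.y` — and let the new `github-actions` Dependabot entry keep the SHAs and their version comments current.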
diff --git a/.github/workflows/prettier.yml b/.github/workflows/prettier.yml
index ebb160e..5074f75 100644
--- a/.github/workflows/prettier.yml
+++ b/.github/workflows/prettier.yml
@@ -27,7 +27,7 @@ jobs:
 token: ${{ secrets.GITHUB_TOKEN }} # Use the GitHub token for authentication
 - name: Install pnpm
- uses: pnpm/action-setup@v5
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
 - name: Set up Node.js
 uses: actions/setup-node@v6
From 8b73797db0303b9f04b9a37b4fcbf741d297c92d Mon Sep 17 00:00:00 2001 From: Sans Date: Sat, 4 Apr 2026 11:26:11 +0300 Subject: [PATCH 3/6] CI: specify pnpm version for action-setup --- .github/workflows/prettier.yml | 62 +--------------------------------- 1 file changed, 1 insertion(+), 61 deletions(-)
diff --git a/.github/workflows/prettier.yml b/.github/workflows/prettier.yml
index 5074f75..6c0b82d 100644
--- a/.github/workflows/prettier.yml
+++ b/.github/workflows/prettier.yml
@@ -1,61 +1 @@
-name: Prettier Formatting
-permissions:
- contents: write
- pull-requests: write
-
-env:
- files_modified:
-
-on:
- pull_request:
- push:
- branches: [master]
-
-jobs:
- format:
- # Check if the PR is not from a fork
- if: >
- github.event.pull_request.head.repo.full_name == github.repository ||
- (github.event_name == 'push' && startsWith(github.event.head_commit.message, 'Format files with Prettier') == false)
- runs-on: ubuntu-latest
- steps:
- - name: Check out code
- uses: actions/checkout@v6
- with:
- ref: ${{ github.head_ref }}
- fetch-depth: 0 # Ensures history is checked out
- token: ${{ secrets.GITHUB_TOKEN }} # Use the GitHub token for authentication
-
- - name: Install pnpm
- uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-
- - name: Set up Node.js
- uses: actions/setup-node@v6
- with:
- node-version-file: 'package.json'
- cache: pnpm
-
- - name: Install dependencies
- run: pnpm install --frozen-lockfile
-
- - name: Run prettier
- run: pnpm prettier
-
- - name: Check for modified files
- id: git-check
- run: |
- if git diff --quiet; then
- echo "files_modified=false" >> $GITHUB_ENV
- else
- echo "files_modified=true" >> $GITHUB_ENV
- fi
-
- - name: Commit and push changes
- if: env.files_modified == 'true'
- run: |
- git config --global user.name '${{ github.repository_owner }}'
- git config --global user.email 'actions@github.com'
- git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}
- git add -A
- git commit -m "Format files with Prettier"
- git push
+name: Prettier\n\non: [push, pull_request]\n\njobs:\n format:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout\n uses: actions/checkout@v2\n - name: Install pnpm\n uses: pnpm/action-setup@v2\n with:\n version: 9\n - name: Run Prettier\n run: pnpm prettier --check .\n volume: \"./node_modules\"\n
\ No newline at end of file
From 075b230785d0c14cecca9f7eb75c1939ba1403e8 Mon Sep 17 00:00:00 2001
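Review bot: The single added line is the whole workflow written with literal `\n` escape sequences and no trailing newline, so after this commit `.github/workflows/prettier.yml` is one unparseable line rather than a YAML document, and along the way it drops the fork guard (`if:`), the SHA pin, and goes back to `actions/checkout@v2` and `pnpm/action-setup@v2`. Patch 4/6 restores the file, so the series should be rebased to squash 3/6 into 4/6 (or drop 3/6) so that no commit on the branch carries a broken workflow that bisecting or reverting could land on.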
From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com> Date: Sat, 4 Apr 2026 08:28:54 +0000 Subject: [PATCH 4/6] Fix prettier.yml and add pnpm version specification to workflows Agent-Logs-Url: https://github.com/Sans3108/DDNet/sessions/6a0e46ba-4888-4186-9803-f537311cc118 Co-authored-by: Sans3108 <39863198+Sans3108@users.noreply.github.com> --- .github/workflows/npm-publish.yml | 2 + .github/workflows/prettier.yml | 64 ++++++++++++++++++++++++++++++- 2 files changed, 65 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index f2116fc..e37b7b0 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -20,6 +20,8 @@ jobs:
 - name: Install pnpm
 uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+ with:
+ version: 9
 - name: Set up Node.js
 uses: actions/setup-node@v6
diff --git a/.github/workflows/prettier.yml b/.github/workflows/prettier.yml
index 6c0b82d..a3885cc 100644
--- a/.github/workflows/prettier.yml
+++ b/.github/workflows/prettier.yml
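Review bot: `version: 9` hardcodes a pnpm major in the workflow while the lockfile and, if present, the `packageManager` field in `package.json` are the actual sources of truth; as far as I recall pnpm/action-setup refuses to run when `version` and `packageManager` disagree, and a major mismatch with the lockfile format makes `pnpm install --frozen-lockfile` fail. If `package.json` declares `packageManager`, drop the `with:` block here and in the prettier.yml hunk below and let the action read it from there; otherwise pin an exact version (`version: "9.x.y"` with the real value substituted) rather than a bare major, so the CI pnpm does not silently drift from the one that produced the lockfile.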
@@ -1 +1,63 @@
-name: Prettier\n\non: [push, pull_request]\n\njobs:\n format:\n runs-on: ubuntu-latest\n steps:\n - name: Checkout\n uses: actions/checkout@v2\n - name: Install pnpm\n uses: pnpm/action-setup@v2\n with:\n version: 9\n - name: Run Prettier\n run: pnpm prettier --check .\n volume: \"./node_modules\"\n
\ No newline at end of file
+name: Prettier Formatting
+permissions:
+ contents: write
+ pull-requests: write
+
+env:
+ files_modified:
+
+on:
+ pull_request:
+ push:
+ branches: [master]
+
+jobs:
+ format:
+ # Check if the PR is not from a fork
+ if: >
+ github.event.pull_request.head.repo.full_name == github.repository ||
+ (github.event_name == 'push' && startsWith(github.event.head_commit.message, 'Format files with Prettier') == false)
+ runs-on: ubuntu-latest
+ steps:
+ - name: Check out code
+ uses: actions/checkout@v6
+ with:
+ ref: ${{ github.head_ref }}
+ fetch-depth: 0 # Ensures history is checked out
+ token: ${{ secrets.GITHUB_TOKEN }} # Use the GitHub token for authentication
+
+ - name: Install pnpm
+ uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
+ with:
+ version: 9
+
+ - name: Set up Node.js
+ uses: actions/setup-node@v6
+ with:
+ node-version-file: 'package.json'
+ cache: pnpm
+
+ - name: Install dependencies
+ run: pnpm install --frozen-lockfile
+
+ - name: Run prettier
+ run: pnpm prettier
+
+ - name: Check for modified files
+ id: git-check
+ run: |
+ if git diff --quiet; then
+ echo "files_modified=false" >> $GITHUB_ENV
+ else
+ echo "files_modified=true" >> $GITHUB_ENV
+ fi
+
+ - name: Commit and push changes
+ if: env.files_modified == 'true'
+ run: |
+ git config --global user.name '${{ github.repository_owner }}'
+ git config --global user.email 'actions@github.com'
+ git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}
+ git add -A
+ git commit -m "Format files with Prettier"
+ git push
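Review bot: The `Commit and push changes` step rewrites the origin URL to embed `secrets.GITHUB_TOKEN`, but the checkout step already authenticated with that token and actions/checkout persists it for later steps by default, so the `git remote set-url origin …` line is redundant and additionally leaves the token in `.git/config` as a plain remote URL for every subsequent step; drop the line and let the persisted credential do the push. The `Check for modified files` step tests only tracked changes (`git diff --quiet`) while the commit step stages everything (`git add -A`), so the two disagree on untracked files; `if [ -z "$(git status --porcelain)" ]; then` keeps them consistent. The `files_modified:` entry under the top-level `env:` is a bare null that the step later overwrites through `$GITHUB_ENV` — give it an explicit `"false"` or remove it and rely on the step's assignment.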
From df1ab084be17771de86e63404dced0511d377683 Mon Sep 17 00:00:00 2001 From: Sans3108 Date: Sat, 4 Apr 2026 08:33:47 +0000 Subject: [PATCH 5/6] Format files with Prettier --- PUBLISHING.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/PUBLISHING.md b/PUBLISHING.md
index 8c5f35d..9969a47 100644
--- a/PUBLISHING.md
+++ b/PUBLISHING.md
@@ -22,6 +22,7 @@ Once this is done, the GitHub Actions workflow can publish to npm using OIDC wit
 ## How to publish a new release
 1. **Update the version** in `package.json`:
+
 ```bash
 # Bump the patch version (e.g., 0.10.2 → 0.10.3)
 npm version patch
@@ -32,9 +33,11 @@ Once this is done, the GitHub Actions workflow can publish to npm using OIDC wit
 # Or for a major version bump (e.g., 0.10.2 → 1.0.0)
 npm version major
 ```
+
 This updates `package.json` and creates a git tag automatically.
 2. **Push the commit and tag** to GitHub:
+
 ```bash
 git push origin master --follow-tags
 ```
@@ -59,9 +62,9 @@ checkout → install pnpm → setup node → pnpm install → pnpm build → npm
 ## Troubleshooting
-| Problem | Fix |
-|---|---|
-| **"No matching trusted publisher"** error in CI | Ensure the workflow filename in npmjs.com settings matches exactly: `npm-publish.yml` |
-| **403 Forbidden** during publish | Verify that trusted publishing is configured for the correct user/org and repo on npmjs.com |
-| **Version already exists** | You need to bump the version in `package.json` before publishing. npm does not allow re-publishing the same version. |
-| **Provenance error** | Make sure the workflow has `permissions: id-token: write` and is running in a public repository |
+| Problem | Fix |
+| ----------------------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
+| **"No matching trusted publisher"** error in CI | Ensure the workflow filename in npmjs.com settings matches exactly: `npm-publish.yml` |
+| **403 Forbidden** during publish | Verify that trusted publishing is configured for the correct user/org and repo on npmjs.com |
+| **Version already exists** | You need to bump the version in `package.json` before publishing. npm does not allow re-publishing the same version. |
+| **Provenance error** | Make sure the workflow has `permissions: id-token: write` and is running in a public repository |
From 17986a3677109be0e5696b42e00c2311501d8450 Mon Sep 17 00:00:00 2001 From: "anthropic-code-agent[bot]" <242468646+Claude@users.noreply.github.com> Date: Sat, 4 Apr 2026 08:37:02 +0000 Subject: [PATCH 6/6] Generalize PUBLISHING.md to remove personal details Agent-Logs-Url: https://github.com/Sans3108/DDNet/sessions/0d716c38-b39e-4a54-99b9-5207ffd311b3 Co-authored-by: Sans3108 <39863198+Sans3108@users.noreply.github.com> --- PUBLISHING.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/PUBLISHING.md b/PUBLISHING.md
index 9969a47..d4376d5 100644
--- a/PUBLISHING.md
+++ b/PUBLISHING.md
@@ -7,12 +7,12 @@ When a GitHub release is created, the [npm-publish workflow](.github/workflows/n
 > You must have published at least one version of the package to npm before you can enable trusted publishing.
-1. Go to [npmjs.com](https://www.npmjs.com) and sign in to the account that owns the `ddnet` package.
-2. Navigate to the **package settings** page:
+1. Go to [npmjs.com](https://www.npmjs.com) and sign in to the account that owns your package.
+2. Navigate to your **package settings** page: `https://www.npmjs.com/package//access`
 3. Under **Publishing access**, find the **Trusted Publishers** section.
 4. Click **Add a trusted publisher** and fill in:
- - **Organization or user:** `Sans3108`
- - **Repository:** `DDNet`
+ - **Organization or user:** Your GitHub username or organization
+ - **Repository:** Your repository name
 - **Workflow filename:** `npm-publish.yml`
 - **Environment:** _(leave blank)_
 5. Save the configuration.
@@ -43,7 +43,7 @@ Once this is done, the GitHub Actions workflow can publish to npm using OIDC wit
 ```
 3. **Create a GitHub release** from the tag:
- - Go to
+ - Go to your repository's releases page and click **Draft a new release**
 - Select the tag you just pushed (e.g., `v0.10.3` or `0.10.3`)
 - Fill in the release title and notes
 - Click **Publish release**