Skip to content

Fix npm trusted publishing and remove redundant test step #99

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ranyitz merged 2 commits into from
Jan 26, 2026
Merged

Fix npm trusted publishing and remove redundant test step #99

ranyitz merged 2 commits into from
Jan 26, 2026

Conversation

@ranyitz
Copy link
Owner

@ranyitz ranyitz commented Jan 26, 2026

Summary

  • Remove pnpm test step from publish workflow (tests already run on PR merge)
  • Upgrade to Node.js 24 for npm trusted publishing OIDC support

Why

Publishing was failing with "Access token expired" / 404 errors despite correct trusted publisher configuration. The root cause is that npm trusted publishing with OIDC requires npm v11.5.1+, which ships with Node.js 24. Node 22 includes npm v10 which doesn't properly handle the OIDC token exchange for authentication.

Reference: https://medium.com/@kenricktan11/npm-trusted-publishers-the-weird-404-error-and-the-node-js-24-fix-a9f1d717a5dd

@ranyitz
no need to run tests before publish since we require PRs
13e43f0
@ranyitz
Upgrade to Node 24 for npm trusted publishing OIDC support
a1ecdf1 
npm trusted publishing with OIDC requires npm v11.5.1+, which ships
with Node.js 24. Node 22 includes npm v10 which doesn't properly
handle OIDC token exchange for authentication, causing "Access token
expired" errors despite correct configuration.
@ranyitz ranyitz merged commit b89cb61 into main Jan 26, 2026
5 of 8 checks passed
@ranyitz ranyitz deleted the no-test-before-publish branch January 26, 2026 20:59
chatgpt-codex-connector[bot]
chatgpt-codex-connector bot reviewed Jan 26, 2026
View reviewed changes
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: a1ecdf1aa2

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

.github/workflows/publish.yml
Comment on lines 28 to 29
- run: pnpm install --frozen-lockfile
- run: pnpm test
- run: npm publish --provenance --access public
Copy link

@chatgpt-codex-connector chatgpt-codex-connector bot Jan 26, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Build artifacts before npm publish

In the tag publish job, pnpm test was the only step that ran pnpm build, and the repo doesn’t check in dist. With the test step removed, the workflow now goes straight from pnpm install to npm publish, so the package is published without compiled dist artifacts even though package.json’s main/bin and files depend on dist. This will produce a broken package on npm for tag pushes; add an explicit build step (or restore a step that runs pnpm build) before publishing.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ranyitz