Skip to content

Use NPM trusted publishing #725

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
amacneil merged 11 commits into from
Jan 12, 2026
Merged

Use NPM trusted publishing #725

amacneil merged 11 commits into from
Jan 12, 2026

Conversation

@amacneil
Copy link
Owner

@amacneil amacneil commented Jan 11, 2026
edited
Loading

NPM classic tokens are no more, trusted publishing is the future.

Prevent failures like https://github.com/amacneil/dbmate/actions/runs/20837451898/job/59865223681

Note

Adopts NPM OIDC trusted publishing and tidies GitHub workflows and package metadata.

  • CI npm job: grants id-token permissions, enables corepack, removes registry/token usage; typescript/publish.ts unsets NODE_AUTH_TOKEN and publishes via corepack npm publish --provenance
  • Moves Dependabot auto-approve into new dependabot.yml; minor naming tweaks in post-release workflow
  • Adds empty .prettierrc.json; sets packageManager in typescript/package.json
  • Updates package metadata for dbmate and template packages (repository format, bin mapping, homepage/author)
  • Bumps pkg/dbmate/version.go to 2.29.1

Written by Cursor Bugbot for commit 00b792f. This will update automatically on new commits. Configure here.

@amacneil amacneil force-pushed the adrian/npm-publishing branch from a5fe0d1 to 4cc96f7 Compare January 11, 2026 23:45
cursor[bot]
cursor bot reviewed Jan 11, 2026
View reviewed changes
@amacneil amacneil force-pushed the adrian/npm-publishing branch from e64c4a9 to 401bf68 Compare January 11, 2026 23:57
@amacneil amacneil force-pushed the adrian/npm-publishing branch from e624d1a to b3f1939 Compare January 12, 2026 00:26
cursor[bot]
cursor bot reviewed Jan 12, 2026
View reviewed changes
typescript/publish.ts

for (const pkg of packages) {
await exec("npm", ["publish", "--access", "public", pkg]);
await exec("corepack", ["npm", "--version"]);
Copy link

@cursor cursor bot Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Debug version check runs redundantly inside publish loop

Low Severity

A debugging statement await exec("corepack", ["npm", "--version"]) was added inside the for loop that iterates over all packages. This causes the npm version to be printed once for every package being published, which is unnecessary and appears to be leftover debug code. If the version check was intentional for verification, it would only need to run once before the loop, not for each package iteration.

Fix in Cursor Fix in Web

@amacneil amacneil force-pushed the adrian/npm-publishing branch from a98dc9b to f2c7400 Compare January 12, 2026 02:35
cursor[bot]
cursor bot reviewed Jan 12, 2026
View reviewed changes
@amacneil amacneil merged commit fc613e0 into main Jan 12, 2026
11 checks passed
@amacneil amacneil deleted the adrian/npm-publishing branch January 12, 2026 03:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@amacneil