
Commit 53dc6d8

orb(reactotron): chore(ci): bump publish-docs orb to @0.5 (#1610)

## Please verify the following:

- [x] `yarn build-and-test:local` passes
- [ ] I have added tests for any new features, if relevant
- [x] `README.md` (or relevant documentation) has been updated with your changes

## Describe your PR

Bumps the `infinitered/publish-docs` orb from `@0.4` (resolves to v0.4.13) to `@0.5` (resolves to v0.5.1). This unbreaks `publish-docs/publish_docs` on master pushes when the merge commit body contains markdown / multi-line content.

### Why

The orb's v0.4.13 wrote unescaped multi-line shell content to `$BASH_ENV` via `echo "export VAR=\"$VAL\""`. When the merge commit's body had colons (e.g. inline JSON snippets) or newlines, bash interpreted each line as a command after sourcing `$BASH_ENV` at the start of the next step.

Symptom on the master push for #1609:

```
/tmp/.bash_env-...-build: line 39: README.md: command not found
/tmp/.bash_env-...-build: line 39: NPM_TOKEN: command not found
... [40+ more]
Error: Not a GitHub URL.
Exited with code exit status 1
```

### Changes

- `.circleci/config.yml` — bump `publish-docs: infinitered/publish-docs@0.4` → `@0.5`.

### Notes

- Fix is upstream in [infinitered/orb-publish-docs#40](infinitered/orb-publish-docs#40), released as `v0.5.1` today. Replaces the unsafe `echo "export VAR=\"$VAL\""` patterns with `printf 'export VAR=%q\n' "$VAL"` in 5 internal scripts.
- The `0.4 → 0.5` diff is internal only — no job, command, or parameter signatures change. All existing usage (`publish-docs/build_docs` and `publish-docs/publish_docs` with `ir_docs_config` params) remains compatible.
- Verified `npx nx affected --target=version --base=origin/master --head=HEAD` returns 0 projects, so this merge will not cascade-trigger any unintended package releases.
- Using `@0.5` (auto-resolves to latest 0.5.x) rather than pinned `@0.5.1` so future patch fixes apply automatically. Matches the prior `@0.4` style.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

infinitered/reactotron#1610
1 parent 6279767 commit 53dc6d8
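The `$BASH_ENV` quoting problem the commit message describes, as an added example that is not code from the reactotron repository or the publish-docs orb: a constructed commit body containing markdown inline code and an inline JSON snippet is persisted with the orb's old `echo "export VAR=\"$VAL\""` pattern and with the `printf '%q'` replacement, and each file is then sourced in a fresh bash to see what value comes back. The function and variable names (`write_unsafe`, `write_safe`, `sourced_value`, `survives_roundtrip`, `COMMIT_BODY`, `SAMPLE_BODY`) are this example's own. It needs `bash` on PATH, because `BASH_ENV` files are sourced by bash and `%q` is a bash printf feature; the outer script itself is plain POSIX sh.

```shell
#!/bin/sh
# Added example (not code from the reactotron repo or the publish-docs orb).
# Reproduces the class of bug the commit describes: persisting an untrusted
# multi-line value (a merge commit body) into a BASH_ENV-style file with
# echo, versus the printf %q replacement. The writers and the loader run
# under `bash -c` because BASH_ENV files are sourced by bash and %q is a
# bash printf feature; this outer script is plain POSIX sh.

# Constructed commit body: markdown inline code (backticks), a newline and
# an inline JSON snippet with colons and double quotes.
SAMPLE_BODY='- [x] `README.md` has been updated
Example config: {"NPM_TOKEN": "..."}'

# Unsafe writer (the orb's v0.4.13 pattern): the value is spliced into a
# double-quoted export line. When that file is sourced, backticks inside
# the value run as command substitutions and the embedded double quotes
# are consumed as shell syntax instead of being stored.
write_unsafe() {  # $1 = output file, $2 = value
  bash -c 'echo "export COMMIT_BODY=\"$1\""' _ "$2" > "$1"
}

# Safe writer (the orb's v0.5.1 pattern): %q emits a bash-quoted literal
# (the $'...' form here, because of the newline) that reproduces the value
# exactly when sourced, whatever characters it contains.
write_safe() {  # $1 = output file, $2 = value
  bash -c 'printf "export COMMIT_BODY=%q\n" "$1"' _ "$2" > "$1"
}

# Write $2 with writer $1 to a temp file, source that file in a fresh bash
# (as CircleCI does with BASH_ENV at the start of the next step) and print
# the COMMIT_BODY that shell ends up with. Errors from sourcing are
# discarded so only the resulting value is reported.
sourced_value() {  # $1 = writer function, $2 = value
  f=$(mktemp) || return 1
  "$1" "$f" "$2"
  bash -c '. "$1" 2>/dev/null; printf "%s" "$COMMIT_BODY"' _ "$f"
  rm -f "$f"
}

# Succeeds only if the value survives the write/source round trip unchanged.
survives_roundtrip() {  # $1 = writer function, $2 = value
  [ "$(sourced_value "$1" "$2")" = "$2" ]
}

# Demo: the %q file round-trips, the echo file does not.
if survives_roundtrip write_safe "$SAMPLE_BODY"; then
  echo "printf %q: value survived sourcing unchanged"
fi
if ! survives_roundtrip write_unsafe "$SAMPLE_BODY"; then
  echo "echo: value was altered while sourcing; the shell saw:"
  sourced_value write_unsafe "$SAMPLE_BODY"
  echo
fi
```

With the echo pattern, the backticks in the value are executed as a command substitution while the file is sourced and the embedded double quotes are eaten as shell syntax, so the value that comes back is `- [x]  has been updated` followed by `Example config: {NPM_TOKEN: ...}`; the `%q` file restores the value byte for byte. A syntax check such as `bash -n` on the echo-generated file would not flag it, because the file is valid shell; the only robust defence is quoting the value with `%q` (or an equivalent) at write time.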

1 file changed

Lines changed: 33 additions & 0 deletions


docs/reactotron/contributing/releasing.md

@@ -68,3 +68,36 @@ CircleCi is used to run the release tasks. The `config.yml` file is located in t
6868
CircleCi is configured to check for whether new release commits and tags are needed on every commit to a release branch: `master`, `beta`, and `alpha`.
6969

7070
Once a new release tag is created, CircleCi will run a job to publish the artifacts for the workspace.
71+
72+
## npm Authentication (Trusted Publishing via OIDC)
73+
74+
npm packages are published using [npm Trusted Publishing](https://docs.npmjs.com/trusted-publishers/) — CircleCI mints a short-lived OIDC token that Yarn 4.14+ exchanges for a single-use publish token. There is no long-lived `NPM_TOKEN` to rotate.
75+
76+
### How it works in CI
77+
78+
The `release_package` job in `.circleci/config.yml` runs two steps:
79+
80+
1. **Mint npm OIDC token** — runs `circleci run oidc get --claims '{"aud":"npm:registry.npmjs.org"}'` and exports the result as `NPM_ID_TOKEN`.
81+
2. **Release to npm and github**`yarn release:artifacts $CIRCLE_TAG` calls `scripts/release.artifacts.mjs`. The script (not Yarn) exchanges `NPM_ID_TOKEN` for a single-use npm publish token via a direct `POST` to `https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/<name>`, then exposes the result as `NPM_TOKEN` so `.yarnrc.yml`'s `npmAuthToken: "${NPM_TOKEN-}"` picks it up at config-load time. Finally it invokes `yarn npm publish`.
82+
83+
The reason the script does the exchange rather than Yarn: Yarn 4.14.1's `yarn npm publish` gates the OIDC code path on `GITHUB_ACTIONS || GITLAB_CI`, even though its `getOidcToken` helper already handles `CIRCLECI`. The companion fix is tracked upstream at [yarnpkg/berry#7122](https://github.com/yarnpkg/berry/pull/7122). Once Yarn ships the one-line gate fix and we bump, the exchange block in `release.artifacts.mjs` can be deleted and `yarn npm publish` will pick up `NPM_ID_TOKEN` directly.
84+
85+
The job still requires the `reactotron-npm-context` CircleCI context for `$GITHUB_TOKEN` (used to create the GitHub release).
86+
87+
### Adding a trusted publisher to a new package
88+
89+
When publishing a new `reactotron-*` package, configure its Trusted Publisher on npm before the first release tag, otherwise the publish will fail with a "no trusted publisher configured" error.
90+
91+
For each package:
92+
93+
1. Navigate to `https://www.npmjs.com/package/<pkg>/access`.
94+
2. Scroll to "Trusted Publisher" and select **CircleCI**.
95+
3. Fill in the org/project/context IDs (ask a maintainer for current values; they live in the CircleCI project settings, not in this repo).
96+
4. Save.
97+
98+
`npm trust` (npm v11.10.0+) supports batch configuration after `npm login`. See [npm bulk trusted publishing config](https://github.blog/changelog/2026-02-18-npm-bulk-trusted-publishing-config-and-script-security-now-generally-available/).
99+
100+
### Out-of-scope packages
101+
102+
- `reactotron-app` is published as GitHub release artifacts, not to npm.
103+
- `reactotron-mcp` is private (`"private": true`) and intentionally not on npm. An unrelated `reactotron-mcp` package by `steve228uk` exists on npm — that is his own project and is not affiliated with Infinite Red.
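Review bot: the opening sentence of the new "npm Authentication" section ("CircleCI mints a short-lived OIDC token that Yarn 4.14+ exchanges for a single-use publish token") contradicts step 2 of "How it works in CI", which says `scripts/release.artifacts.mjs`, not Yarn, performs the exchange until yarnpkg/berry#7122 ships; reword the intro to say the release script does the exchange and Yarn only reads the resulting `NPM_TOKEN` through `npmAuthToken: "${NPM_TOKEN-}"`, so a maintainer debugging a failed publish looks in the right place. Step 2 also lacks the separator step 1 uses: `**Release to npm and github**` runs straight into the `yarn release:artifacts $CIRCLE_TAG` code span; insert the same dash separator. Since the exchanged publish token is handed to the step as `NPM_TOKEN`, consider adding one sentence that it is single-use and must not be echoed into logs or persisted via `$BASH_ENV` by the release steps, given that this commit exists because the docs orb was writing unescaped values to `$BASH_ENV`.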
