
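name: 📦 Publish to npm
# Dependencies:
# - SocketDev/socket-registry/.github/actions/setup-and-install
# Publishing is INLINED here (not delegated to socket-registry's reusable
# provenance.yml) on purpose. npm's OIDC trusted-publisher matcher keys on the
# workflow that contains the publish step. When the publish step lives in a
# reusable workflow, the OIDC `job_workflow_ref` claim carries the reusable's
# SHA-pinned ref — which changes every time we cascade a new socket-registry
# SHA, so no stable npm trusted-publisher config can match it (the token
# exchange 404s → publish runs unauthenticated → PUT 404 / stage 403).
#
# Inlining keeps `job_workflow_ref` = SocketDev/socket-lib/.github/workflows/
# provenance.yml@<ref>, a stable identity the trusted publisher matches.

# Manual trigger only: no pull_request / push events, so the inputs below are
# always supplied by a user with write access, never by an untrusted PR.
on:
  workflow_dispatch:
    inputs:
      dry-run:
        description: 'Dry run (default: true)'
        required: false
        default: true
        type: boolean
      mode:
        description: 'Publish mode (staged is recommended; direct is the escape hatch)'
        required: false
        default: staged
        type: choice
        options:
          - staged
          - direct

# Workflow-level default. A job that declares its own `permissions` block does
# NOT inherit this: every scope it leaves unlisted becomes `none` for that job.
permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false # Don't cancel publishing.

jobs:
  publish:
    name: Build and Publish
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      # Re-declared here on purpose: this job-level block replaces the
      # workflow-level one, so without it `contents` would silently become
      # `none` for this job (setup-and-install presumably checks the repo out
      # with GITHUB_TOKEN — confirm against the composite action).
      contents: read
      # Needed for npm provenance via OIDC trusted publishing.
      id-token: write
    steps:
      # SHA-pinned (not a floating ref) so a compromised upstream tag cannot
      # change what runs in a job that holds an id-token: write grant.
      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@5298430fdc1c6a31d1301379e86c46b9c8343853 # main (2026-05-28)
        with:
          socket-api-token: ${{ secrets.SOCKET_API_TOKEN || secrets.SOCKET_API_KEY }}
      - name: Build
        run: pnpm run build
      - name: Publish to npm
        # Default mode: --staged. Socket Firewall v1.12+ allowlists the
        # /-/stage/* endpoints, so `pnpm stage publish` works end-to-end.
        # The mode input is a `choice` of staged|direct; --direct is the
        # escape hatch for environments where the stage path can't reach
        # npm. publish.mts refuses --direct if prior package versions
        # used staging (would downgrade trust evidence).
        #
        # Inputs are passed through `env` rather than interpolated into the
        # script body, so they are never parsed by the shell as code. MODE
        # is additionally constrained to the `choice` options above, which is
        # what makes the unquoted `--${MODE}` below safe; keep it a `choice`
        # if more modes are ever added.
        env:
          DRY_RUN: ${{ inputs.dry-run }}
          MODE: ${{ inputs.mode }}
        run: |
          ARGS="--${MODE:-staged}"
          # Boolean workflow inputs arrive in env as the strings "true"/"false".
          if [ "$DRY_RUN" = "true" ]; then
            ARGS="$ARGS --dry-run"
          fi
          # $ARGS is intentionally unquoted: it holds one or two separate flags.
          node scripts/fleet/publish.mts $ARGS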