From 9a110c1a48a97368e640eaa0dfea4191a194ff44 Mon Sep 17 00:00:00 2001 From: ProxyMesh AI Date: Sat, 21 Mar 2026 21:45:06 +0000 Subject: [PATCH 1/3] ci: derive TAG_NAME from package.json when not a release Use github.event.release.tag_name when set; otherwise set TAG_NAME to v-${version} from package.json so workflow_dispatch matches semver. Accept v0.2.0, 0.2.0, and v-0.2.0 in the version check. Made-with: Cursor --- .github/workflows/publish.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 0e17ea3..b672985 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -29,12 +29,15 @@ jobs: PKG_VERSION="$(node -p "require('./package.json').version")" JSR_VERSION="$(node -p "require('./jsr.json').version")" TAG_NAME="${{ github.event.release.tag_name }}" + if [[ -z "$TAG_NAME" ]]; then + TAG_NAME="v-${PKG_VERSION}" + fi if [[ "$PKG_VERSION" != "$JSR_VERSION" ]]; then echo "Version mismatch: package.json=$PKG_VERSION, jsr.json=$JSR_VERSION" exit 1 fi - if [[ "$TAG_NAME" != "v$PKG_VERSION" && "$TAG_NAME" != "$PKG_VERSION" ]]; then - echo "Release tag '$TAG_NAME' does not match version '$PKG_VERSION' (expected '$PKG_VERSION' or 'v$PKG_VERSION')." + if [[ "$TAG_NAME" != "v$PKG_VERSION" && "$TAG_NAME" != "$PKG_VERSION" && "$TAG_NAME" != "v-${PKG_VERSION}" ]]; then + echo "Release tag '$TAG_NAME' does not match version '$PKG_VERSION' (expected '$PKG_VERSION', 'v$PKG_VERSION', or 'v-${PKG_VERSION}')." exit 1 fi From b9f29149b593a42c572eab9a71a20c9f14d6ba49 Mon Sep 17 00:00:00 2001 From: ProxyMesh AI Date: Sat, 21 Mar 2026 21:57:07 +0000 Subject: [PATCH 2/3] ci: fix npm publish OIDC (omit registry-url placeholder token) setup-node with registry-url injects a dummy NODE_AUTH_TOKEN when unset, so npm publish used that instead of trusted publishing and returned 404. Use Node 22 + npm >=11.5.1 per npm trusted publishing requirements. Made-with: Cursor --- .github/workflows/publish.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index b672985..523b9db 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -15,13 +15,17 @@ jobs: steps: - uses: actions/checkout@v6 + # Omit registry-url: setup-node otherwise sets NODE_AUTH_TOKEN to a placeholder and npm publish uses that instead of OIDC. - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: - node-version: 20 - registry-url: https://registry.npmjs.org + node-version: 22 + check-latest: true cache: npm + - name: Upgrade npm for trusted publishing (OIDC) + run: npm install -g npm@">=11.5.1" + - name: Ensure versions match shell: bash run: | From e1ffa958b317c4c8226e81993e0c7e282ca3e703 Mon Sep 17 00:00:00 2001 From: ProxyMesh AI Date: Sat, 21 Mar 2026 22:05:11 +0000 Subject: [PATCH 3/3] ci: drop unsupported --provenance from jsr publish deno publish (used by jsr) rejects --provenance; use plain npx jsr publish with id-token: write per JSR docs. Made-with: Cursor --- .github/workflows/publish.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 523b9db..96878c5 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -52,7 +52,5 @@ jobs: run: npm publish --access public --provenance - name: Publish to JSR - run: | - # Trusted publishing should authenticate via OIDC; token is intentionally not required here. - npx jsr publish --provenance + run: npx jsr publish