Configure npm trusted publishing for 0.1.0-alpha.3

[hopeatina]

Summary

The code/release repo is ready to publish @useorgx/orgx-opencode-plugin@0.1.0-alpha.2, but npm registry publication is blocked by npm package auth/trusted-publisher settings.

Current evidence

• Main branch package metadata: version: 0.1.0-alpha.2, license: MIT, LICENSE included in package files.
• GitHub prerelease exists: https://github.com/useorgx/orgx-opencode-plugin/releases/tag/v0.1.0-alpha.2
• Publish workflow run: https://github.com/useorgx/orgx-opencode-plugin/actions/runs/26264036962
• Run passed install, typecheck, test, build, and dist-tag resolution.
• Run failed at npm publish --access public --tag alpha with E404 / not permitted.
• Local npm whoami returns E401 Unauthorized.
• npm view @useorgx/orgx-opencode-plugin still reports 0.1.0-alpha.1 and UNLICENSED.

Repo-side cleanup already completed

• PR docs: license OpenCode plugin for public distribution #4 added MIT license metadata and LICENSE: docs: license OpenCode plugin for public distribution #4
• PR chore: prepare OpenCode plugin alpha 2 #5 bumped package to 0.1.0-alpha.2: chore: prepare OpenCode plugin alpha 2 #5
• PR docs: align npm trusted publishing setup #6 aligned the release workflow/docs with current npm trusted-publishing guidance: docs: align npm trusted publishing setup #6

npm settings to verify

In npm package settings for @useorgx/orgx-opencode-plugin, configure trusted publishing:

• Publisher: GitHub Actions
• Organization or user: useorgx
• Repository: orgx-opencode-plugin
• Workflow filename: publish.yml
• Allowed action: npm publish
• Environment name: empty, unless a GitHub environment is later added to the workflow

After npm settings are fixed

Because the original v0.1.0-alpha.2 release ran against the older workflow commit, publish from current main by either recreating the v0.1.0-alpha.2 release/tag after verifying npm settings or making a follow-up alpha release. Then verify with:

npm view @useorgx/orgx-opencode-plugin version license dist-tags --json

Expected: version/dist-tag points to 0.1.0-alpha.2 and license reports MIT.

[hopeatina]

Follow-up alpha release attempt completed from current main.

New evidence

• PR bump OpenCode plugin alpha release #10 merged: bump OpenCode plugin alpha release #10
• Release created: https://github.com/useorgx/orgx-opencode-plugin/releases/tag/v0.1.0-alpha.3
• Publish workflow: https://github.com/useorgx/orgx-opencode-plugin/actions/runs/26268088861
• Workflow passed checkout, setup-node, runtime logging, install, typecheck, tests, build, and dist-tag resolution.
• Publish artifact was @useorgx/orgx-opencode-plugin@0.1.0-alpha.3 with 28 files, including dist/, LICENSE, README.md, package.json, and plugin.manifest.json.
• npm publish --access public --tag alpha still failed with E404/not permitted:
  The requested resource @useorgx/orgx-opencode-plugin@0.1.0-alpha.3 could not be found or you do not have permission to access it.

Current conclusion

Repo-side release packaging is ready. The remaining blocker is still npm package ownership/trusted-publisher authorization for useorgx/orgx-opencode-plugin / @useorgx/orgx-opencode-plugin.

After npm settings are fixed, rerun publication from current main with a follow-up alpha release or rerun an authorized publish flow, then verify:

npm view @useorgx/orgx-opencode-plugin version license dist-tags --json

Expected next successful value: 0.1.0-alpha.3, MIT, alpha dist-tag 0.1.0-alpha.3.

[hopeatina]

Current follow-up: alpha.3 is now the publish target.

Evidence from the latest release run:

• Release: https://github.com/useorgx/orgx-opencode-plugin/releases/tag/v0.1.0-alpha.3
• Publish run: https://github.com/useorgx/orgx-opencode-plugin/actions/runs/26268088861
• Release target: b4210dd2969d3370ed8d393e28197a149f9f4664
• Main branch package metadata is now @useorgx/orgx-opencode-plugin@0.1.0-alpha.3 with MIT license.
• The npm publish job packed the expected alpha.3 tarball with LICENSE, README.md, dist, and plugin.manifest.json.
• Publish still failed at npm publish --access public --tag alpha with E404 Not Found ... @useorgx/orgx-opencode-plugin@0.1.0-alpha.3 could not be found or you do not have permission to access it.
• Local npm whoami still returns E401 Unauthorized.
• Registry still reports 0.1.0-alpha.1 / UNLICENSED.

So the current unblock is npm package ownership/trusted publishing or an authenticated npm session, then rerun/publish alpha.3 or a newer alpha and verify with:

npm view @useorgx/orgx-opencode-plugin version license dist-tags --json

Expected after unblock: 0.1.0-alpha.3 or newer with MIT metadata and the alpha dist-tag pointing at that version.

[hopeatina]

Additional ownership check from the current marketplace continuation:

npm owner ls @useorgx/orgx-opencode-plugin
npm view @useorgx/orgx-opencode-plugin@0.1.0-alpha.1 repository license version --json

Current result: npm owner lookup resolves to the package owner account, while the published package remains 0.1.0-alpha.1 with UNLICENSED metadata and the repository URL points at useorgx/orgx-opencode-plugin. The repo main branch is still 0.1.0-alpha.3 with MIT metadata, and workflow run 26268088861 only failed at the final npm publish step.

Sharper unblock: configure trusted publishing or publish manually from an npm session that has package-owner permission for @useorgx/orgx-opencode-plugin. This is not a packaging/build failure in the GitHub repo; the current evidence points to npm package-owner/trusted-publisher authorization.

[hopeatina]

Reran the alpha.3 release workflow to check whether npm trusted publishing had been fixed externally.

Rerun evidence

• Workflow run: https://github.com/useorgx/orgx-opencode-plugin/actions/runs/26268088861
• Latest publish job: https://github.com/useorgx/orgx-opencode-plugin/actions/runs/26268088861/job/77334736532
• Completed at: 2026-05-22T07:22:47Z
• Install, typecheck, tests, build, and dist-tag resolution passed again.
• Test result: 2 files / 11 tests passed.
• Publish artifact was again @useorgx/orgx-opencode-plugin@0.1.0-alpha.3 with 28 files.
• npm publish --access public --tag alpha still failed with:
  E404 Not Found - PUT https://registry.npmjs.org/@useorgx%2forgx-opencode-plugin
The requested resource @useorgx/orgx-opencode-plugin@0.1.0-alpha.3 could not be found or you do not have permission to access it.
• Registry still reports 0.1.0-alpha.1 / UNLICENSED.

Conclusion is unchanged but now current: repo packaging is ready; npm package-owner/trusted-publisher authorization is still the blocker.

[hopeatina]

Reran the failed Publish to NPM workflow for release v0.1.0-alpha.3 on 2026-05-22.

Evidence:

• Workflow run: https://github.com/useorgx/orgx-opencode-plugin/actions/runs/26268088861
• Rerun job: https://github.com/useorgx/orgx-opencode-plugin/actions/runs/26268088861/job/77345080352
• Job completed: 2026-05-22T08:35:59Z; workflow updated: 2026-05-22T08:36:00Z
• Steps that passed: trusted-publishing runtime check, install dependencies, type check, tests, build, dist-tag resolution
• Failed step: Publish to npm
• npm attempted to publish @useorgx/orgx-opencode-plugin@0.1.0-alpha.3 with tag alpha, then returned E404 Not Found - PUT https://registry.npmjs.org/@useorgx%2forgx-opencode-plugin and could not be found or you do not have permission to access it
• Registry still reports @useorgx/orgx-opencode-plugin as 0.1.0-alpha.1, license UNLICENSED, dist-tags alpha/latest -> 0.1.0-alpha.1

Conclusion unchanged: the package contents and CI prereqs are valid, but npm package ownership/trusted-publisher authorization is still blocking publication of 0.1.0-alpha.3.

[hopeatina]

Reran the failed Publish to NPM workflow for release v0.1.0-alpha.3 again on 2026-05-22 to check whether npm trusted-publisher settings had been fixed.

Evidence:

• Workflow run: https://github.com/useorgx/orgx-opencode-plugin/actions/runs/26268088861
• Rerun job: https://github.com/useorgx/orgx-opencode-plugin/actions/runs/26268088861/job/77347600810
• Job completed: 2026-05-22T08:52:58Z; workflow updated: 2026-05-22T08:52:59Z
• Steps that passed: trusted-publishing runtime check, install dependencies, type check, tests, build, dist-tag resolution
• Failed step: Publish to npm
• npm packed @useorgx/orgx-opencode-plugin@0.1.0-alpha.3 with 28 files, then npm publish --access public --tag alpha returned E404 Not Found - PUT https://registry.npmjs.org/@useorgx%2forgx-opencode-plugin and could not be found or you do not have permission to access it
• Registry still reports @useorgx/orgx-opencode-plugin as 0.1.0-alpha.1, license UNLICENSED, dist-tags alpha/latest -> 0.1.0-alpha.1

Conclusion unchanged: repo packaging and CI prereqs are valid, but npm package ownership/trusted-publisher authorization is still blocking publication of 0.1.0-alpha.3.

[hopeatina]

Additional trusted-publisher diagnostic from the marketplace continuation on 2026-05-22.

Evidence:

• Local runtime is npm 11.11.0 on Node v24.13.0, satisfying npm trusted-publishing runtime requirements.
• GitHub package metadata on main is @useorgx/orgx-opencode-plugin@0.1.0-alpha.3 with MIT license.
• Publish workflow .github/workflows/publish.yml has permissions: id-token: write, uses GitHub-hosted ubuntu-latest, runs on release publish, and publishes with npm publish --access public --tag alpha.
• Public npm metadata still shows 0.1.0-alpha.1, UNLICENSED, and maintainer hopeatina <hopeatina@gmail.com>.
• npm trust list @useorgx/orgx-opencode-plugin --json from the current machine returns E401 Unauthorized ... You must be logged in to publish packages.
• npm whoami also returns E401 Unauthorized.

Conclusion: no additional repo/workflow patch is indicated from this diagnostic. The remaining unblock is an npm package-owner session or npmjs.com trusted-publisher configuration for useorgx/orgx-opencode-plugin / .github/workflows/publish.yml, then rerun the existing release workflow.

[hopeatina]

Fresh continuation check at 2026-05-22T10:20:50Z.

Current evidence:

• Public npm still reports @useorgx/orgx-opencode-plugin as 0.1.0-alpha.1, license UNLICENSED, with alpha/latest -> 0.1.0-alpha.1.
• npm owner ls @useorgx/orgx-opencode-plugin still resolves to hopeatina <hopeatina@gmail.com>.
• Local runtime is npm 11.11.0 and Node v24.13.0, which satisfies the current npm trusted-publishing runtime floor.
• Current npm trusted-publishing docs require GitHub Actions, GitHub-hosted runners, id-token: write, repository/workflow match, workflow filename publish.yml, and allowed action npm publish; the repo workflow on main matches those repo-side requirements.
• .github/workflows/publish.yml uses actions/setup-node@v6, node-version: 24, registry-url: https://registry.npmjs.org, package-manager-cache: false, permissions.id-token: write, and npm publish --access public --tag alpha.
• package.json on main is @useorgx/orgx-opencode-plugin@0.1.0-alpha.3 with MIT license and repository URL git+https://github.com/useorgx/orgx-opencode-plugin.git.
• npm trust list @useorgx/orgx-opencode-plugin --json still returns E401 Unauthorized ... You must be logged in to publish packages; npm whoami also returns E401 Unauthorized.

Conclusion remains: no repo/workflow patch is indicated. The remaining action must happen from an npm package-owner session on npmjs.com: add or fix the Trusted Publisher entry for GitHub Actions with GitHub owner useorgx, repository orgx-opencode-plugin, workflow filename publish.yml, allowed action npm publish, and no environment name, then rerun the existing v0.1.0-alpha.3 release workflow or publish a newer alpha.

Verification after unblock remains:

npm view @useorgx/orgx-opencode-plugin version license dist-tags --json

Expected: 0.1.0-alpha.3 or newer, license MIT, and alpha pointing to that version.

[hopeatina]

Fresh rerun check at 2026-05-22T10:46:26Z.\n\nEvidence:\n- Workflow run: https://github.com/useorgx/orgx-opencode-plugin/actions/runs/26268088861\n- Latest rerun job: https://github.com/useorgx/orgx-opencode-plugin/actions/runs/26268088861/job/77364585693\n- Release target: b4210dd\n- Passed: checkout, setup-node, trusted-publishing runtime check, install, typecheck, tests, build, and dist-tag resolution.\n- Failed step: npm publish --access public --tag alpha.\n- npm packed @useorgx/orgx-opencode-plugin@0.1.0-alpha.3 with 28 files, including LICENSE, README.md, dist/, package.json, and plugin.manifest.json.\n- Publish still failed with E404 Not Found / permission: PUT https://registry.npmjs.org/@useorgx%2forgx-opencode-plugin; requested resource @useorgx/orgx-opencode-plugin@0.1.0-alpha.3 could not be found or you do not have permission to access it.\n- Public npm still reports version 0.1.0-alpha.1, license UNLICENSED, alpha/latest -> 0.1.0-alpha.1, maintainer hopeatina hopeatina@gmail.com.\n\nConclusion remains current: this is still npm package-owner/trusted-publisher authorization, not a repo packaging/build/test failure.

[hopeatina]

Latest alpha.3 rerun remains blocked at npm publish.

Evidence from the current failed job:

• Workflow run: https://github.com/useorgx/orgx-opencode-plugin/actions/runs/26268088861
• Latest rerun job: https://github.com/useorgx/orgx-opencode-plugin/actions/runs/26268088861/job/77366715183
• Completed: 2026-05-22T11:01:05Z
• Passed before publish: install dependencies, typecheck, tests, build, dist-tag resolution
• Publish artifact: @useorgx/orgx-opencode-plugin@0.1.0-alpha.3, 28 files, includes dist/, LICENSE, README.md, package.json, and plugin.manifest.json
• Publish failure: npm publish --access public --tag alpha returned E404 on PUT https://registry.npmjs.org/@useorgx%2forgx-opencode-plugin, with npm reporting the package version could not be found or the publisher lacks permission.

Current registry state after the failed rerun:

{
  "version": "0.1.0-alpha.1",
  "license": "UNLICENSED",
  "dist-tags": {
    "alpha": "0.1.0-alpha.1",
    "latest": "0.1.0-alpha.1"
  },
  "maintainers": [
    "hopeatina <hopeatina@gmail.com>"
  ]
}

This still points to npm package-owner publish authorization or trusted-publisher settings outside the repo, not repo packaging/build/test failure.