Commit a210b2a

Fix npm publish workflow for trusted publishing (#143)
Closes o1-labs/o1js-site#3. Sibling of PR #142.

## Summary

- Remove `registry-url` from `actions/setup-node`: it generates an `.npmrc` that conflicts with npm's OIDC trusted publishing authentication
- Add `--provenance` to `npm publish`: signs the package with a build attestation linking it to this repo and workflow
- Add `workflow_dispatch` trigger: allows manual publishes from the GitHub Actions UI
- NOTE:
  - This PR does everything as PR #142. However, #142 didn't add `--provenance`. Without it, the `id-token: write` permission is set up but never actually used. The OIDC token gets requested but `npm publish` doesn't attach it as a signed attestation to the package. So it's a fix on top of what PR #142 had.

## Publishing process

### Pre-release steps

1. Bump the version in `package.json` (e.g. `npm version patch` / `minor` / `major`)
2. Commit the version bump
3. Tag the commit: `git tag v<version>` (e.g. `git tag v0.1.0`)
4. Push both: `git push origin main --tags`

The workflow triggers automatically on the `v*` tag push. It will:

1. Install dependencies (`npm ci`)
2. Build the package (`npm run build`)
3. Run tests (`npm test`)
4. Publish to npm with provenance attestation

Alternatively, you can trigger the workflow manually from the [Actions tab](../../actions/workflows/publish-npm.yml) using "Run workflow" on any branch.

### Prerequisites

- npm trusted publishing must be configured for this package on npmjs.com, linking it to this GitHub repo (already done by Leon)
- The version in `package.json` must not already be published on npm

## Test plan

- [ ] Trigger workflow manually via `workflow_dispatch` to verify it authenticates and publishes correctly
- [ ] Verify the published package on `npmjs.com` shows provenance information

1 parent 40ec094 commit a210b2a

1 file changed

Lines changed: 2 additions & 2 deletions

.github/workflows/publish-npm.yml

@@ -1,6 +1,7 @@
11
name: Publish Package
22

33
on:
4+
workflow_dispatch:
45
push:
56
tags:
67
- 'v*'
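
Review bot: the `workflow_dispatch:` trigger added under `on:` takes no inputs, and nothing in the visible lines restricts which ref a manual run may start from, so a run launched from any branch reaches the publish step with whatever version that branch's `package.json` carries. Consider gating the publish job, for example with an `if:` condition that requires `github.ref` to be a `v*` tag or the default branch, or a protected environment with required reviewers, so that a manual run cannot publish branch contents that were never tagged for release.
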
@@ -18,12 +19,11 @@ jobs:
1819
- uses: actions/setup-node@v4
1920
with:
2021
node-version: '20'
21-
registry-url: 'https://registry.npmjs.org'
2222

2323
# Ensure npm 11.5.1 or later is installed
2424
- name: Update npm
2525
run: npm install -g npm@latest
2626
- run: npm ci
2727
- run: npm run build --if-present
2828
- run: npm test
29-
- run: npm publish
29+
- run: npm publish --provenance
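
Review bot: `npm install -g npm@latest` stays unpinned in the same job that now runs `npm publish --provenance`, although the comment above it only requires 11.5.1 or later. Pinning to a known version, or at least a major range such as `npm@11`, would keep the release toolchain reproducible and prevent a new npm release from changing behaviour in the publishing job. With `registry-url` removed, it is also worth confirming that no other step relies on the `.npmrc` that `setup-node` used to write.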
