joaoh82 / rust_sqlite / 24928649142
69%

Build:
DEFAULT BRANCH: main
Ran 25 Apr 2026 10:21AM UTC
Jobs 1
Files 29
Run time 1min
25 Apr 2026 10:17AM UTC coverage: 66.922%. Remained the same
24928649142

push

github

web-flow
release.yml: drop registry-url to fix publish-nodejs OIDC (#32)

The v0.1.5 canary's publish-nodejs job failed with:

  404 Not Found - PUT https://registry.npmjs.org/@joaoh82%2fsqlrite
  '@joaoh82/sqlrite@0.1.5' is not in this registry.

The package exists (placeholder published manually), trusted
publisher is configured. The 404 is npm's misleading way of
saying "your auth doesn't grant publish access" — same response
they use for non-existent packages, presumably to avoid leaking
existence info to attackers.

Root cause: I had `registry-url: 'https://registry.npmjs.org'`
on `actions/setup-node@v4`. That makes setup-node generate an
`.npmrc` containing `_authToken=${NODE_AUTH_TOKEN}`, which
forces npm CLI into token-based auth and bypasses the OIDC
trusted-publisher pathway entirely. Even though
`permissions: id-token: write` is granted on the job, npm never
mints an OIDC token because the .npmrc tells it to use
NODE_AUTH_TOKEN — which is empty/unset in our setup, so the
"auth" is no auth, and npm rejects with 404.

Fix:

  - Drop `registry-url` from setup-node so no `.npmrc` is
    generated. npm CLI ≥ 11.5 then auto-detects the GitHub
    Actions OIDC environment via ACTIONS_ID_TOKEN_REQUEST_URL
    and exchanges an OIDC token at npm for a one-time publish
    token. This is the documented npm trusted-publishing flow
    (https://docs.npmjs.com/trusted-publishers).

  - Add an explicit `npm install -g npm@latest` step. Node 20
    LTS ships with npm 10.x; trusted-publishing auto-detection
    landed in npm 11.5. Without the upgrade, the runner's
    bundled npm wouldn't recognize the OIDC environment at all
    and would also fall back to NODE_AUTH_TOKEN (empty) auth.

  - Drop the explicit `--provenance` flag and the
    `NPM_CONFIG_PROVENANCE: true` env. With OIDC trusted
    publishing, provenance is automatically attached by the
    publish flow. The explicit flag combined with no auth
    token would error under the older token-auth pathway.
... (continued)
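An added example, not code from this repository or from npm: a small lint that flags, in a workflow file, the three conditions the fix list above addresses. The workflow text is constructed, and the two-space job indentation, the function names and the finding labels are assumptions of this sketch.

```python
import re

# Constructed workflow fragment, not the repository's actual release.yml.
BEFORE = """\
jobs:
  publish-nodejs:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: 'https://registry.npmjs.org'
      - run: npm publish --provenance
"""
# The same job after the three changes listed in the commit message.
AFTER = (BEFORE
         .replace("          registry-url: 'https://registry.npmjs.org'\n", "")
         .replace("      - run: npm publish --provenance\n",
                  "      - run: npm install -g npm@latest\n      - run: npm publish\n"))


def split_jobs(text):
    """Map job name -> job body; assumes jobs sit two spaces under `jobs:`."""
    m = re.search(r"^jobs:[ \t]*$", text, re.M)
    if not m:
        return {}
    parts = re.split(r"^  ([\w-]+):[ \t]*$", text[m.end():], flags=re.M)
    return dict(zip(parts[1::2], parts[2::2]))


def lint_trusted_publishing(text):
    """Return (job, label) findings for jobs that request OIDC and run npm publish."""
    findings = []
    for job, body in split_jobs(text).items():
        oidc = re.search(r"^\s*id-token:\s*write\b", body, re.M)
        if not (oidc and re.search(r"\bnpm publish\b", body)):
            continue  # only jobs that publish with id-token: write are in scope
        has_token = re.search(r"\bNODE_AUTH_TOKEN\s*:", body)
        if re.search(r"^\s*registry-url:", body, re.M) and not has_token:
            findings.append((job, "registry-url"))  # .npmrc points npm at an unset token
        if not re.search(r"npm install -g npm@", body):
            findings.append((job, "npm-not-upgraded"))  # bundled npm may predate 11.5
        if re.search(r"--provenance\b|NPM_CONFIG_PROVENANCE", body):
            findings.append((job, "explicit-provenance"))  # not needed under OIDC
    return findings


if __name__ == "__main__":
    for name, wf in (("before", BEFORE), ("after", AFTER)):
        print(name, lint_trusted_publishing(wf))
```

The `npm-not-upgraded` finding is a heuristic based on the commit message's Node 20 case; a runner whose bundled npm is already 11.5 or later would not need the upgrade step.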

4012 of 5995 relevant lines covered (66.92%)

1.23 hits per line

Jobs
ID | Job ID | Ran | Files | Coverage
1 | 24928649142.1 | 25 Apr 2026 10:21AM UTC | 29 | 66.92
  • fabdbbea on github