Consolidates publish.yml improvements (address-book choice, Read package info, Tag release) from reo-deployment branches plus new interfaces and toolshed package choices and a dry_run boolean input so auth/packaging can be verified without burning a version.
Replace GRAPHPROTOCOL_NPM_TOKEN with GitHub OIDC (id-token: write) and pnpm --provenance so the workflow mints a short-lived credential and attaches a SLSA build attestation. Each target package needs its own Trusted Publisher entry on npmjs.com (owner: graphprotocol, repo: contracts, workflow: publish.yml); verify per-package via a dry_run dispatch before a real publish. Pattern follows graphprotocol/graph-node#6460. contents: write is retained so the existing Tag release step can push the annotated tag.
pnpm publish delegates registry auth to the underlying npm CLI, which needs to be >= 11.5.1 to exchange the GitHub OIDC token for an npm publish credential. The shared setup action brings Node 22 which ships an older npm; install the latest npm globally in the publish job before pnpm publish runs. Pattern follows eslint/config-inspector#174.
The repo's root package.json declares pnpm@10.28.0 as the packageManager, but the shared setup action's corepack prepare step pinned the older 10.17.0. Resolve the drift by matching the declared version. Minor-version bump within pnpm 10.x; affects lint, build-test, verifydeployed, and publish workflows that share this setup.
Pull request overview
Migrates the manual publish workflow from an npm token (GRAPHPROTOCOL_NPM_TOKEN) to npm OIDC trusted publishing via GitHub Actions, adding provenance and optional dry-run behavior for safer releases.
Changes:
- Switch publishing auth from a registry token to GitHub OIDC, enabling `--provenance`.
- Add a `dry_run` input and expand the package selection list in the publish workflow.
- Sync the composite setup action's Corepack-activated pnpm version with the repo's `packageManager`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| .github/workflows/publish.yml | Updates workflow_dispatch inputs, adds OIDC permissions, upgrades npm for OIDC publish, adds provenance + optional dry-run, and pushes a <pkg>@<version> git tag on real publishes. |
| .github/actions/setup/action.yml | Bumps Corepack pnpm activation version to match root packageManager. |
Reproducibility: pinning avoids surprise behavior changes or Node engine bumps from a future npm "latest". Bump the pin intentionally; only constraint is npm >= 11.5.1 for OIDC trusted publishing.
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage diff (main vs #1324):

| | main | #1324 | +/- |
|---|---|---|---|
| Coverage | 88.55% | 88.55% | |
| Files | 75 | 75 | |
| Lines | 4615 | 4615 | |
| Branches | 981 | 823 | -158 |
| Hits | 4087 | 4087 | |
| Misses | 507 | 507 | |
| Partials | 21 | 21 | |
Token-based auth using `GRAPHPROTOCOL_NPM_TOKEN` is no longer working and we need to migrate to NPM OIDC trusted publishing.

Changes

- Add `id-token: write` permission and `--provenance` to the publish command, which also attaches a sigstore attestation tying each tarball to this commit.
- `pnpm publish` shells out to npm for registry auth; npm ≥ 11.5.1 is required for OIDC trusted publishing, so we `npm install -g npm@latest` before publishing.
- Add `address-book`, `interfaces`, and `toolshed` to the package dropdown; add a `dry_run` input that runs `pnpm publish --dry-run` and skips the git tag step; on real runs, push a `<pkg>@<version>` git tag (requires `contents: write`).
- Match the setup action's Corepack pnpm version to the root `packageManager` field, avoiding a version mismatch warning.

Enabling trusted publishing

Trusted publishing needs to be enabled per package on npmjs.com before the first run, otherwise auth will fail:

- `@graphprotocol/contracts` — Settings → Trusted Publisher → GitHub Actions, repo `graphprotocol/contracts`, workflow `publish.yml`, env (none)
- `@graphprotocol/sdk`
- `@graphprotocol/interfaces`
- `@graphprotocol/toolshed`
- `@graphprotocol/address-book`

Existing 2FA / publish-token settings can stay; trusted publishing is additive.

Testing

Local validation with `act` was attempted but doesn't exercise the meaningful steps (no real OIDC token, npm self-upgrade breaks under act's tool cache). Plan post-merge:

- Dispatch with `package=toolshed`, `dry_run=true` from the Actions tab — expect setup → npm upgrade → `pnpm publish --dry-run` to succeed, no tag pushed.
- Dispatch again with `dry_run=false` for a real publish of one package.
- Check that the `<pkg>@<version>` tag lands on the repo and the published tarball shows a provenance badge on npmjs.com.
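The commit messages and the Changes list above describe the same mechanism (OIDC instead of a registry token, npm upgraded past 11.5.1 so pnpm's delegated auth can do the token exchange, `--provenance`, a `dry_run` input, and a tag push gated on a real publish). The job below is an added example of how those pieces fit together in one workflow; it is not the PR's `publish.yml`. Assumptions not taken from the page: packages live under `packages/<name>`, the shared setup action is `./.github/actions/setup`, npm is pinned to `11.5.1` (the PR text uses `npm@latest`; the pinning comment above argues for an explicit pin, and any version at or above 11.5.1 works), the tag is built from the scoped name in `package.json`, and the git identity used for the annotated tag is the generic Actions bot.

```yaml
# Added example, not the project's publish.yml. See the lead-in for what is assumed.
name: publish

on:
  workflow_dispatch:
    inputs:
      package:
        description: Package to publish
        type: choice            # choice, not string: the value is interpolated into shell below
        required: true
        options: [contracts, sdk, interfaces, toolshed, address-book]
      dry_run:
        description: Verify auth and packaging without publishing or tagging
        type: boolean
        default: false

# No workflow-level permissions block, so every job starts from none and
# only the publish job is granted what it needs.
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # Tag release step pushes the annotated tag
      id-token: write   # lets npm mint the OIDC token it exchanges for a publish credential
    steps:
      - uses: actions/checkout@v4

      - uses: ./.github/actions/setup   # assumed path; brings Node 22 and the pinned pnpm

      # pnpm publish hands registry auth to the npm CLI, and only npm >= 11.5.1
      # knows how to exchange the GitHub OIDC token. Fail here, with a clear
      # message, rather than at publish time if the upgrade did not take effect.
      - name: Upgrade npm for OIDC trusted publishing
        run: |
          npm install -g npm@11.5.1
          required=11.5.1
          installed="$(npm --version)"
          if [ "$(printf '%s\n' "$required" "$installed" | sort -V | head -n1)" != "$required" ]; then
            echo "npm $installed is too old for trusted publishing (need >= $required)" >&2
            exit 1
          fi

      - name: Read package info
        id: pkg
        working-directory: packages/${{ inputs.package }}
        run: |
          echo "name=$(node -p "require('./package.json').name")" >> "$GITHUB_OUTPUT"
          echo "version=$(node -p "require('./package.json').version")" >> "$GITHUB_OUTPUT"

      # No NODE_AUTH_TOKEN and no _authToken in .npmrc: with id-token: write and a
      # new enough npm, the CLI performs the OIDC exchange on its own.
      # --provenance attaches the sigstore attestation binding the tarball to this commit.
      - name: Publish
        working-directory: packages/${{ inputs.package }}
        run: pnpm publish --provenance ${{ inputs.dry_run && '--dry-run' || '' }}

      # Skipped on dry runs so a rehearsal never leaves a tag behind.
      - name: Tag release
        if: ${{ !inputs.dry_run }}
        run: |
          tag="${{ steps.pkg.outputs.name }}@${{ steps.pkg.outputs.version }}"
          git config user.name "github-actions[bot]"
          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
          git tag -a "$tag" -m "Release $tag"
          git push origin "refs/tags/$tag"
```

Two things worth checking when adapting this: the `package` input is a `choice` so that the value spliced into `working-directory` and the `run:` scripts can only be one of the listed names, and the job must not carry a registry token anywhere (secret, `NODE_AUTH_TOKEN`, or a `_authToken` line written by a setup step), otherwise the CLI uses that token instead of the OIDC exchange and the Trusted Publisher entry on npmjs.com is never exercised. A `dry_run=true` dispatch exercises everything up to and including the OIDC exchange and the packed tarball, which is the per-package verification the commit message above asks for.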