ci: publish /snapshot alphas to GitHub Packages instead of npmjs#109
Closed
RuudBurger wants to merge 1 commit into
Closed
ci: publish /snapshot alphas to GitHub Packages instead of npmjs#109RuudBurger wants to merge 1 commit into
RuudBurger wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Follow-up to #108. The
/snapshotOIDC publish 404s because npm trusted publishing is bound torelease-packages.yml, notsnapshot.yml(npm masks the permission failure as 404 on the restricted-scope@plextv/*packages). Rather than fight npm's single-trusted-publisher limit, this points/snapshotat GitHub Packages (theplextvorg registry) so alphas stay internal and never touch public npm.What changed
@plextvscope →https://npm.pkg.github.com/(viasetup-noderegistry-url+scope, and apublishConfig.registryrewrite per package at publish time).PLEXTV_PACKAGES_TOKENsecret instead of OIDC.@plextv/*map to the plextv GitHub org, and this repo is in plexinc, so the defaultGITHUB_TOKENcan't publish them cross-org.publishConfigandNPM_CONFIG_PROVENANCE=false— GitHub Packages has no sigstore attestation, so the npmjs provenance would fail.id-token: write(no OIDC anymore).Required before this works — you need to do these:
write:packageson the plextv org (classic PAT, or a GitHub App installed on plextv) and add it as thePLEXTV_PACKAGES_TOKENrepo secret here.GITHUB_TOKENwon't do it (wrong org).main.Consuming an alpha in the Plex client (temporary, for testing):
Then pin each
@plextv/*catalog:entry inpnpm-workspace.yamlto the published0.0.0-<PR#>-<datetime>version andpnpm install. The client's~/.npmrcGitHub token needsread:packageson the plextv org. Because a scope resolves from a single registry, this routes all@plextv/*to GitHub Packages while testing — fine, since the snapshot publishes every@plextv/*package at that version. Revert the.npmrcline and catalog pins when done.Once merged and the token's in place, comment
/snapshoton a react-lightning PR to get an internal alpha.