From 91164df048e7656539fff192fdc3dee01d57c674 Mon Sep 17 00:00:00 2001 From: Dion Low Date: Tue, 16 Dec 2025 14:48:44 -0800 Subject: [PATCH 1/7] fix: add --access public flag to npm publish command MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fixes npm publish failure for scoped package @amp-labs/react - npm requires explicit --access public for scoped packages - Without this flag, npm assumes private access which causes "Not found" error - Bump version to 2.9.12 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- .github/workflows/npm-publish.yml | 2 +- package.json | 2 +- src/services/version.ts | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 3f1040f0..dc6e66e7 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -43,7 +43,7 @@ jobs: - name: Publish to npm id: publish_to_npm - run: echo "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}" > ~/.npmrc && yarn publish --non-interactive --tag ${{ github.event.inputs.tag }} + run: echo "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}" > ~/.npmrc && yarn publish --non-interactive --access public --tag ${{ github.event.inputs.tag }} env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/package.json b/package.json index ced9063f..6e8d8aa6 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@amp-labs/react", - "version": "2.9.11", + "version": "2.9.12", "description": "Ampersand React library.", "author": { "name": "Ampersand Labs", diff --git a/src/services/version.ts b/src/services/version.ts index 78ca0919..43fb0d1b 100644 --- a/src/services/version.ts +++ b/src/services/version.ts @@ -1 +1 @@ -export const LIB_VERSION = "2.9.11"; +export const LIB_VERSION = "2.9.12"; From b49b7776213cd6102dfcd32e8f9dc74e331d977d Mon Sep 17 00:00:00 2001 
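Review bot: The rewritten `run:` line in the npm-publish.yml hunk still expands `${{ github.event.inputs.tag }}` directly into the shell command, so the workflow_dispatch input is substituted before bash parses the line and a value such as `latest; curl … | sh` would execute in a job holding `NPM_TOKEN`. Pass it through the environment instead: add `TAG: ${{ github.event.inputs.tag }}` beside `NODE_AUTH_TOKEN` in the step's `env:` block and end the command with `--tag "$TAG"`. Dispatching the workflow requires write access to the repository, which limits who can supply the value, but the env-var form is the documented defence and costs nothing. Separately, the manual `echo … > ~/.npmrc` leaves the long-lived token on disk for the remainder of the job; `registry-url:` on actions/setup-node with `NODE_AUTH_TOKEN` gives the same result without that.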
From: Dion Low Date: Tue, 16 Dec 2025 14:50:37 -0800 Subject: [PATCH 2/7] feat: add dry-run support to npm publish workflow MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add dry_run input parameter (boolean, defaults to false) - When enabled, runs npm publish --dry-run instead of actual publish - Skips git push when dry_run is enabled - Use github.ref instead of hardcoded 'main' to support running from branches This allows testing the publish workflow without actually publishing to npm. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- .github/workflows/npm-publish.yml | 18 +++++++++++++++--- 1 file changed, 15 insertions(+), 3 deletions(-) diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index dc6e66e7..0c3a885c 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -10,6 +10,11 @@ on: description: 'Tag for the SDK version' required: true default: 'latest' + dry_run: + description: 'Dry run (test without actually publishing)' + required: false + type: boolean + default: false jobs: publish: @@ -20,7 +25,7 @@ jobs: with: fetch-depth: 0 token: ${{ secrets.AMPERSAND_OPS_PAT }} - ref: main + ref: ${{ github.ref }} - name: Set up Node.js uses: actions/setup-node@v3 
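Review bot: The `tag` input visible in context is free text (`required: true`, no `type:`) and is later interpolated into the publish command, yet this hunk only constrains the new, lower-risk `dry_run` input with `type: boolean`. Declare the dist-tag as a choice so the workflow can only publish under an expected tag: `type: choice` with `options: [latest, next, beta]` (whichever set the project actually uses) under the existing `tag:` input. That also removes the ambiguity of a typo like `lates` silently creating a new dist-tag on the registry.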
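Review bot: Replacing `ref: main` with `ref: ${{ github.ref }}` means a dispatch from any branch now checks out, publishes and (via the later push step) commits back on that branch, so an unreviewed feature branch can become the package's `latest`. Since the stated purpose is testing without publishing, gate the real publish on main instead, for example `if: github.ref == 'refs/heads/main' || github.event.inputs.dry_run == 'true'` on the publish step, so other refs can only dry-run. The checkout also still uses `AMPERSAND_OPS_PAT`, which actions/checkout persists into `.git/config` by default, so every later step, including dependency installation and its lifecycle scripts, can read that PAT; `persist-credentials: false` with an explicit token on the push step would narrow that exposure.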
@@ -43,12 +48,19 @@ jobs: - name: Publish to npm id: publish_to_npm - run: echo "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}" > ~/.npmrc && yarn publish --non-interactive --access public --tag ${{ github.event.inputs.tag }} + run: | + echo "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}" > ~/.npmrc + if [ "${{ github.event.inputs.dry_run }}" = "true" ]; then + echo "Running dry-run publish..." + npm publish --dry-run --access public --tag ${{ github.event.inputs.tag }} + else + yarn publish --non-interactive --access public --tag ${{ github.event.inputs.tag }} + fi env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Push changes back to repository - if: steps.publish_to_npm.conclusion == 'success' + if: steps.publish_to_npm.conclusion == 'success' && github.event.inputs.dry_run != 'true' run: | git config --global user.email "devops@withampersand.com" git config --global user.name "Ampersand Ops" From abdc0ad74c74a6594130b23b6983485452372313 Mon Sep 17 00:00:00 2001 From: Dion Low Date: Tue, 16 Dec 2025 14:58:24 -0800 Subject: [PATCH 3/7] fix: use npm publish instead of yarn publish for consistency --- .github/workflows/npm-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 0c3a885c..b8603334 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -54,7 +54,7 @@ jobs: echo "Running dry-run publish..." npm publish --dry-run --access public --tag ${{ github.event.inputs.tag }} else - yarn publish --non-interactive --access public --tag ${{ github.event.inputs.tag }} + npm publish --access public --tag ${{ github.event.inputs.tag }} fi env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} From 039d6ca12ca218cbc51f3345ba97c7261503dd16 Mon Sep 17 00:00:00 2001 
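Review bot: The `echo … > ~/.npmrc` line now runs before the `dry_run` test, so even a dry run writes the real `NPM_TOKEN` to disk although the dry-run branch never needs to authenticate. Move the echo into the `else` branch so the token is only materialised for a real publish, or drop it and let actions/setup-node's `registry-url:` supply auth from `NODE_AUTH_TOKEN`. Both branches also still splice `${{ github.event.inputs.tag }}` into the shell text; `--tag "$TAG"` with `TAG` set in the step's `env:` is the injection-safe form.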
From: Dion Low Date: Tue, 16 Dec 2025 15:43:24 -0800 Subject: [PATCH 4/7] feat: migrate to npm trusted publishers (OIDC) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add id-token: write permission for OIDC authentication - Add contents: write permission for git push operations - Use --provenance flag to generate attestation - Remove NPM_TOKEN secret dependency (no longer needed) - More secure: uses short-lived tokens from GitHub OIDC Requires trusted publisher to be configured on npm for @amp-labs/react. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- .github/workflows/npm-publish.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index b8603334..a251fd49 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -19,6 +19,9 @@ on: jobs: publish: runs-on: ubuntu-latest + permissions: + contents: write + id-token: write steps: - uses: actions/checkout@v2 @@ -49,15 +52,12 @@ jobs: - name: Publish to npm id: publish_to_npm run: | - echo "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}" > ~/.npmrc if [ "${{ github.event.inputs.dry_run }}" = "true" ]; then echo "Running dry-run publish..." npm publish --dry-run --access public --tag ${{ github.event.inputs.tag }} else - npm publish --access public --tag ${{ github.event.inputs.tag }} + npm publish --provenance --access public --tag ${{ github.event.inputs.tag }} fi - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Push changes back to repository if: steps.publish_to_npm.conclusion == 'success' && github.event.inputs.dry_run != 'true' From 353850bcebacb443e3c63f15095c0bfcba90a365 Mon Sep 17 00:00:00 2001 
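Review bot: `id-token: write` is granted job-wide, so every step in `publish`, including `npm i -g yarn` and whatever install/build steps follow, can mint an OIDC token that npm will accept as this trusted publisher; a malicious postinstall script in a dependency could cut a release. Consider building and packing in a separate job that has no `id-token` permission and uploads the tarball as an artifact, with a publish-only job that holds `id-token: write`, or at minimum install with `--ignore-scripts`. npm matches a trusted publisher on repository and workflow filename plus an optional environment, not on branch, and this workflow now checks out `github.ref`; binding the job to a GitHub environment, `environment: npm-publish`, with deployment branch rules limited to `main` and registering that environment name on npm closes that gap. Whether `contents: write` is also needed depends on whether the push-back step keeps using the PAT persisted by checkout or is switched to `GITHUB_TOKEN`.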
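Review bot: With the `env:` block removed nothing in the step records where the credential now comes from, and it is not clear that `npm publish --dry-run` performs the OIDC token exchange, so the dry-run path may not validate the trusted-publisher binding before a real release. Add a comment above the step, e.g. `# Auth is GitHub OIDC (permissions.id-token) against the npm trusted publisher for @amp-labs/react; no NPM_TOKEN secret is used`, and treat the first real publish as the actual test of the setup. The `--tag ${{ github.event.inputs.tag }}` interpolation is unchanged and still belongs in an env var with `"$TAG"` in the command.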
From: Dion Low Date: Tue, 16 Dec 2025 15:49:49 -0800 Subject: [PATCH 5/7] fix: configure registry-url for OIDC authentication --- .github/workflows/npm-publish.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index a251fd49..94d77566 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -35,7 +35,7 @@ jobs: with: node-version: '20' cache: 'npm' - always-auth: true + registry-url: 'https://registry.npmjs.org' - name: Install yarn run: npm i -g yarn From 2620862407a2d7e24f95feb4630fc9413cfbc1b9 Mon Sep 17 00:00:00 2001 From: Dion Low Date: Tue, 16 Dec 2025 16:01:51 -0800 Subject: [PATCH 6/7] chore: simplify npm publish commands for OIDC MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove --access public flag (not needed with OIDC) - Remove --provenance flag (handled automatically by OIDC) - Follow npm trusted publisher documentation recommendations 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- .github/workflows/npm-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 94d77566..417a5c88 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -54,9 +54,9 @@ jobs: run: | if [ "${{ github.event.inputs.dry_run }}" = "true" ]; then echo "Running dry-run publish..." - npm publish --dry-run --access public --tag ${{ github.event.inputs.tag }} + npm publish --dry-run --tag ${{ github.event.inputs.tag }} else - npm publish --provenance --access public --tag ${{ github.event.inputs.tag }} + npm publish --tag ${{ github.event.inputs.tag }} fi - name: Push changes back to repository From e604f754997d3c258402387ad019ae49b43b6769 Mon Sep 17 00:00:00 2001 
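Review bot: `registry-url:` makes setup-node write an `.npmrc` that expects `NODE_AUTH_TOKEN`, which this workflow no longer sets, so authentication now rests entirely on the npm CLI's OIDC support, and npm trusted publishing requires npm 11.5.1 or newer while `node-version: '20'` bundles a 10.x npm (true at the time of writing; confirm with `npm --version` on the runner). Add an explicit upgrade right after this step, `- run: npm install -g npm@latest` (or pin a known 11.x), otherwise the real publish fails with an auth error that the dry-run path will not surface.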
From: Dion Low Date: Tue, 16 Dec 2025 16:09:14 -0800 Subject: [PATCH 7/7] fix: add --access public flag back for scoped package --- .github/workflows/npm-publish.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 417a5c88..3975ba03 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml @@ -54,9 +54,9 @@ jobs: run: | if [ "${{ github.event.inputs.dry_run }}" = "true" ]; then echo "Running dry-run publish..." - npm publish --dry-run --tag ${{ github.event.inputs.tag }} + npm publish --dry-run --access public --tag ${{ github.event.inputs.tag }} else - npm publish --tag ${{ github.event.inputs.tag }} + npm publish --access public --tag ${{ github.event.inputs.tag }} fi - name: Push changes back to repository
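Review bot: After seven revisions both publish commands still read `--tag ${{ github.event.inputs.tag }}`, i.e. the workflow_dispatch input is expanded into the shell script before bash sees it, which is the script-injection pattern GitHub's hardening guide warns about. Move both inputs into the step's environment and quote them; with `id-token: write` on this job, anything injected here runs as the npm trusted publisher, so the blast radius is a provenance-signed malicious release.
```yaml
        env:
          TAG: ${{ github.event.inputs.tag }}
          DRY_RUN: ${{ github.event.inputs.dry_run }}
        run: |
          if [ "$DRY_RUN" = "true" ]; then
            # … unchanged: dry-run echo …
            npm publish --dry-run --access public --tag "$TAG"
          else
            npm publish --access public --tag "$TAG"
          fi
```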