fix(versioner): publish with npm via OIDC

[charliecreates]

This PR contains a:

• bugfix
• feature
• refactor
• documentation
• other

Are tests included?

• yes
• no

Breaking Changes?

• yes
• no

Description

• Updates @dot/versioner to publish using an OIDC-capable npm CLI (pnpm pack + pnpm dlx npm@11.5.1 publish --provenance) instead of pnpm publish.
• Adds --registry support (defaulting to https://registry.npmjs.org) and logs the publish target registry.
• Validates pnpm pack output by requiring exactly one .tgz tarball (fail fast if 0 or >1).
• Updates .github/workflows/release.yml + .npmrc to remove NPM_TOKEN/NODE_AUTH_TOKEN usage and request id-token: write, and fixes release integrity by checking out the triggering ref (no ref: master) with fetch-depth: 0.

Refs shellscape/jsx-email#395.

Verification

$ pnpm install --frozen-lockfile
$ pnpm -r build
$ pnpm lint
$ AWS_REGION=us-east-1 pnpm -r test --if-present

• Ava: 65 tests passed (3 packages)
• reviewChanges skipped: tarball strictness warning - intentionally enforced tarballs.length === 1 per PR review request to avoid publishing the wrong artifact.
• reviewChanges skipped: registry default/always-pass --registry warnings - this PR intentionally forces deterministic publishing to the npm registry (unless overridden) per reviewer direction.

[charliecreates]

Main concern: the workflow currently checks out ref: master, which can publish a different commit than the one that triggered the run—this is a release integrity problem. In versioner.ts, tarball selection is under-specified (first match wins) and should enforce exactly one artifact to avoid publishing the wrong file. Consider using fetch-depth: 0 for tag/history-dependent release tooling and explicitly pinning the npm registry during npm publish for safer CI behavior.

Summary of changes

What changed

GitHub Actions release workflow

• Added top-level permissions: contents: read and job-level permissions: contents: write + id-token: write to enable OIDC-based publishing.
• Modernized actions:
  • actions/checkout@v1 → actions/checkout@v4 with fetch-tags: true and fetch-depth: 100.
  • actions/setup-node@v1 → actions/setup-node@v4 and Node 18 → 20.
• Removed the custom “Checkout Master” shell step and instead checks out ref: master directly.
• Added an OIDC Preflight step that fails early if ACTIONS_ID_TOKEN_REQUEST_URL/TOKEN are missing.
• Removed NPM_TOKEN/NODE_AUTH_TOKEN from the publish step env.

npm configuration

• Removed token-based auth line (//registry.npmjs.org/:_authToken=${NPM_TOKEN}) and added a comment indicating CI publishing uses OIDC Trusted Publisher.

@dot/versioner publish mechanics

• Replaced pnpm publish with:
  • pnpm pack --pack-destination <tempdir>
  • pnpm dlx npm@11.5.1 publish ... <tarball>
• Automatically adds --provenance when running in GitHub Actions OIDC environment.
• Ensures temp pack directory cleanup via finally.

[charliecreates]

readdirSync(packDir).filter(...); const [tarball] = tarballs; silently picks the first .tgz if multiple exist. That can publish the wrong artifact (e.g., leftover files if packDir is reused unexpectedly, or if pnpm pack ever emits more than one tarball). You should validate that exactly one tarball is present and fail otherwise.

Also consider sorting to make the selection deterministic if you intentionally support multiple outputs later.

Suggestion

Tighten the tarball discovery to be explicit and deterministic:

const tarballs = readdirSync(packDir)
  .filter((file) => file.endsWith('.tgz'))
  .sort();

if (tarballs.length !== 1) {
  throw new Error(
    `Expected exactly 1 packed tarball in ${packDir}, found ${tarballs.length}: ${tarballs.join(', ')}`
  );
}

const tarballPath = join(packDir, tarballs[0]);

Reply with "@CharlieHelps yes please" if you'd like me to add a commit with this suggestion.

[shellscape]

@CharlieHelps yes please

[charliecreates]

Expand this to see my work.

• Previously documented the maintainer-approved changes to publish in packages/versioner/src/versioner.ts, including DEFAULT_NPM_REGISTRY, normalizeRegistry, isValidRegistry, stricter tarball error messaging, and the updated .github/workflows/release.yml OIDC/npm setup for PR #6.
• Updated packages/versioner/src/versioner.ts so publish derives and normalizes the registry internally from registryOverride or DEFAULT_NPM_REGISTRY, always passes --registry explicitly to pnpm dlx, and tightened CLI validation and error messages around the --registry argument.
• Enhanced tarball selection in publish to require exactly one .tgz file and throw a detailed error including packDir, cwd, and the discovered tarball list when the count is not 1.
• Adjusted the call site to await publish(cwd); after pull() so it relies on the internal registry resolution logic, then confirmed all merge conflict markers were removed from packages/versioner/src/versioner.ts.
• Completed an interactive rebase preserving fix(repo,versioner): harden npm publish while skipping the redundant fix(versioner): validate registry arg commit once its logic was folded into the resolved publish implementation.
• Verified the post-rebase history with git log --oneline --graph -n 10 (showing d145af1 fix(repo,versioner): harden npm publish on fix/versioner/npm-oidc-publish) and confirmed the expected normalizeRegistry, --registry usage, and improved tarball error are present in packages/versioner/src/versioner.ts.
• Inspected .github/workflows/release.yml to ensure the OIDC-based npm publish job (with actions/setup-node@v4, id-token: write, fetch-depth: 0, and pnpm build/install steps) remains aligned with the hardened publish behavior in versioner.
• Rebased fix/versioner/npm-oidc-publish onto remote commit 3ce093e, resolving the conflict in packages/versioner/src/versioner.ts to keep both the {grey Registry:} log.info line and inline .replace(/\/+$/, '') behavior alongside the stricter registry validation and tarball checks, then pushed updated commit 85a0689.
• Ran pnpm -r build && pnpm lint && AWS_REGION=us-east-1 pnpm -r test --if-present successfully, with all workspace builds and tests passing and only the known no-param-reassign warning in packages/cdk/src/methods/security.ts, confirming the latest versioner changes are clean.
• Requested fresh review and assignment on PR #6 via gh pr edit 6 --add-assignee shellscape --add-reviewer shellscape --add-reviewer CharlieHelps, re-ran CI=1 pnpm install --frozen-lockfile to validate workspace prepare hooks (including packages/versioner build) in a CI-like environment, and confirmed with git status that the working tree is clean and only behind origin/fix/versioner/npm-oidc-publish by one remote commit (no local changes).

[charliecreates]

#6 (comment)
#6 (comment)

Applied the requested changes on PR #6.

Changes

• @dot/versioner now sorts .tgz artifacts from pnpm pack and fails unless exactly one tarball is produced (to avoid publishing the wrong artifact).
• @dot/versioner publish supports --registry (defaults to https://registry.npmjs.org), logs the chosen registry, and rejects empty/whitespace values.
• .github/workflows/release.yml now checks out the triggering ref (no ref: master) and uses fetch-depth: 0 for tag/history-dependent release logic.

Verification

# Install
$ CI=1 pnpm install --frozen-lockfile

# Build
$ pnpm -r build

# Lint (1 warning)
$ pnpm lint

# Tests
$ AWS_REGION=us-east-1 pnpm -r test --if-present

• Ava: 65 tests passed (3 packages)

[charliecreates]

The workflow currently checks out ref: master, which can cause publishing a commit that is not the one that triggered the run—this is a release integrity risk. The checkout depth is capped at 100, which is brittle for tag/history-based release tooling and should be fetch-depth: 0. In versioner.ts, tarball discovery picks the first .tgz and should enforce exactly one artifact to avoid publishing the wrong package.

Summary of changes

Summary

This PR updates the release pipeline and @dot/versioner publishing flow to use npm Trusted Publisher via GitHub OIDC instead of token-based auth.

GitHub Actions (.github/workflows/release.yml)

• Adds workflow/job permissions (contents + id-token) needed for OIDC.
• Modernizes actions: actions/checkout@v4, actions/setup-node@v4, and bumps Node 18 → 20.
• Adds PNPM setup earlier in the job.
• Adds an OIDC preflight step to fail early when OIDC env vars are missing.
• Removes NPM_TOKEN/NODE_AUTH_TOKEN from the publish step.

npm configuration (.npmrc)

• Removes token-based auth configuration and documents that CI publishing uses OIDC.

Versioner publish implementation (packages/versioner/src/versioner.ts)

• Replaces pnpm publish with pnpm pack to a temp directory and pnpm dlx npm@11.5.1 publish.
• Adds --provenance when OIDC env vars are present.
• Adds --registry support with a default of https://registry.npmjs.org/ and logs the chosen registry.
• Ensures temp pack directory cleanup via finally.

[shellscape]

@CharlieHelps are you checking the type of argv.registry here twice unnecessarily? this is very sloppy

[charliecreates]

Investigating this PR comment about the duplicated argv.registry type checks and I’m likely to propose a cleaner single-check version that keeps the same safety guarantees.

Updated: Jan 11, 20:31 UTC
I’m working and can’t be interrupted or see replies—feel free to start another task with me while I finish.

[charliecreates]

Expand this to see my work.

• Clarified the reviewer’s concern about the duplicate argv.registry checks in packages/versioner/src/versioner.ts so the response can focus on simplifying validation without changing behavior.
• Opened the surrounding publish logic in packages/versioner/src/versioner.ts to pinpoint where argv.registry was being both type-checked and then re-checked via a conditional expression.
• Introduced a single const registryOverrideRaw = argv.registry; in publish and updated the type guard to if (registryOverrideRaw != null && typeof registryOverrideRaw !== 'string') so the type check happens once on a stable value.
• Adjusted the TypeError message to report typeof registryOverrideRaw and registryOverrideRaw instead of reading from argv.registry again, keeping the error consistent with the new local variable.
• Replaced const registryOverride = typeof argv.registry === 'string' ? argv.registry.trim() : null; with const registryOverride = registryOverrideRaw == null ? null : registryOverrideRaw.trim(); to avoid re-checking the type while preserving trimming behavior.
• Re-verified the updated block via git diff to confirm that the only changes to publish are the new registryOverrideRaw variable, the consolidated type check, and the adjusted error message/trim logic.
• Committed the refinement as fix(versioner): simplify --registry validation on branch fix/versioner/npm-oidc-publish, which updates only packages/versioner/src/versioner.ts with a small, focused diff and passed the pre-commit lint-staged/eslint --fix --cache checks.
• Ran pnpm lint successfully, with the only reported issue being an existing no-param-reassign warning in packages/cdk/src/methods/security.ts and no new problems introduced by the versioner changes.
• Executed AWS_REGION=us-east-1 pnpm -r test --if-present, confirming all existing package tests (including packages/log, packages/access, and packages/config) pass despite pre-existing client.send TypeScript errors in packages/config’s src/aws.ts during its pretest build step.
• Pushed the updated branch fix/versioner/npm-oidc-publish to origin so PR #6 now includes the cleaned-up argv.registry handling and is ready for the reviewer to re-check.

[charliecreates]

#6 (comment)

Good catch — yep, that was redundant. I refactored the --registry validation to read argv.registry once (registryOverrideRaw), type-check it once, then trim/validate without a second typeof check. Fix is in 60b10d0.

Changes

• Deduped argv.registry handling in publish() by caching argv.registry and reusing it for both the type guard and trimming.
• Updated the TypeError message to reference the cached value (so the code path reads cleanly without re-checking argv.registry).

Verification

$ pnpm install --frozen-lockfile

$ pnpm -r build
# tsc: 3 errors in @dot/config, 4 errors in @dot/cdk (preexisting; build script exits 0)

$ pnpm lint
# ESLint: 1 warning (no-param-reassign) in packages/cdk/src/methods/security.ts (preexisting)

$ AWS_REGION=us-east-1 pnpm -r test --if-present
# Ava: 65 tests passed (3 packages)

[charliecreates]

The publish flow is materially safer (strict tarball selection + explicit --registry), but the --registry normalization is unnecessarily duplicated and should be simplified for maintainability. Also, provenance is currently optional based on env detection; if OIDC/provenance is a policy requirement for CI, publish() should fail fast (or at least warn) when OIDC vars are absent to avoid silent non-provenanced releases.

Summary of changes

What changed

GitHub Actions release workflow (.github/workflows/release.yml)

• Added top-level permissions: contents: read and job-level permissions including id-token: write to enable OIDC.
• Modernized actions (actions/checkout@v4, actions/setup-node@v4) and bumped Node 18 → 20.
• Switched checkout to a full history/tag fetch via fetch-depth: 0 + fetch-tags: true.
• Moved PNPM setup earlier in the job.
• Added an OIDC Preflight bash step to fail early if OIDC env vars are missing.
• Removed token-based auth env vars (NPM_TOKEN/NODE_AUTH_TOKEN) from the publish step.

npm config (.npmrc)

• Removed token-based auth line and documented that CI publishing uses GitHub OIDC / npm Trusted Publisher.

@dot/versioner publishing (packages/versioner/src/versioner.ts)

• Replaced pnpm publish with pnpm pack to a temp directory and pnpm dlx npm@11.5.1 publish.
• Added --registry support (default https://registry.npmjs.org), normalizes trailing slashes, and logs the chosen registry.
• Hardened artifact selection by requiring exactly one packed .tgz tarball.
• Added conditional --provenance when OIDC env vars are present.
• Ensured temp directory cleanup via finally + rmSync(..., { recursive: true, force: true }).

[charliecreates]

The main issue is incorrect/underspecified --registry validation in publish(): using truthiness (argv.registry && ... and argv.registry || ...) can silently bypass validation and/or fall back to the default registry, contradicting the PR’s stated behavior. Additionally, --provenance is optional based on env detection; given the workflow enforces OIDC, publish() should fail fast (or at least warn) in CI when OIDC vars are missing to avoid silent non-provenanced releases.

Summary of changes

Summary of changes

GitHub Actions release workflow (.github/workflows/release.yml)

• Added top-level workflow permissions: contents: read and job-level permissions: contents: write + id-token: write to enable GitHub OIDC.
• Updated checkout to actions/checkout@v4 with fetch-depth: 0 and fetch-tags: true (full history + tags).
• Updated Node setup to actions/setup-node@v4 and bumped Node from 18 → 20.
• Reordered PNPM setup earlier in the job.
• Added an OIDC Preflight step to fail early if ACTIONS_ID_TOKEN_REQUEST_URL/TOKEN aren’t present.
• Removed token-based env vars (NPM_TOKEN / NODE_AUTH_TOKEN) from the publish step.

npm configuration (.npmrc)

• Removed token-based auth config line and documented that CI publishing uses OIDC Trusted Publisher, while local publishing uses ~/.npmrc.

Versioner publishing (packages/versioner/src/versioner.ts)

• Switched from pnpm publish to pnpm pack into a temp dir + pnpm dlx npm@11.5.1 publish.
• Added --registry support with default https://registry.npmjs.org and included the registry in publish logs.
• Hardened packed artifact selection by requiring exactly one .tgz tarball.
• Added conditional --provenance based on presence of GitHub OIDC env vars.
• Ensured temp pack directory cleanup via finally + rmSync(..., { recursive: true, force: true }).