fix: use pnpm 11 for OIDC publishing + add manual publish trigger#20
Merged
Conversation
OIDC trusted publishing landed only in pnpm 11.x (v11.0.7+); pnpm 10.19.0 has no OIDC code path, so the publish step ran unauthenticated and npm returned a masked 404. Bump packageManager to pnpm@11.10.0 (latest, past the closed #11513 OIDC regression). Verified the existing lockfile installs cleanly under pnpm 11 (--frozen-lockfile, same lockfileVersion). Also add a workflow_dispatch trigger so the publish job can be run on demand against the current package versions, without cutting a new release each time.
pnpm 11 promotes ignored build scripts from a warning to a hard error (ERR_PNPM_IGNORED_BUILDS), failing 'pnpm install --frozen-lockfile' in CI. Declare esbuild (needed by tsx) as an allowed build in pnpm-workspace.yaml.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
With everything else fixed, the publish step still 404s at the npm auth layer:
Root cause: OIDC trusted publishing was only added to pnpm in the 11.x line (changelog entries first appear at v11.0.7). pnpm 10.19.0 — which #12/#17 pinned — has no OIDC code path, so it published unauthenticated and npm masked the rejection as a 404. (The
10.19.1-oidc-testtag was a throwaway test build, not the stable feature.)Fix
packageManager→pnpm@11.10.0(latest; past the now-closed #11513 OIDC-on-pnpm-11 regression). The workflows already read the version frompackageManager(noversion:pins after ci: single-source the pnpm version via packageManager #17).pnpm install --frozen-lockfile(CI=true) — samelockfileVersion, no regeneration needed.workflow_dispatchtrigger + condition on the publish job so we can run the OIDC publish on demand against the already-pending0.1.1versions, without manufacturing newfix:commits.Context
@ambosstech/core@0.1.1and@ambosstech/payments@0.1.1are pending (npm only has0.0.1); once auth works they publish as-is.Test plan
After merge, trigger the
release-pleaseworkflow via workflow_dispatch and confirm thepublishjob uploads both packages via OIDC.