6 changes: 5 additions & 1 deletion .github/workflows/npm-publish.yml
Expand Up @@ -18,8 +18,12 @@ jobs:
- uses: actions/checkout@v6.0.2
- uses: actions/setup-node@v6.4.0
with:
node-version: "22" # npm OIDC trusted publishing requires Node >= 22.14.0
node-version: "22"
registry-url: "https://registry.npmjs.org"
- name: Upgrade npm for OIDC trusted publishing
# OIDC trusted publishing needs npm >= 11.5.1; Node 22 still bundles
# npm 10.x, which silently falls back to anonymous publish and 404s.
run: npm install -g npm@latest
- name: Verify tag matches package.json version
run: |
set -e
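Review bot: `run: npm install -g npm@latest` in the new "Upgrade npm for OIDC trusted publishing" step leaves the publishing toolchain unpinned, so each release runs whatever npm CLI the registry serves as latest at that moment, in the job that holds publish rights. The step's own comment gives the floor (npm >= 11.5.1), so install a reviewed version or a bounded range instead, for example `npm install -g npm@11.5.1`, and follow it with `npm --version` so the log records which CLI published. The old `node-version: "22"` line also carried a comment about the Node >= 22.14.0 floor that the new line drops; if that requirement still holds, keep the comment.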
27 changes: 26 additions & 1 deletion CHANGELOG.md
Expand Up @@ -5,6 +5,29 @@ All notable changes to `codeforerunner` are documented here.
The format is loosely based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/);
this project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.4.5] — 2026-05-29

### Added

- **Task Registry** (`src/codeforerunner/tasks.json`) — single source of truth for task identity, scan-exemption policy, the refresh sequence, and installable skill slugs. (#66)
- Node installer (`bin/install.js`) now reads installable skill slugs from the Task Registry instead of a hardcoded list, backed by a Node↔Python parity test and a `node --test` suite wired into CI. (#70)
- Scan-first gate persists across restarts via `.forerunner/` session state and is enforced consistently across the CLI and MCP server. (#56, #68)
- `arch-review` task and skill surface.

### Fixed

- **npm publishing** — the publish workflow now upgrades the npm CLI before publishing. Node 22 bundles npm 10.x, which lacks OIDC trusted-publishing support and silently falls back to anonymous publish (registry returns `404`); OIDC trusted publishing requires npm ≥ 11.5.1. (`.github/workflows/npm-publish.yml`)
- Socket badge version stays in sync on release. (#67)
- Installer shim pins corrected, with future-drift detection.
- Docker login credentials in the publish workflow. (#41)
- `package.json` paths and README install instructions. (#40)

### Changed

- Retired `SPEC.md`; GitHub Issues now own work tracking.
- `CONTEXT.md` and agent docs: added npm release and GitHub Issues glossary terms.
- CodeRabbit automatic review disabled.

## [0.4.4] — 2026-05-26

### Added
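Review bot: the npm publishing entry under Fixed cites a file path (`.github/workflows/npm-publish.yml`) where the neighbouring entries cite issue numbers, and "Installer shim pins corrected, with future-drift detection" and the `arch-review` entry under Added cite nothing. Add the issue or PR reference to each so a reader can trace the change from the changelog.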
Expand Down Expand Up @@ -164,7 +187,9 @@ Initial release-ready surface around the prompt pack.
- `init` and `scan` are honest wrappers over the prompt pack; they emit bundled prompt text to stdout for the calling agent to act on.
- Model invocation is out of scope; `provider` / `model` config fields are honored only by future wrappers.

[Unreleased]: https://github.com/derek-palmer/codeforerunner/compare/v0.3.2...HEAD
[Unreleased]: https://github.com/derek-palmer/codeforerunner/compare/v0.4.5...HEAD
[0.4.5]: https://github.com/derek-palmer/codeforerunner/compare/v0.4.4...v0.4.5
[0.4.4]: https://github.com/derek-palmer/codeforerunner/compare/v0.4.3...v0.4.4
[0.3.2]: https://github.com/derek-palmer/codeforerunner/compare/v0.3.1...v0.3.2
[0.3.1]: https://github.com/derek-palmer/codeforerunner/compare/v0.3.0...v0.3.1
[0.3.0]: https://github.com/derek-palmer/codeforerunner/compare/v0.2.0...v0.3.0
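Review bot: the link references here go from `[0.4.4]` straight to `[0.3.2]`, while the new `[0.4.4]` URL compares against `v0.4.3`, so at least one release in between has no link definition in the visible lines. If the changelog has headings for those versions, add their compare links alongside the two added here, otherwise those headings render as literal bracketed text. Moving the `[Unreleased]` base from `v0.3.2` to `v0.4.5` looks right.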
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -2,7 +2,7 @@

# codeForerunner

[![Socket Badge](https://badge.socket.dev/npm/package/codeforerunner/0.4.4)](https://socket.dev/npm/package/codeforerunner)
[![Socket Badge](https://badge.socket.dev/npm/package/codeforerunner/0.4.5)](https://socket.dev/npm/package/codeforerunner)

Model-agnostic repository documentation tooling. Ships a prompt pack for codebase analysis and doc generation, a thin Python CLI, an MCP server, drift-detection rules that keep docs honest — and native slash-command skills for Claude Code, Codex, Gemini CLI, and other agent CLIs.

Expand Down Expand Up @@ -121,7 +121,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6.0.2
- uses: derek-palmer/codeforerunner@v0.4.4
- uses: derek-palmer/codeforerunner@v0.4.5
with:
fail-on-drift: "true" # set "false" to warn-only
```
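Review bot: the workflow example pins `uses: derek-palmer/codeforerunner@v0.4.5` by tag, which has to be bumped by hand on every release and names a ref that can be re-pointed after the fact. Consider showing the full commit SHA with the version in a trailing comment, or state in the surrounding text that the tag is the supported pin, so readers copying the snippet know what they are trusting.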
4 changes: 2 additions & 2 deletions install.ps1
Expand Up @@ -13,9 +13,9 @@ param([Parameter(ValueFromRemainingArguments=$true)][string[]]$Args)
$ErrorActionPreference = "Stop"

# Security: pinned to a specific version so one-liners don't execute unreviewed code.
$NpmPkg = "codeforerunner@0.4.4"
$NpmPkg = "codeforerunner@0.4.5"
$Repo = "derek-palmer/codeforerunner"
$RepoTag = "v0.4.4"
$RepoTag = "v0.4.5"
$ScriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$LocalJs = Join-Path $ScriptDir "bin\install.js"
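Review bot: `$NpmPkg = "codeforerunner@0.4.5"` and `$RepoTag = "v0.4.5"` repeat the same version in two literals, so a release bump can update one and miss the other (the changelog in this change lists "Installer shim pins corrected"). Define the version once, for example `$Version = "0.4.5"`, and build both values from it.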

4 changes: 2 additions & 2 deletions install.sh
Expand Up @@ -16,9 +16,9 @@ set -euo pipefail

# Security: pinned to a specific version so curl|bash one-liners don't silently
# execute whatever the npm registry or GitHub currently serves as "latest".
NPM_PKG="codeforerunner@0.4.4"
NPM_PKG="codeforerunner@0.4.5"
REPO="derek-palmer/codeforerunner"
REPO_TAG="v0.4.4"
REPO_TAG="v0.4.5"

# Locate bin/install.js relative to this script (works even when piped through bash)
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]:-install.sh}")" 2>/dev/null && pwd || echo "")"
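Review bot: the comment above `NPM_PKG` says the pin keeps the script from executing whatever GitHub currently serves, but `REPO_TAG="v0.4.5"` is a tag name, and a tag can be re-pointed after release. If the script fetches files from GitHub by this ref, pin a commit SHA or verify a checksum of what was downloaded; the npm side is the stronger pin because a published version cannot be overwritten.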
2 changes: 1 addition & 1 deletion package.json
@@ -1,6 +1,6 @@
{
"name": "codeforerunner",
"version": "0.4.4",
"version": "0.4.5",
"description": "Model-agnostic repository documentation tooling — installs /forerunner-* slash commands into 30+ agent CLIs",
"main": "./bin/install.js",
"bin": {
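Review bot: `"version": "0.4.5"` here is the only version literal the publish workflow's "Verify tag matches package.json version" step names, while this change bumps the same string by hand in `pyproject.toml`, `plugins/codex/marketplace.json`, both install scripts and the README. The changelog mentions drift detection for the installer pins and the Socket badge; confirm `pyproject.toml` and `marketplace.json` are covered too, or extend the tag check so a release fails when any of them disagree.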
4 changes: 2 additions & 2 deletions plugins/codex/marketplace.json
Expand Up @@ -4,14 +4,14 @@
"id": "codeforerunner",
"name": "codeforerunner",
"description": "Model-agnostic repo documentation prompts as an installable Codex plugin.",
"version": "0.4.4",
"version": "0.4.5",
"homepage": "https://github.com/derek-palmer/codeforerunner"
},
"plugins": [
{
"id": "codeforerunner",
"name": "codeforerunner",
"version": "0.4.4",
"version": "0.4.5",
"description": "Prompt-first repository documentation skill.",
"source": {
"kind": "git",
2 changes: 1 addition & 1 deletion pyproject.toml
Expand Up @@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"

[project]
name = "codeforerunner"
version = "0.4.4"
version = "0.4.5"
description = "Model-agnostic repository documentation tooling (prompt-first; thin CLI)."
readme = "README.md"
requires-python = ">=3.11"