From bbcf91a06e2f52b86a279bf5fad44a49b1099998 Mon Sep 17 00:00:00 2001 From: Colin McDonnell Date: Sun, 12 Apr 2026 19:02:32 +0000 Subject: [PATCH] fix publish workflow: add build step, use OIDC trusted publishing, bump 0.0.196 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit publish was missing a build step so the npm tarball had no dist/. switch from NPM_TOKEN to OIDC trusted publishing — explicitly unset NODE_AUTH_TOKEN so setup-node's .npmrc doesn't override the OIDC flow. bump version since v0.0.195 tag exists from the failed publish attempt. Made-with: Cursor --- .github/workflows/publish.yml | 7 ++++--- package.json | 2 +- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 2537037..b9073dc 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -34,6 +34,9 @@ jobs: - name: Install dependencies run: pnpm install --frozen-lockfile + - name: Build + run: pnpm build + - name: Get package version id: version run: | @@ -98,9 +101,7 @@ jobs: - name: Publish to npm if: steps.check_tag.outputs.exists == 'false' - run: npm publish --provenance --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + run: NODE_AUTH_TOKEN="" npm publish --provenance --access public - name: Summary if: always() diff --git a/package.json b/package.json index f32c60f..74498f1 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "pullfrog", - "version": "0.0.195", + "version": "0.0.196", "type": "module", "bin": { "pullfrog": "dist/cli.mjs",