From ebf15130690be66304b8f8ba0d0dae039cf4b7ea Mon Sep 17 00:00:00 2001
From: Alex Verkhovsky
Date: Mon, 9 Mar 2026 22:55:07 -0600
Subject: [PATCH] fix: remove duplicate publish workflows (#1883)
* fix: remove duplicate publish workflows
* chore: add publish workflow diagnostics
---
.github/workflows/publish-latest.yaml | 82 ---------------------------
.github/workflows/publish-next.yaml | 65 ---------------------
.github/workflows/publish.yaml | 62 ++++++++++++++++++++
3 files changed, 62 insertions(+), 147 deletions(-)
delete mode 100644 .github/workflows/publish-latest.yaml
delete mode 100644 .github/workflows/publish-next.yaml
diff --git a/.github/workflows/publish-latest.yaml b/.github/workflows/publish-latest.yaml
deleted file mode 100644
index a70dc5738..000000000
--- a/.github/workflows/publish-latest.yaml
+++ /dev/null
@@ -1,82 +0,0 @@ -name: Publish Latest - -on: - workflow_dispatch: - inputs: - bump: - description: "Version bump type" - required: true - default: "patch" - type: choice - options: - - patch - - minor - - major - -concurrency: - group: publish-latest - -permissions: - id-token: write - contents: write - -jobs: - publish: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - with: - fetch-depth: 0 - token: ${{ secrets.GITHUB_TOKEN }} - - - name: Setup Node - uses: actions/setup-node@v4 - with: - node-version-file: ".nvmrc" - cache: "npm" - registry-url: "https://registry.npmjs.org" - - - name: Configure git user - run: | - git config user.name "github-actions[bot]" - git config user.email "github-actions[bot]@users.noreply.github.com" - - - name: Install dependencies - run: npm ci - - - name: Run tests - run: npm test - - - name: Bump version - run: 'npm version ${{ inputs.bump }} -m "chore(release): v%s [skip ci]"' - - - name: Publish to npm - run: npm publish --tag latest --provenance - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - - - name: Push version commit and tag - run: git push origin main --follow-tags - - - name: Create GitHub Release - run: | - TAG="v$(node -p 'require("./package.json").version')" - gh release create "$TAG" --generate-notes - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Notify Discord - continue-on-error: true - run: | - set -o pipefail - source .github/scripts/discord-helpers.sh - [ -z "$WEBHOOK" ] && exit 0 - - VERSION=$(node -p 'require("./package.json").version') - RELEASE_URL="${{ github.server_url }}/${{ github.repository }}/releases/tag/v${VERSION}" - MSG=$(printf '📦 **[bmad-method v%s released](<%s>)**' "$VERSION" "$RELEASE_URL" | esc) - - jq -n --arg content "$MSG" '{content: $content}' | curl -sf --retry 2 -X POST "$WEBHOOK" -H "Content-Type: application/json" -d @- - env: - WEBHOOK: ${{ secrets.DISCORD_WEBHOOK }} 
diff --git a/.github/workflows/publish-next.yaml b/.github/workflows/publish-next.yaml deleted file mode 100644 index 7bf0a4b18..000000000 --- a/.github/workflows/publish-next.yaml +++ /dev/null @@ -1,65 +0,0 @@ -name: Publish Next - -on: - push: - branches: [main] - paths: - - "src/**" - - "tools/cli/**" - - "package.json" - -concurrency: - group: publish-next - cancel-in-progress: true - -permissions: - id-token: write - contents: read - -jobs: - publish: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Setup Node - uses: actions/setup-node@v4 - with: - node-version-file: ".nvmrc" - cache: "npm" - registry-url: "https://registry.npmjs.org" - - - name: Install dependencies - run: npm ci - - - name: Run tests - run: npm test - - - name: Derive next prerelease version - run: | - NEXT_VER=$(npm view bmad-method@next version 2>/dev/null || echo "") - LATEST_VER=$(npm view bmad-method@latest version 2>/dev/null || echo "") - - # Determine the best base version for the next prerelease - BASE=$(node -e " - const semver = require('semver'); - const next = process.argv[1] || null; - const latest = process.argv[2] || null; - if (!next && !latest) process.exit(0); - if (!next) { console.log(latest); process.exit(0); } - if (!latest) { console.log(next); process.exit(0); } - // If latest is newer than next's base, use latest (next prerelease will be based on it) - const nextBase = next.replace(/-next\.\d+$/, ''); - console.log(semver.gt(latest, nextBase) ? latest : next); - " "$NEXT_VER" "$LATEST_VER") - - if [ -n "$BASE" ]; then - npm version "$BASE" --no-git-tag-version --allow-same-version - fi - npm version prerelease --preid=next --no-git-tag-version - - - name: Publish to npm - run: npm publish --tag next --provenance - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml index 3e1dc82e5..305556869 100644 --- a/.github/workflows/publish.yaml 
+++ b/.github/workflows/publish.yaml 
@@ -45,6 +45,57 @@ jobs: cache: "npm" registry-url: "https://registry.npmjs.org" + - name: Debug trusted publishing identity + run: | + echo "GitHub workflow context:" + echo " repository: ${{ github.repository }}" + echo " repository_owner: ${{ github.repository_owner }}" + echo " ref: ${{ github.ref }}" + echo " event_name: ${{ github.event_name }}" + echo " workflow: ${{ github.workflow }}" + echo " workflow_ref: ${{ github.workflow_ref }}" + echo " actor: ${{ github.actor }}" + + WORKFLOW_FILE=$(node -e " + const ref = process.argv[1] || ''; + const match = ref.match(/\.github\/workflows\/([^@]+)@/); + process.stdout.write(match ? match[1] : ''); + " "${{ github.workflow_ref }}") + echo " workflow_filename_for_npm: ${WORKFLOW_FILE:-unknown}" + + echo "OIDC claims (sanitized):" + RESPONSE=$(curl -fsS -H "Authorization: Bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npm:registry.npmjs.org") + ID_TOKEN=$(node -e " + const fs = require('fs'); + const data = JSON.parse(fs.readFileSync(0, 'utf8')); + process.stdout.write(data.value || ''); + " <<<"$RESPONSE") + + node -e " + const token = process.argv[1]; + if (!token) { + console.log(JSON.stringify({ error: 'missing_id_token' }, null, 2)); + process.exit(0); + } + const payloadPart = token.split('.')[1] || ''; + const padded = payloadPart.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (payloadPart.length % 4)) % 4); + const claims = JSON.parse(Buffer.from(padded, 'base64').toString('utf8')); + const out = { + iss: claims.iss, + sub: claims.sub, + aud: claims.aud, + repository: claims.repository, + repository_owner: claims.repository_owner, + workflow: claims.workflow, + workflow_ref: claims.workflow_ref, + job_workflow_ref: claims.job_workflow_ref, + ref: claims.ref, + environment: claims.environment || null, + runner_environment: claims.runner_environment || null, + }; + console.log(JSON.stringify(out, null, 2)); + " "$ID_TOKEN" + - name: Configure git user if: 
github.event_name == 'workflow_dispatch' run: | @@ -84,6 +135,17 @@ jobs: if: github.event_name == 'workflow_dispatch' run: 'npm version ${{ inputs.bump }} -m "chore(release): v%s [skip ci]"' + - name: Debug publish target and registry state + run: | + echo "Local package target:" + node -e " + const pkg = require('./package.json'); + console.log(JSON.stringify({ name: pkg.name, version: pkg.version }, null, 2)); + " + + echo "Registry package view (bmad-method):" + npm view bmad-method name version dist-tags --json || true + - name: Publish prerelease to npm if: github.event_name == 'push' run: npm publish --tag next --provenance
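Review bot: The OIDC token requested in the new "Debug trusted publishing identity" step is never masked and is handed to `node -e` as a command-line argument, so a live token for the `npm:registry.npmjs.org` audience depends entirely on no later command or error path echoing it. Registering it with `echo "::add-mask::$ID_TOKEN"` right after extraction and passing it through the environment keeps it out of logs and out of the process argument list. The step also expands `${{ github.ref }}` and `${{ github.workflow_ref }}` directly into the script text; both include the ref name, which is not limited to shell-safe characters, so they are safer passed through `env:` and referenced as quoted variables. Because the step runs on every publish, consider gating it behind an explicit debug input once trusted publishing is confirmed working. The job's triggers and permissions lie outside this hunk, so how exposed these values are in practice is not visible here.

```yaml
      - name: Debug trusted publishing identity
        env:
          GH_REF: ${{ github.ref }}
          GH_WORKFLOW_REF: ${{ github.workflow_ref }}
        run: |
          # … unchanged: repository, repository_owner, event_name, workflow and actor echoes …
          echo "  ref: $GH_REF"
          echo "  workflow_ref: $GH_WORKFLOW_REF"
          # … WORKFLOW_FILE extraction as before, with "$GH_WORKFLOW_REF" as the node argument …
          # … unchanged: curl request and ID_TOKEN extraction …
          if [ -n "$ID_TOKEN" ]; then
            echo "::add-mask::$ID_TOKEN"
          fi
          export ID_TOKEN
          node -e "
            const token = process.env.ID_TOKEN;
            // … unchanged: claim decoding and sanitized output …
          "
```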
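Review bot: The registry query in the new "Debug publish target and registry state" step hard-codes `bmad-method` while the lines just above it read the name from package.json, so the two halves of the diagnostic can silently describe different packages if the name or scope ever changes. Deriving it once, e.g. `PKG_NAME=$(node -p 'require("./package.json").name')` followed by `npm view "$PKG_NAME" name version dist-tags --json || true`, keeps them tied together. A short comment stating that `|| true` is deliberate, so that a failed registry lookup cannot block the release, would also help the next reader.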