From 190b847e2fbb19ebeacf2f4cf56222a2f8389c63 Mon Sep 17 00:00:00 2001 From: James Kebinger Date: Thu, 20 Nov 2025 16:05:29 -0600 Subject: [PATCH 01/15] Re-enable corepack after npm upgrade for prepack script --- .github/workflows/release.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3b4c99e..02b16d3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -79,7 +79,11 @@ jobs: - run: yarn install --immutable - run: yarn build - name: Upgrade npm for OIDC trusted publishing - run: npm install -g npm@latest + run: | + npm install -g npm@latest + # Re-enable corepack after npm upgrade (npm install -g disables it) + corepack enable + corepack prepare yarn@4.10.3 --activate - name: Publish to npm run: | # Use npm CLI directly - requires npm >= 11.5.1 for OIDC trusted publishing From 5b6ad257168c95670d5427ef86de0171b1201e5c Mon Sep 17 00:00:00 2001 From: James Kebinger Date: Thu, 20 Nov 2025 16:08:36 -0600 Subject: [PATCH 02/15] Enable workflow to run on pull requests for testing --- .github/workflows/release.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 02b16d3..7f5d406 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,6 +2,8 @@ name: Release Package on: push: branches: [main] + pull_request: + branches: [main] jobs: check-version: runs-on: ubuntu-latest From 0413affe33216ef29609a8389df7703636665879 Mon Sep 17 00:00:00 2001 From: James Kebinger Date: Thu, 20 Nov 2025 16:10:40 -0600 Subject: [PATCH 03/15] Run yarn readme before npm upgrade and skip lifecycle scripts during publish --- .github/workflows/release.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7f5d406..1563294 100644 --- a/.github/workflows/release.yml 
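Review bot: `npm install -g npm@latest` in the rewritten `run: |` block is unpinned, so the job that publishes the package installs whatever npm is current at release time. A broken or compromised npm release would then run with this job's publishing identity. The comment on the publish step only requires npm >= 11.5.1, so pin an exact version that satisfies it, for example `npm install -g npm@11.5.1`, and bump it deliberately. PATCH 03/15 re-adds the same unpinned install as a single-line `run:`.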
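Review bot: Adding `pull_request` under `on:` makes every job in this release workflow eligible to run against unmerged pull-request code, including the publish step shown in the other hunks of this series. If the trigger is only there for testing, guard the publishing jobs with `if: github.event_name == 'push'`, or test through a `workflow_dispatch` dry run, so a PR from a branch in this repository cannot publish or tag a release before review. Whether the jobs already carry such a guard is not visible in this hunk.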
+++ b/.github/workflows/release.yml @@ -80,13 +80,14 @@ jobs: ${{ runner.os }}-yarn- - run: yarn install --immutable - run: yarn build + - name: Prepare package for publishing + run: yarn readme - name: Upgrade npm for OIDC trusted publishing - run: | - npm install -g npm@latest - # Re-enable corepack after npm upgrade (npm install -g disables it) - corepack enable - corepack prepare yarn@4.10.3 --activate + run: npm install -g npm@latest - name: Publish to npm + env: + # Skip prepack script since we already ran yarn readme + NPM_CONFIG_IGNORE_SCRIPTS: true run: | # Use npm CLI directly - requires npm >= 11.5.1 for OIDC trusted publishing # Yarn 4.10.3 OIDC support appears broken despite all env vars being set correctly From 631de6a998d3a2e45c1c11e1a8bc8afbd145a8b2 Mon Sep 17 00:00:00 2001 From: James Kebinger Date: Thu, 20 Nov 2025 16:11:24 -0600 Subject: [PATCH 04/15] Upgrade to Yarn 4.11.0 for better OIDC support and use provenance --- .github/workflows/release.yml | 16 ++++------------ package.json | 2 +- 2 files changed, 5 insertions(+), 13 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1563294..41a567c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -70,7 +70,7 @@ jobs: - name: enable corepack run: | corepack enable - corepack prepare yarn@4.10.3 --activate + corepack prepare yarn@4.11.0 --activate - name: cache yarn dependencies uses: actions/cache@v4 with: 
@@ -80,21 +80,13 @@ jobs: ${{ runner.os }}-yarn- - run: yarn install --immutable - run: yarn build - - name: Prepare package for publishing - run: yarn readme - - name: Upgrade npm for OIDC trusted publishing - run: npm install -g npm@latest - name: Publish to npm - env: - # Skip prepack script since we already ran yarn readme - NPM_CONFIG_IGNORE_SCRIPTS: true run: | - # Use npm CLI directly - requires npm >= 11.5.1 for OIDC trusted publishing - # Yarn 4.10.3 OIDC support appears broken despite all env vars being set correctly + # Yarn 4.11.0 with OIDC trusted publishing if [ "${{ needs.check-version.outputs.is-prerelease }}" == "true" ]; then - npm publish --provenance --access public --tag ${{ needs.check-version.outputs.npm-tag }} + yarn npm publish --provenance --access public --tag ${{ needs.check-version.outputs.npm-tag }} else - npm publish --provenance --access public + yarn npm publish --provenance --access public fi create-release: diff --git a/package.json b/package.json index d1c400c..c3ff0d2 100644 --- a/package.json +++ b/package.json @@ -1,5 +1,5 @@ { - "packageManager": "yarn@4.10.3", + "packageManager": "yarn@4.11.0", "name": "@reforge-com/cli", "version": "0.0.9", "author": "Jeffrey Chupp @semanticart", From b3fcb1ce254fdd0bef11a4ba9983133f025e2523 Mon Sep 17 00:00:00 2001 From: James Kebinger Date: Thu, 20 Nov 2025 16:20:03 -0600 Subject: [PATCH 05/15] Add yarn version output before publishing --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 41a567c..bde8253 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
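Review bot: The new `yarn npm publish --provenance --access public --tag ${{ needs.check-version.outputs.npm-tag }}` line splices the expression into the script text before bash parses it, so any shell metacharacters in that output would be executed rather than passed as a tag value. How `npm-tag` is computed is outside this hunk; if it derives from the version string in package.json or from a ref name, pass it through the environment instead: add `env:` with `NPM_TAG: ${{ needs.check-version.outputs.npm-tag }}` to the step and call `--tag "$NPM_TAG"`. The unchanged `if [ "${{ needs.check-version.outputs.is-prerelease }}" == "true" ]` line has the same shape, and so do the publish lines rewritten in PATCH 08/15.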
@@ -82,6 +82,7 @@ jobs: - run: yarn build - name: Publish to npm run: | + echo "Yarn version: $(yarn --version)" # Yarn 4.11.0 with OIDC trusted publishing if [ "${{ needs.check-version.outputs.is-prerelease }}" == "true" ]; then yarn npm publish --provenance --access public --tag ${{ needs.check-version.outputs.npm-tag }} From 0d9e2d5cc54495ee0e01b9aa754fa90a3ac15f59 Mon Sep 17 00:00:00 2001 From: James Kebinger Date: Thu, 20 Nov 2025 16:21:09 -0600 Subject: [PATCH 06/15] Add explicit scope configuration for @reforge-com packages --- .yarnrc.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.yarnrc.yml b/.yarnrc.yml index e5a48c2..be21557 100644 --- a/.yarnrc.yml +++ b/.yarnrc.yml @@ -1,2 +1,7 @@ nodeLinker: node-modules npmRegistryServer: 'https://registry.npmjs.org' + +npmScopes: + reforge-com: + npmRegistryServer: "https://registry.npmjs.org" + npmPublishRegistry: "https://registry.npmjs.org" From 897348ebf86acafa98dbdd655a7132198e5cfaf6 Mon Sep 17 00:00:00 2001 From: James Kebinger Date: Thu, 20 Nov 2025 16:26:59 -0600 Subject: [PATCH 07/15] Add npm publish registry too --- .yarnrc.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.yarnrc.yml b/.yarnrc.yml index be21557..584c2af 100644 --- a/.yarnrc.yml +++ b/.yarnrc.yml @@ -1,5 +1,6 @@ nodeLinker: node-modules npmRegistryServer: 'https://registry.npmjs.org' +npmPublishRegistry: "https://registry.npmjs.org" npmScopes: reforge-com: From f356c9a67fdadcea0e0ea5da8c09fda4d06584c5 Mon Sep 17 00:00:00 2001 From: James Kebinger Date: Thu, 20 Nov 2025 16:30:02 -0600 Subject: [PATCH 08/15] Remove --provenance flag to test basic OIDC auth first --- .github/workflows/release.yml | 4 ++-- .yarnrc.yml | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bde8253..aca5c66 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -85,9 +85,9 @@ jobs: echo "Yarn version: $(yarn --version)" # Yarn 4.11.0 with OIDC trusted publishing if [ "${{ needs.check-version.outputs.is-prerelease }}" == "true" ]; then - yarn npm publish --provenance --access public --tag ${{ needs.check-version.outputs.npm-tag }} + yarn npm publish --access public --tag ${{ needs.check-version.outputs.npm-tag }} else - yarn npm publish --provenance --access public + yarn npm publish --access public fi create-release: diff --git a/.yarnrc.yml b/.yarnrc.yml index 584c2af..529120e 100644 --- a/.yarnrc.yml +++ b/.yarnrc.yml @@ -1,4 +1,7 @@ nodeLinker: node-modules + +npmPublishProvenance: true + npmRegistryServer: 'https://registry.npmjs.org' npmPublishRegistry: "https://registry.npmjs.org" From 8ee5be199348461134b9a61d5190ee691701aa86 Mon Sep 17 00:00:00 2001 From: James Kebinger Date: Thu, 20 Nov 2025 16:33:59 -0600 Subject: [PATCH 09/15] Add comprehensive OIDC debug output based on Yarn implementation --- .github/workflows/release.yml | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index aca5c66..0f75208 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -80,9 +80,31 @@ jobs: ${{ runner.os }}-yarn- - run: yarn install --immutable - run: yarn build - - name: Publish to npm + - name: Debug OIDC environment for Yarn run: | + echo "=== Yarn OIDC Debug Info ===" echo "Yarn version: $(yarn --version)" + echo "" + echo "CI environment variables:" + echo " CI: ${CI:-not set}" + echo " GITHUB_ACTIONS: ${GITHUB_ACTIONS:-not set}" + echo " GITLAB: ${GITLAB:-not set}" + echo "" + echo "GitHub Actions OIDC variables:" + echo " ACTIONS_ID_TOKEN_REQUEST_URL: $([[ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]] && echo "SET" || echo "NOT SET")" + echo " ACTIONS_ID_TOKEN_REQUEST_TOKEN: $([[ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]] && echo "SET" || echo "NOT SET")" + echo "" + echo "GitLab OIDC variables:" + echo " NPM_ID_TOKEN: $([[ -n "$NPM_ID_TOKEN" ]] && echo "SET" || echo "NOT SET")" + echo "" + echo "Package info:" + echo " Name: $(jq -r '.name' package.json)" + echo " Scope: @reforge-com" + echo "" + echo "Yarn registry config:" + cat .yarnrc.yml + - name: Publish to npm + run: | # Yarn 4.11.0 with OIDC trusted publishing if [ "${{ needs.check-version.outputs.is-prerelease }}" == "true" ]; then yarn npm publish --access public --tag ${{ needs.check-version.outputs.npm-tag }} From 0e2fae3b58514605bda4cbbf7738215034416b11 Mon Sep 17 00:00:00 2001 From: James Kebinger Date: Thu, 20 Nov 2025 16:34:52 -0600 Subject: [PATCH 10/15] Remove GitLab-specific debug output --- .github/workflows/release.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0f75208..a4f32bd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -88,15 +88,11 @@ jobs: echo "CI environment variables:" echo " CI: ${CI:-not set}" echo " GITHUB_ACTIONS: ${GITHUB_ACTIONS:-not set}" - echo " GITLAB: ${GITLAB:-not set}" echo "" echo "GitHub Actions OIDC variables:" echo " ACTIONS_ID_TOKEN_REQUEST_URL: $([[ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]] && echo "SET" || echo "NOT SET")" echo " ACTIONS_ID_TOKEN_REQUEST_TOKEN: $([[ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]] && echo "SET" || echo "NOT SET")" echo "" - echo "GitLab OIDC variables:" - echo " NPM_ID_TOKEN: $([[ -n "$NPM_ID_TOKEN" ]] && echo "SET" || echo "NOT SET")" - echo "" echo "Package info:" echo " Name: $(jq -r '.name' package.json)" echo " Scope: @reforge-com" From b45ed45120dac09ae593cf9d8636bce049a958ed Mon Sep 17 00:00:00 2001 From: James Kebinger Date: Thu, 20 Nov 2025 16:35:11 -0600 Subject: [PATCH 11/15] Add OIDC token fetch test to debug silent failures --- .github/workflows/release.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a4f32bd..1ba3867 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -99,6 +99,22 @@ jobs: echo "" echo "Yarn registry config:" cat .yarnrc.yml + echo "" + echo "=== Testing OIDC Token Fetch ===" + if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" && -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]]; then + echo "Attempting to fetch OIDC token for audience: npm:registry.npmjs.org" + RESPONSE=$(curl -sSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ + "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npm:registry.npmjs.org" 2>&1) + if [[ $? -eq 0 ]]; then + echo "Token fetch successful!" + echo "Response contains 'value' field: $(echo "$RESPONSE" | jq -r 'has("value")')" + else + echo "Token fetch FAILED!" + echo "Error: $RESPONSE" + fi + else + echo "Cannot test token fetch - required env vars not set" + fi - name: Publish to npm run: | # Yarn 4.11.0 with OIDC trusted publishing 
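Review bot: In the PATCH 11/15 hunk, the `if [[ $? -eq 0 ]]` test after `curl -sSL` only detects transport failures because `--fail` is not passed, so a 4xx/5xx reply from the token endpoint still prints "Token fetch successful!". The trailing `2>&1` also folds curl's stderr into `RESPONSE`, which is then handed to `jq`. Use `curl -fsSL` and drop the `2>&1`, so the two branches mean what they print. On success `RESPONSE` holds a live ID token that, as far as I can tell, the runner does not mask automatically when it is fetched with raw curl, so it should never reach an `echo`.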
From f2ebb46280a7f80645c06b25b39edc2b236fe6d0 Mon Sep 17 00:00:00 2001 From: James Kebinger Date: Thu, 20 Nov 2025 16:36:27 -0600 Subject: [PATCH 12/15] Add full OIDC flow test: ID token fetch + NPM token exchange --- .github/workflows/release.yml | 36 ++++++++++++++++++++++++++++++----- 1 file changed, 31 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1ba3867..1fab198 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -100,16 +100,42 @@ jobs: echo "Yarn registry config:" cat .yarnrc.yml echo "" - echo "=== Testing OIDC Token Fetch ===" + echo "=== Testing OIDC Token Fetch (Step 1: Get ID Token) ===" if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" && -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]]; then - echo "Attempting to fetch OIDC token for audience: npm:registry.npmjs.org" + echo "Attempting to fetch OIDC ID token for audience: npm:registry.npmjs.org" RESPONSE=$(curl -sSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npm:registry.npmjs.org" 2>&1) if [[ $? -eq 0 ]]; then - echo "Token fetch successful!" - echo "Response contains 'value' field: $(echo "$RESPONSE" | jq -r 'has("value")')" + echo "✓ ID token fetch successful!" + ID_TOKEN=$(echo "$RESPONSE" | jq -r '.value') + if [[ "$ID_TOKEN" != "null" && -n "$ID_TOKEN" ]]; then + echo "✓ ID token extracted (length: ${#ID_TOKEN})" + + echo "" + echo "=== Testing OIDC Token Exchange (Step 2: Exchange for NPM token) ===" + PACKAGE_NAME=$(jq -r '.name' package.json | sed 's/^@/%40/') + EXCHANGE_URL="https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/${PACKAGE_NAME}" + echo "Exchange URL: $EXCHANGE_URL" + + EXCHANGE_RESPONSE=$(curl -sSL -w "\nHTTP_STATUS:%{http_code}" \ + -H "Authorization: Bearer $ID_TOKEN" \ + -X POST "$EXCHANGE_URL" 2>&1) + HTTP_STATUS=$(echo "$EXCHANGE_RESPONSE" | grep "HTTP_STATUS:" | cut -d: -f2) + BODY=$(echo "$EXCHANGE_RESPONSE" | sed '/HTTP_STATUS:/d') + + echo "HTTP Status: $HTTP_STATUS" + if [[ "$HTTP_STATUS" == "200" ]]; then + echo "✓ Token exchange successful!" + echo "Response has 'token' field: $(echo "$BODY" | jq -r 'has("token")')" + else + echo "✗ Token exchange FAILED!" + echo "Response: $BODY" + fi + else + echo "✗ No ID token in response!" + fi else - echo "Token fetch FAILED!" + echo "✗ ID token fetch FAILED!" echo "Error: $RESPONSE" fi else From 27e1910c4580653de6066a3ec86ac08ea4513b54 Mon Sep 17 00:00:00 2001 
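Review bot: This diagnostic step now extracts the ID token into `ID_TOKEN` and exchanges it at the registry for what should be a publish-capable token for the package, on every run of the workflow, which PATCH 02/15 extended to pull requests. Neither value is registered with the log masker, so add `echo "::add-mask::$ID_TOKEN"` right after the `jq -r '.value'` line and mask the `.token` field of `BODY` the same way before anything else is echoed. It would be safer to keep the exchange out of the release job and let `yarn npm publish` perform it, leaving the debug step to report only whether the request variables are set. PATCH 13/15 repeats the exchange twice with the same pattern.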
From: James Kebinger Date: Thu, 20 Nov 2025 16:41:09 -0600 Subject: [PATCH 13/15] Test both URL encodings for OIDC token exchange --- .github/workflows/release.yml | 34 ++++++++++++++++++++++++---------- 1 file changed, 24 insertions(+), 10 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1fab198..149f303 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -113,23 +113,37 @@ jobs: echo "" echo "=== Testing OIDC Token Exchange (Step 2: Exchange for NPM token) ===" - PACKAGE_NAME=$(jq -r '.name' package.json | sed 's/^@/%40/') - EXCHANGE_URL="https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/${PACKAGE_NAME}" - echo "Exchange URL: $EXCHANGE_URL" + RAW_NAME=$(jq -r '.name' package.json) + echo "Testing with Yarn's URL encoding (@reforge-com -> %40reforge-com)" + YARN_ENCODED=$(echo "$RAW_NAME" | sed 's/^@/%40/') + EXCHANGE_URL_YARN="https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/${YARN_ENCODED}" + echo "Yarn URL: $EXCHANGE_URL_YARN" EXCHANGE_RESPONSE=$(curl -sSL -w "\nHTTP_STATUS:%{http_code}" \ -H "Authorization: Bearer $ID_TOKEN" \ - -X POST "$EXCHANGE_URL" 2>&1) + -X POST "$EXCHANGE_URL_YARN" 2>&1) HTTP_STATUS=$(echo "$EXCHANGE_RESPONSE" | grep "HTTP_STATUS:" | cut -d: -f2) BODY=$(echo "$EXCHANGE_RESPONSE" | sed '/HTTP_STATUS:/d') + echo "Yarn encoding - HTTP Status: $HTTP_STATUS" + if [[ "$HTTP_STATUS" != "200" ]]; then + echo "Response: $BODY" + fi + + echo "" + echo "Testing with alternate encoding (@reforge-com/cli as-is)" + EXCHANGE_URL_ALT="https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/${RAW_NAME}" + echo "Alternate URL: $EXCHANGE_URL_ALT" - echo "HTTP Status: $HTTP_STATUS" - if [[ "$HTTP_STATUS" == "200" ]]; then - echo "✓ Token exchange successful!" - echo "Response has 'token' field: $(echo "$BODY" | jq -r 'has("token")')" + EXCHANGE_RESPONSE2=$(curl -sSL -w "\nHTTP_STATUS:%{http_code}" \ + -H "Authorization: Bearer $ID_TOKEN" \ + -X POST "$EXCHANGE_URL_ALT" 2>&1) + HTTP_STATUS2=$(echo "$EXCHANGE_RESPONSE2" | grep "HTTP_STATUS:" | cut -d: -f2) + BODY2=$(echo "$EXCHANGE_RESPONSE2" | sed '/HTTP_STATUS:/d') + echo "Alternate encoding - HTTP Status: $HTTP_STATUS2" + if [[ "$HTTP_STATUS2" == "200" ]]; then + echo "✓ Token exchange successful with alternate encoding!" else - echo "✗ Token exchange FAILED!" 
- echo "Response: $BODY" + echo "Response: $BODY2" fi else echo "✗ No ID token in response!" From 04645c05e292d4446ab4ef4892d021b5bf174a2a Mon Sep 17 00:00:00 2001 From: James Kebinger Date: Thu, 20 Nov 2025 16:46:37 -0600 Subject: [PATCH 14/15] Remove debug code - OIDC working after fixing repo name case --- .github/workflows/release.yml | 75 ----------------------------------- 1 file changed, 75 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 149f303..d19f124 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -80,81 +80,6 @@ jobs: ${{ runner.os }}-yarn- - run: yarn install --immutable - run: yarn build - - name: Debug OIDC environment for Yarn - run: | - echo "=== Yarn OIDC Debug Info ===" - echo "Yarn version: $(yarn --version)" - echo "" - echo "CI environment variables:" - echo " CI: ${CI:-not set}" - echo " GITHUB_ACTIONS: ${GITHUB_ACTIONS:-not set}" - echo "" - echo "GitHub Actions OIDC variables:" - echo " ACTIONS_ID_TOKEN_REQUEST_URL: $([[ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" ]] && echo "SET" || echo "NOT SET")" - echo " ACTIONS_ID_TOKEN_REQUEST_TOKEN: $([[ -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]] && echo "SET" || echo "NOT SET")" - echo "" - echo "Package info:" - echo " Name: $(jq -r '.name' package.json)" - echo " Scope: @reforge-com" - echo "" - echo "Yarn registry config:" - cat .yarnrc.yml - echo "" - echo "=== Testing OIDC Token Fetch (Step 1: Get ID Token) ===" - if [[ -n "$ACTIONS_ID_TOKEN_REQUEST_URL" && -n "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]]; then - echo "Attempting to fetch OIDC ID token for audience: npm:registry.npmjs.org" - RESPONSE=$(curl -sSL -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \ - "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npm:registry.npmjs.org" 2>&1) - if [[ $? -eq 0 ]]; then - echo "✓ ID token fetch successful!" 
- ID_TOKEN=$(echo "$RESPONSE" | jq -r '.value') - if [[ "$ID_TOKEN" != "null" && -n "$ID_TOKEN" ]]; then - echo "✓ ID token extracted (length: ${#ID_TOKEN})" - - echo "" - echo "=== Testing OIDC Token Exchange (Step 2: Exchange for NPM token) ===" - RAW_NAME=$(jq -r '.name' package.json) - echo "Testing with Yarn's URL encoding (@reforge-com -> %40reforge-com)" - YARN_ENCODED=$(echo "$RAW_NAME" | sed 's/^@/%40/') - EXCHANGE_URL_YARN="https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/${YARN_ENCODED}" - echo "Yarn URL: $EXCHANGE_URL_YARN" - - EXCHANGE_RESPONSE=$(curl -sSL -w "\nHTTP_STATUS:%{http_code}" \ - -H "Authorization: Bearer $ID_TOKEN" \ - -X POST "$EXCHANGE_URL_YARN" 2>&1) - HTTP_STATUS=$(echo "$EXCHANGE_RESPONSE" | grep "HTTP_STATUS:" | cut -d: -f2) - BODY=$(echo "$EXCHANGE_RESPONSE" | sed '/HTTP_STATUS:/d') - echo "Yarn encoding - HTTP Status: $HTTP_STATUS" - if [[ "$HTTP_STATUS" != "200" ]]; then - echo "Response: $BODY" - fi - - echo "" - echo "Testing with alternate encoding (@reforge-com/cli as-is)" - EXCHANGE_URL_ALT="https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/${RAW_NAME}" - echo "Alternate URL: $EXCHANGE_URL_ALT" - - EXCHANGE_RESPONSE2=$(curl -sSL -w "\nHTTP_STATUS:%{http_code}" \ - -H "Authorization: Bearer $ID_TOKEN" \ - -X POST "$EXCHANGE_URL_ALT" 2>&1) - HTTP_STATUS2=$(echo "$EXCHANGE_RESPONSE2" | grep "HTTP_STATUS:" | cut -d: -f2) - BODY2=$(echo "$EXCHANGE_RESPONSE2" | sed '/HTTP_STATUS:/d') - echo "Alternate encoding - HTTP Status: $HTTP_STATUS2" - if [[ "$HTTP_STATUS2" == "200" ]]; then - echo "✓ Token exchange successful with alternate encoding!" - else - echo "Response: $BODY2" - fi - else - echo "✗ No ID token in response!" - fi - else - echo "✗ ID token fetch FAILED!" - echo "Error: $RESPONSE" - fi - else - echo "Cannot test token fetch - required env vars not set" - fi - name: Publish to npm run: | # Yarn 4.11.0 with OIDC trusted publishing 
From 1b942b3b237769a793741289ff3daece091f44fd Mon Sep 17 00:00:00 2001 From: James Kebinger Date: Thu, 20 Nov 2025 16:47:47 -0600 Subject: [PATCH 15/15] Remove pull_request trigger - only run on main branch --- .github/workflows/release.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d19f124..6d2e89a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,8 +2,6 @@ name: Release Package on: push: branches: [main] - pull_request: - branches: [main] jobs: check-version: runs-on: ubuntu-latest