From ecc078104afc0e7fc6b3a140ed85a3d465d1d8b0 Mon Sep 17 00:00:00 2001 From: Shrey Pandya Date: Mon, 30 Mar 2026 17:56:04 -0700 Subject: [PATCH 1/4] ci: fix release workflow for trusted publishing - Upgrade setup-node from v4 to v6 for better OIDC support - Add npm upgrade step for trusted publishing compatibility - Remove NPM_CONFIG_PROVENANCE env var (not needed with OIDC) Matches the pattern used in stagehand and openclaw-browserbase repos. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 1d0a24a..39d1b26 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -24,12 +24,15 @@ jobs: uses: pnpm/action-setup@v4 - name: Setup Node.js - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: "22" cache: "pnpm" registry-url: "https://registry.npmjs.org" + - name: Update npm for Trusted Publishing + run: npm install -g npm@latest + - name: Install dependencies run: pnpm install --frozen-lockfile @@ -37,9 +40,9 @@ jobs: run: pnpm build - name: Create Release Pull Request or Publish to npm + id: changesets uses: changesets/action@v1 with: publish: pnpm release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_CONFIG_PROVENANCE: true From 7d1f1812dbcc7da59d8e64f3b33a20afc53ca41b Mon Sep 17 00:00:00 2001 From: Shrey Pandya Date: Mon, 30 Mar 2026 17:58:12 -0700 Subject: [PATCH 2/4] ci: restore NPM_CONFIG_PROVENANCE for provenance attestation Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 39d1b26..84b8548 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -46,3 +46,4 @@ jobs: publish: pnpm release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + NPM_CONFIG_PROVENANCE: true 
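Review bot: The added step `run: npm install -g npm@latest` installs whatever npm release is current at run time into the job that publishes the package, so the publishing toolchain is neither reproducible nor reviewed. Pin a fixed version at or above the minimum that trusted publishing requires (npm documents 11.5.1), for example `run: npm install -g npm@<PINNED_VERSION>`, and bump it deliberately. The same concern applies to `uses: actions/setup-node@v6` in this hunk and `uses: actions/checkout@v6` in patch 3/4: a tag is mutable, so in a workflow that can obtain an OIDC publish token, consider pinning each action to a full commit SHA with the tag kept as a trailing comment. The job's `permissions:` block is outside the hunk, so whether `id-token: write` is scoped to this job alone cannot be confirmed from here.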
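Review bot: Dropping `NPM_CONFIG_PROVENANCE: true` from the publish step's `env` leaves provenance attestation implicit, and the series reverses the decision twice (restored in patch 2/4, removed again in patch 4/4) without recording what settles it. npm attaches provenance automatically when a publish authenticates through trusted publishing, but that presumably depends on `pnpm release` ending in a publish path that uses the OIDC flow; that script is not visible here. I would add a comment above `env:` such as `# provenance is generated by npm trusted publishing (OIDC); requires id-token: write`, and confirm on the first release that the registry shows an attestation for the published version. The added `id: changesets` is not referenced in any visible hunk; if no later step reads `steps.changesets.outputs`, it can be dropped.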
From 46e23792e62e2078a4bd33262d3b54326c0ccd3c Mon Sep 17 00:00:00 2001 From: Shrey Pandya Date: Mon, 30 Mar 2026 17:59:48 -0700 Subject: [PATCH 3/4] ci: upgrade checkout to v6 with full history, keep provenance MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - checkout@v4 → v6 with fetch-depth: 0 (changesets needs git history) - Keep NPM_CONFIG_PROVENANCE=true (only way to pass --provenance through changesets) Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 84b8548..e8bfa39 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -18,7 +18,9 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@v6 + with: + fetch-depth: 0 - name: Install pnpm uses: pnpm/action-setup@v4 From 270a25f4514d23701226e8ea2331de0b42b76464 Mon Sep 17 00:00:00 2001 From: Shrey Pandya Date: Mon, 30 Mar 2026 18:06:31 -0700 Subject: [PATCH 4/4] ci: remove NPM_CONFIG_PROVENANCE to match stagehand pattern Stagehand publishes successfully via changesets + OIDC without this env var. Removing it to eliminate the one difference between the two workflows. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e8bfa39..9ca27cc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -48,4 +48,3 @@ jobs: publish: pnpm release env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_CONFIG_PROVENANCE: true
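Review bot: `fetch-depth: 0` on the checkout step has no comment explaining why the release job needs full history; the reason is given only in the commit message. Add `# full history: changesets needs git history` above `fetch-depth: 0` so that a later cleanup does not revert it to a shallow clone. The steps list continues outside the hunk.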