Distribute up via npm with trusted publishing#9
Open
suarezesteban wants to merge 1 commit into
Publish the CLI to npm as `up` (2.0.0: the name's earlier 1.x line was an unrelated project, so the major jump keeps `^1` users untouched). Publishing happens exclusively from release.yml via npm trusted publishing: OIDC, no token, provenance attached to every version.

- package.json: rename @vercel-labs/up -> up, version 2.0.0, drop `private`, add `files` so the published tarball contains the built CLI (dist/ is gitignored and would otherwise be excluded).
- release.yml: id-token permission, registry-url, and a guarded publish step: it publishes only when the pushed tag is exactly v<package.json version>, and prerelease versions go to the `beta` dist-tag so `latest` always resolves to a stable build.
- README, package README, SECURITY.md, landing: npm is the install channel; releases verify via provenance (`npm audit signatures`).
- install.sh: the curl channel stays frozen at its final beta and now prints a pointer to npm.
Makes the repository publish-ready for npm. The `up` package name on npm now belongs to this project; npm is where a JS-ecosystem CLI is expected to live (`npm i -g up`, `npx up`), and the previous `curl | sh` channel is frozen at its final beta.

Changes

- `packages/cli/package.json` — rename `@vercel-labs/up` → `up`; version `2.0.0` (the npm name's earlier 1.x line was an unrelated project, so the major jump signals the break and keeps `^1` consumers untouched); remove `"private": true` (it blocks publishing); add `"files": ["dist"]` — without it npm falls back to `.gitignore`, which excludes `dist/`, and the published tarball would ship without the CLI.
- `.github/workflows/release.yml` — `id-token: write` permission, `registry-url`, and a guarded publish step using npm trusted publishing (OIDC: no token exists; provenance is attached automatically). The guard publishes only when the pushed tag is exactly `v<package.json version>` — a suffixed tag can never publish a stable version — and prerelease versions (containing `-`) publish under the `beta` dist-tag so `latest` always resolves to a stable build.
- `README.md`, `packages/cli/README.md` (the npm package page), `SECURITY.md`, landing — install via `npm install -g up`; release verification is provenance-based (`npm audit signatures`) instead of CDN checksums.
- `apps/downloads/public/install.sh` — keeps working, frozen at `v0.1.0-beta.5`, and prints a pointer to npm. Existing release artifacts are untouched (CI enforces their immutability).

Package contents verified with `npm pack --dry-run`: `LICENSE`, `README.md`, `dist/cli.js`, `package.json` — 190 kB packed.

Rollout order

1. `up` must be configured to accept this repo's `release.yml` (owner-side; in progress).
2. `npm i -g up` when its deploy completes, so — `v2.0.0` and push the tag promptly.
3. `release.yml` validates, builds, publishes to npm with provenance, and creates the GitHub Release.
4. `npm install -g up && up --help`, and `npm audit signatures` in a project that depends on it.

This PR publishes nothing by itself — publishing only happens when a `v2.0.0` tag is pushed after merge.

Verification

Lint, typecheck, and build green; tests 156/158 (the 2 failures are pre-existing and occur only when running as root — identical on `main`); release-artifact verifier and installer syntax checks pass; lockfile unchanged by the rename.

Generated by Claude Code
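The guard the description outlines for the publish step (publish only when the pushed tag is exactly `v<package.json version>`, prerelease versions to the `beta` dist-tag) written out as an added shell example; this is not the PR's `release.yml`. The function name `publish_plan` and the way the workflow would feed it the tag and version are my assumptions.

```shell
#!/usr/bin/env sh
# Added example: decision logic of a guarded npm publish step, kept in a
# function so it can be checked outside CI. The surrounding workflow still
# needs `permissions: id-token: write` and setup-node with `registry-url`
# for npm trusted publishing, as the PR describes (not shown here).

# publish_plan <pushed tag> <package.json version>
# Prints the dist-tag to publish under ("latest" or "beta") and returns 0,
# or prints "skip" and returns 1 when the tag does not match the version.
publish_plan() {
  tag=$1
  version=$2
  # The tag must be exactly "v" + version. A suffixed or mismatched tag
  # (v2.0.0-rc1 while package.json says 2.0.0) must never publish a stable
  # build, so anything other than an exact match is refused.
  if [ "$tag" != "v$version" ]; then
    echo skip
    return 1
  fi
  # A prerelease version (one containing "-") goes to the beta dist-tag so
  # that `latest` always resolves to a stable release.
  case $version in
    *-*) echo beta ;;
    *)   echo latest ;;
  esac
  return 0
}

# Assumed workflow usage (tag from GITHUB_REF_NAME on a tag push, version
# read from package.json), followed by the publish itself:
#   dist_tag=$(publish_plan "$GITHUB_REF_NAME" \
#     "$(node -p "require('./package.json').version")") || exit 0
#   npm publish --provenance --access public --tag "$dist_tag"
# Run directly with two arguments to see the decision for a tag/version pair.
if [ "$#" -eq 2 ]; then
  if dist_tag=$(publish_plan "$1" "$2"); then
    echo "would publish $2 under dist-tag $dist_tag"
  else
    echo "tag $1 does not match v$2: nothing published"
    exit 1
  fi
fi
```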