
feat(release): add NPM publishing workflow #7

Merged
talissoncosta merged 7 commits into main from feat/npm-publish
Feb 5, 2026

Conversation


@talissoncosta talissoncosta commented Dec 25, 2025

Summary

Adds NPM publishing infrastructure for @flagsmith/backstage-plugin.

Changes

  • Package configuration: Update package.json with NPM metadata, scoped package name, and Backstage plugin config
  • Release workflow (publish-release.yml):
    • Triggers on v* tags (created by release-please)
    • Secure job separation: build job (no OIDC) → publish job (OIDC only)
  • Release management (release-please.yml):
    • Automated release PR creation on pushes to main
    • Follows release-please pattern (same as flagsmith-js-client)
  • Authentication: Uses NPM trusted publishing (OIDC) - no tokens required
  • Security: Build scripts are isolated from OIDC token (publish job only downloads artifact and publishes)
  • Documentation: Add LICENSE (Apache-2.0) and CHANGELOG

How it works

  1. Merge PRs to main → release-please creates/updates a release PR
  2. Merge release PR → release-please creates a v* tag
  3. Tag push triggers publish-release.yml → builds and publishes to NPM

Authentication

Uses NPM trusted publishing with OIDC for secure, tokenless authentication. The workflow uses --provenance for signed attestations (supply chain security).

Security

Build and publish are separate jobs:

  • Build job: No id-token permission - runs install, lint, tests, build
  • Publish job: Has id-token: write - only downloads artifact and publishes

This ensures malicious build scripts cannot access the OIDC token.

Setup Required

  1. ✅ OIDC trusted publisher configured on npmjs.com by @khvn26
  2. RELEASE_PLEASE_GITHUB_TOKEN (org-level secret)

Test Plan

  • Merge PR → verify release-please creates a release PR
  • Merge release PR → verify NPM publish succeeds with OIDC

Closes #11
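The build/publish job separation described under Security, written out as an added example workflow; this is not the repository's own publish-release.yml, and the action versions, Node version, yarn script names and artifact name are assumptions:

```yaml
# Added example of the two-job OIDC pattern described in the PR; not the
# repository's actual publish-release.yml. Action versions, Node version,
# yarn script names and the artifact name are assumptions.
name: Publish release

on:
  push:
    tags: ['v*']            # tags created by release-please

permissions:
  contents: read            # workflow default: no id-token anywhere

jobs:
  build:
    # Runs third-party install/lint/test/build scripts with NO OIDC token
    # available, so a malicious lifecycle script cannot mint one.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: yarn install --immutable
      - run: yarn lint
      - run: yarn test
      - run: yarn build
      - run: npm pack          # single .tgz handed to the publish job
      - uses: actions/upload-artifact@v4
        with:
          name: package
          path: '*.tgz'

  publish:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write         # the ONLY job that can request the OIDC token
    steps:
      # No checkout and no install: nothing from the repository executes
      # here; the job only publishes the artifact built above.
      - uses: actions/setup-node@v4
        with:
          node-version: 22     # trusted publishing needs a recent npm CLI
          registry-url: https://registry.npmjs.org
      - uses: actions/download-artifact@v4
        with:
          name: package
      - run: npm publish ./*.tgz --access public
```

Because the PR later dropped --provenance (it is implied by trusted publishing), the publish step above omits it.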

github-actions bot added a commit that referenced this pull request Dec 25, 2025
github-actions bot added a commit that referenced this pull request Jan 26, 2026
@talissoncosta talissoncosta force-pushed the feat/npm-publish branch 3 times, most recently from ffc27ed to a55a280 on January 28, 2026 18:04
talissoncosta and others added 2 commits January 29, 2026 13:33
- Update package.json with NPM metadata (@flagsmith/backstage-plugin)
- Add release workflow with PR previews (@next tag), GitHub Release trigger, and manual dispatch
- Add NPM version badge to README
- Extract PR comment script to scripts/comment-pr-preview.js

Closes #6423

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Apache-2.0 LICENSE file
- Add CHANGELOG.md with initial 0.1.0 release notes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@Flagsmith Flagsmith deleted a comment from github-actions bot Jan 29, 2026
Rename workflow files for better clarity and extract preview publishing
into its own workflow.

- Rename release.yml → publish-release.yml
- Extract preview job into publish-preview.yml
- Remove pull_request trigger from publish-release.yml
- Update workflow display names to match

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Remove NODE_AUTH_TOKEN from publish-release.yml to use NPM's trusted
publishing (OIDC) for secure, tokenless authentication.

- publish-release.yml: Uses OIDC (configured by @khvn26 on npmjs.com)
- publish-preview.yml: Keeps NPM_TOKEN (OIDC doesn't support pull_request)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

talissoncosta commented Feb 3, 2026

@khvn26 Good point! I've removed the preview publishing entirely.

NPM's trusted publishing (OIDC) doesn't support pull_request events, so instead of maintaining a separate token-based workflow, we can just use git sources for testing PR changes:

yarn add github:Flagsmith/flagsmith-backstage-plugin#feat/some-branch

Now we only have publish-release.yml using OIDC for production releases - simpler and more secure!

Remove PR preview publishing - packages can be installed directly
from git sources instead (e.g., yarn add github:Flagsmith/flagsmith-backstage-plugin#branch).

This simplifies the CI setup and removes the need for NPM_TOKEN.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@talissoncosta talissoncosta requested a review from khvn26 February 3, 2026 14:01
Add release-please for automated release PR management and refactor
publish-release.yml for better security:

New:
- release-please.yml: Creates/updates release PRs on main branch pushes

Changes to publish-release.yml:
- Trigger on tag push (v*) instead of release event
- Separate build and publish jobs for OIDC security:
  - build: runs install/lint/test/build (no id-token permission)
  - publish: only downloads artifact and publishes (has id-token)
- Keeps same filename to preserve npm OIDC configuration

This follows the established Flagsmith pattern (flagsmith-js-client)
and addresses security concerns about running build scripts with
OIDC token access.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@talissoncosta talissoncosta requested a review from khvn26 February 3, 2026 14:51
@Flagsmith Flagsmith deleted a comment from github-actions bot Feb 3, 2026
… flag

- Add release-please-config.json and .release-please-manifest.json
- Remove --provenance flag (implied with trusted publishing)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

@khvn26 khvn26 left a comment


Left a non-blocking comment. LGTM 👍

@talissoncosta talissoncosta merged commit c356cce into main Feb 5, 2026
4 checks passed

Development

Successfully merging this pull request may close these issues.

Publish @flagsmith/backstage-plugin to NPM
