Commit cc80048

fix: unify all npm publish workflows into a single top-level publish-npm.yml
## Problem

npm Trusted Publishing matches the `workflow_ref` OIDC claim, which is always the top-level workflow filename. npm allows only ONE trusted publisher per package. The prior migration (#57099) used `workflow_call` to route all publishes through `publish-npm.yml`, but `workflow_ref` resolves to the *caller* (e.g. `nightly.yml`), not the reusable child — so the Trusted Publisher entry for `publish-npm.yml` never matches.

## Solution

Merge all three publish entry points into `publish-npm.yml` itself, triggered by all three event types:

- `push.tags: v0.*` → release mode (was publish-release.yml)
- `schedule + workflow_dispatch` → nightly mode (was nightly.yml)
- `push.branches: main, *-stable` → bumped-packages mode (was publish-bumped-packages.yml)

A `determine_mode` job inspects the trigger and sets the mode. Downstream jobs use conditional `if:` expressions to run only the relevant build/publish steps.

Since `publish-npm.yml` is now always the top-level workflow, `workflow_ref` always resolves to `publish-npm.yml` ✅.

## Key design points

- **No JS changes** — the publish scripts are unchanged. The build and publish still happen in the same job, on the same runner, with the same container. No artifact handoff or pack-only mode needed.
- **Reusable workflow_call children are fine** — prebuild-ios-*.yml, generate-changelog.yml, etc. remain as `workflow_call` children. Only the file that calls `npm publish` must be the top-level workflow; child workflows don't affect the OIDC claim.
- **Old workflow files kept as stubs** — publish-release.yml, nightly.yml, and publish-bumped-packages.yml are replaced with minimal deprecation notices so that external links/dashboards don't 404.
- **`always()` + explicit result checks** — publish_react_native depends on build_android (nightly-only) and prebuild_* jobs. In release mode, build_android is skipped. The `always()` prevents cascading skips, while explicit result checks ensure we don't publish after a failed build.

## npm Trusted Publisher config (manual step)

For each of the 24 packages, configure on npmjs.com:

- Organization: react
- Repository: react-native
- Workflow: publish-npm.yml
- Environment: npm-publish
1 parent 79adce3 commit cc80048
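
The mismatch the commit message describes, as an added example that is not part of the commit or the project's code: it compares constructed GitHub Actions OIDC claims against the Trusted Publisher entry listed above. The matching function is an assumption about the registry-side check (not npm's actual code), and the `react/react-native` repository string and `refs/heads/main` ref are constructed from the values in the message.

```javascript
// Added example. workflow_ref, job_workflow_ref, repository and environment are
// GitHub Actions OIDC claim names; checkTrustedPublisher() is a hypothetical
// model of the registry-side comparison, not npm's implementation.

// "owner/repo/.github/workflows/publish-npm.yml@refs/heads/main" -> "publish-npm.yml"
function workflowFile(ref) {
  const m = /^[^/]+\/[^/]+\/\.github\/workflows\/([^@/]+)@.+$/.exec(ref || "");
  return m ? m[1] : null;
}

// Trusted Publisher entry, built from the values in the commit message.
const PUBLISHER = {
  repository: "react/react-native",
  workflow: "publish-npm.yml",
  environment: "npm-publish",
};

// Returns { ok, reasons }; reasons names every field that failed to match.
function checkTrustedPublisher(claims, publisher) {
  const reasons = [];
  if (claims.repository !== publisher.repository) reasons.push("repository mismatch");
  if (claims.environment !== publisher.environment) reasons.push("environment mismatch");
  const top = workflowFile(claims.workflow_ref);
  if (top !== publisher.workflow) {
    // job_workflow_ref names the reusable workflow that ran the job, which is
    // why a workflow_call setup looks correct but still fails the match.
    const child = workflowFile(claims.job_workflow_ref);
    reasons.push(child === publisher.workflow
      ? `workflow_ref is ${top}; ${child} ran only as a reusable child`
      : `workflow_ref is ${top}`);
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed claims for the two layouts.
const base = { repository: "react/react-native", environment: "npm-publish" };
const wf = (file) => `react/react-native/.github/workflows/${file}@refs/heads/main`;
// Before: nightly.yml calls publish-npm.yml through workflow_call.
const viaWorkflowCall = { ...base, workflow_ref: wf("nightly.yml"), job_workflow_ref: wf("publish-npm.yml") };
// After: publish-npm.yml is itself the top-level workflow.
const unified = { ...base, workflow_ref: wf("publish-npm.yml"), job_workflow_ref: wf("publish-npm.yml") };

console.log(checkTrustedPublisher(viaWorkflowCall, PUBLISHER));
console.log(checkTrustedPublisher(unified, PUBLISHER));
```

When a publish is rejected, comparing `workflow_ref` with `job_workflow_ref` in the token is a quick way to tell this caller/child mix-up apart from a wrong repository or environment.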

4 files changed

Lines changed: 209 additions & 296 deletions

File tree

.github/workflows/nightly.yml

Lines changed: 0 additions & 90 deletions
This file was deleted.

.github/workflows/publish-bumped-packages.yml

Lines changed: 0 additions & 19 deletions
This file was deleted.
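
Review bot: The commit message says publish-release.yml, nightly.yml and publish-bumped-packages.yml are kept as stubs with deprecation notices, but nightly.yml (90 deletions) and publish-bumped-packages.yml (19 deletions) both appear here as deleted with 0 additions. Either commit the stub files or update the message to say the old workflows are removed, since links and dashboards pointing at these paths will now 404, which is the outcome the message says it avoids.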
