Skip to content

ci: add npm publish workflow for @fathom-rules/sdk#51

Merged
se-jo-ma merged 2 commits into
mainfrom
issue-40-npm-publish
Jun 24, 2026
Merged

ci: add npm publish workflow for @fathom-rules/sdk#51
se-jo-ma merged 2 commits into
mainfrom
issue-40-npm-publish

Conversation

@se-jo-ma

@se-jo-ma se-jo-ma commented Jun 6, 2026

Copy link
Copy Markdown
Member

Summary

Adds an npm publish pipeline for the @fathom-rules/sdk TypeScript SDK, mirroring pypi-publish.yml.

  • .github/workflows/npm-publish.yml: triggers on v*.*.* tags (plus workflow_dispatch), environment: npm, working-directory: packages/fathom-ts.
    • pnpm/action-setup@v6 (v9) + actions/setup-node@v6 (node 20, registry-url: https://registry.npmjs.org).
    • pnpm install --frozen-lockfilepnpm run build (tsc, emits dist/).
    • npm publish --provenance --access public with NODE_AUTH_TOKEN from secrets.NPM_TOKEN.
    • permissions: id-token: write for npm provenance (the same OIDC attestation mechanism pypi-publish.yml uses).
  • package.json metadata fix: repository.url corrected from the bare https://github.com/KrakenNet/fathom to the canonical git+https://github.com/KrakenNet/fathom.git; repository.directory was already packages/fathom-ts.

The package already carries build (tsc), main, types, and files: ["dist"] on main, so no bundler/build scaffolding was added — only the publish lane and the URL fix.

What is NOT in scope (maintainer decisions per issue #40)

  • Versioning strategy (lockstep with fathom-rules vs independent semver / release-please node component) is deliberately left to the maintainer. The workflow publishes whatever version is in packages/fathom-ts/package.json at the tagged commit — no lockstep automation was invented.

Action required before this works

  • A maintainer must create the NPM_TOKEN repository secret (an npm automation/granular token with publish rights to @fathom-rules), and (recommended) configure the npm deployment environment. The first npm provenance build also requires the @fathom-rules scope to exist with the publishing account as a member.
  • Real verification happens on the next v*.*.* release tag — npm publish cannot be exercised from a PR.

Local verification

From packages/fathom-ts (pnpm 10 / node 22):

  • pnpm install --frozen-lockfile + pnpm run build → exit 0, emits dist/.
  • npm pack --dry-run → clean file list: dist/ (.js + .d.ts + .map) + package.json only. No src/, test/, or node_modules/ (grep count: 0).
    • name @fathom-rules/sdk, version 0.1.0, 53 files, package size 22.0 kB, unpacked 112.0 kB.
  • uv run python -c "import yaml; yaml.safe_load(...)" → workflow YAML parses; jobs: ['publish'], permissions.id-token: write, environment: npm.

Security

No third-party binary downloads in the workflow — only actions/checkout@v6, pnpm/action-setup@v6, actions/setup-node@v6 (pinned to major). Nothing to SHA-256 pin. The NPM_TOKEN secret is passed via env:, never interpolated into a shell command.

Fixes #40

🤖 Generated with Claude Code

krakennetworks and others added 2 commits June 6, 2026 00:02
@krakennetworks @claude
ci: add npm publish workflow for @fathom-rules/sdk
cb6f269 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@krakennetworks @claude
docs: bump planned-integrations last_verified for package.json touch
6faa0d8 
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@se-jo-ma

se-jo-ma commented Jun 6, 2026

Copy link
Copy Markdown
Member Author

Currently we do not have npm publishing set up so actual publishing will not take place yet. Whenever we do, we can merge this.

@se-jo-ma se-jo-ma merged commit fdd79aa into main Jun 24, 2026
10 checks passed
@se-jo-ma se-jo-ma deleted the issue-40-npm-publish branch June 24, 2026 18:51
se-jo-ma added a commit that referenced this pull request Jun 24, 2026
@se-jo-ma @claude
docs: bump planned-integrations last_verified (repo-url tweak from #51)
4c8c670 
fathom-ts/package.json was touched by #51 (repository.url https->git+https), tripping the doc-source drift gate. The repo-url format change doesn't affect this page's content; re-verified.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017pXsj4Q7q1Vn2mtHhakTtJ
Signed-off-by: se-jo-ma <mauk.sean@gmail.com>
@se-jo-ma se-jo-ma mentioned this pull request Jun 24, 2026
Merged
se-jo-ma added a commit that referenced this pull request Jun 24, 2026
@se-jo-ma @claude
docs: bump planned-integrations last_verified (repo-url tweak from #51)
4d6f905 
fathom-ts/package.json was touched by #51 (repository.url https->git+https), tripping the doc-source drift gate. The repo-url format change doesn't affect this page's content; re-verified.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017pXsj4Q7q1Vn2mtHhakTtJ
Signed-off-by: se-jo-ma <mauk.sean@gmail.com>
@se-jo-ma se-jo-ma mentioned this pull request Jun 24, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

TS SDK: publish @fathom-rules/sdk to npm on release tags

2 participants

@se-jo-ma @krakennetworks