@konard konard commented Dec 9, 2025

Summary

Fixes the npm trusted publishing E422 error by adding the missing repository field to package.json.

Root Cause

npm's trusted publishing (OIDC) performs server-side validation to ensure repository.url in package.json matches the Source Repository URI in the provenance signing certificate. Without this field, npm returns:

E422 422 Unprocessable Entity - Error verifying sigstore provenance bundle:
Failed to validate repository information: package.json: "repository.url" is "",
expected to match "https://github.com/link-foundation/lino-arguments" from provenance

Solution

Added the repository field to package.json:

"repository": {
  "type": "git",
  "url": "https://github.com/link-foundation/lino-arguments.git"
}

Case Study

A comprehensive case study documenting the timeline, error analysis, and solution has been added to docs/case-studies/trusted-publishing-failure-case-study.md.

The case study includes:

  • Timeline of events
  • Error analysis with exact error messages
  • Root cause analysis
  • References to npm documentation and related issues
  • CI logs from failing runs

References

Fixes #10

Test Plan

  • Local CI checks pass (lint, format, tests)
  • CI pipeline passes
  • npm publish succeeds after merge with provenance

🤖 Generated with Claude Code

Adding CLAUDE.md with task information for AI processing.
This file will be removed when the task is complete.

Issue: #10
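A local preflight check, added here as an example and not part of this PR or of npm's own code, that reproduces the comparison the error message above describes: it reads repository.url from a parsed package.json, normalizes the common spellings of a GitHub URL, and compares it with the source repository URI the workflow would sign under (in GitHub Actions that is GITHUB_SERVER_URL/GITHUB_REPOSITORY). The normalization rules, the function names and the derivation of the expected URI from the Actions environment are assumptions for the example; npm's own matching runs server-side and may differ in detail. The sample package.json objects are constructed, not the project's real files.

```javascript
// Added example: local preflight check for the repository.url / provenance
// mismatch described in the PR. Not the PR's code and not npm's own matcher;
// the normalization rules below are an assumption for this example.

// Reduce common spellings of a GitHub repository URL to one canonical
// "https://github.com/owner/repo" form so they can be compared.
function normalizeRepoUrl(url) {
  if (typeof url !== 'string' || url.trim() === '') return '';
  let u = url.trim();
  u = u.replace(/^git\+/, '');                                 // git+https://...
  u = u.replace(/^ssh:\/\/git@github\.com\//, 'https://github.com/');
  u = u.replace(/^git@github\.com:/, 'https://github.com/');   // scp-style ssh
  u = u.replace(/^github:/, 'https://github.com/');            // npm shorthand
  u = u.replace(/^http:\/\//, 'https://');
  u = u.replace(/\.git$/, '').replace(/\/+$/, '');
  return u.toLowerCase();
}

// package.json allows "repository" either as a string or as { type, url }.
function repositoryUrlOf(pkg) {
  const repo = pkg ? pkg.repository : undefined;
  if (repo == null) return '';
  if (typeof repo === 'string') return repo;
  return typeof repo.url === 'string' ? repo.url : '';
}

// Assumption for this example: in GitHub Actions the source repository URI
// the provenance refers to is GITHUB_SERVER_URL/GITHUB_REPOSITORY.
function expectedSourceRepoFromEnv(env) {
  const server = env.GITHUB_SERVER_URL || 'https://github.com';
  if (!env.GITHUB_REPOSITORY) return '';
  return `${server.replace(/\/+$/, '')}/${env.GITHUB_REPOSITORY}`;
}

// Compare package.json against the expected source repository and return
// a report whose failure text is shaped like the error npm printed.
function checkRepositoryField(pkg, expectedSourceRepo) {
  const actual = repositoryUrlOf(pkg);
  const ok = actual !== '' && normalizeRepoUrl(actual) === normalizeRepoUrl(expectedSourceRepo);
  return {
    ok,
    actual,
    expected: expectedSourceRepo,
    message: ok
      ? `repository.url "${actual}" matches "${expectedSourceRepo}"`
      : `package.json: "repository.url" is "${actual}", expected to match "${expectedSourceRepo}" from provenance`,
  };
}

// Constructed sample inputs for the example (not the project's real files).
const expectedSourceRepo = expectedSourceRepoFromEnv({
  GITHUB_SERVER_URL: 'https://github.com',
  GITHUB_REPOSITORY: 'link-foundation/lino-arguments',
});
const pkgBefore = { name: 'lino-arguments', version: '1.0.0' };       // repository field missing
const pkgAfter = {
  ...pkgBefore,
  repository: { type: 'git', url: 'https://github.com/link-foundation/lino-arguments.git' },
};

console.log(checkRepositoryField(pkgBefore, expectedSourceRepo).message);
console.log(checkRepositoryField(pkgAfter, expectedSourceRepo).message);
```

Running this as a step before `npm publish --provenance` turns the server-side E422 into a local failure with the same wording, and it also catches the `.git` suffix and `git+` prefix variants, which the example treats as equivalent to the plain https form.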
@konard konard self-assigned this Dec 9, 2025
konard and others added 2 commits December 9, 2025 07:47
Add the repository field to package.json which is required for npm
trusted publishing (OIDC) provenance verification. Without this field,
npm returns an E422 error because it cannot match the repository.url
against the provenance signature.

Root cause: npm provenance verification validates that package.json
repository.url matches the Source Repository URI in the signing
certificate. Empty string does not match expected URL.

This commit also adds a comprehensive case study in docs/case-studies/
documenting the timeline, error analysis, and solution.

Fixes #10

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
Add CI run logs from the failing and subsequent runs for reference
and future debugging purposes. Renamed to .txt extension to bypass
gitignore rules for .log files.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@konard konard changed the title [WIP] Trusted publishing does not work in our CI/CD fix: add repository field for npm trusted publishing Dec 9, 2025
Fix formatting issue detected by prettier.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@konard konard marked this pull request as ready for review December 9, 2025 06:52
konard commented Dec 9, 2025

🤖 Solution Draft Log

This log file contains the complete execution trace of the AI solution draft process.

💰 Cost estimation:

  • Public pricing estimate: $6.140544 USD
  • Calculated by Anthropic: $3.949170 USD
  • Difference: $-2.191374 (-35.69%)

📎 Log file uploaded as GitHub Gist (876KB)
🔗 View complete solution draft log

The working session has now ended; feel free to review and add any feedback on the solution draft.

@konard konard merged commit 05007e2 into main Dec 9, 2025
6 checks passed
konard added a commit that referenced this pull request Dec 9, 2025
- Enhanced issue #10 analysis with detailed E404 error investigation
- Added evidence-based findings from online research about OIDC trusted publishing
- Documented workflow_dispatch authentication issues with npm
- Compared authentication strategies (NPM_TOKEN vs OIDC vs Hybrid)
- Added workflow comparison with test-anywhere reference repository
- Proposed multiple solutions with trade-off analysis
- Added changeset for documentation changes

Key findings:
- E422 error (missing repository field) is resolved
- E404 error for manual releases linked to OIDC/workflow_dispatch incompatibility
- test-anywhere uses NPM_TOKEN which works for all trigger types
- Multiple solution options documented with pros/cons

Related: Issue #10, PR #11

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

Development

Successfully merging this pull request may close these issues.

Trusted publishing does not work in our CI/CD
