[DO NOT MERGE] Verify OIDC npm publish end-to-end#103
Closed
SanthoshCharanBolt wants to merge 2 commits into
Closed
[DO NOT MERGE] Verify OIDC npm publish end-to-end#103SanthoshCharanBolt wants to merge 2 commits into
SanthoshCharanBolt wants to merge 2 commits into
Conversation
Contributor
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
Contributor
Author
|
Verified — OIDC/Trusted Publishing works end-to-end: 0.9.10 published successfully with signed provenance. Closing this throwaway verification PR. |
1 task
SanthoshCharanBolt
added a commit
that referenced
this pull request
Jul 6, 2026
### Description While verifying the OIDC/Trusted Publishing fix from #102, a test publish landed `0.9.10` on npm from an untagged, off-`main` commit (see #103, closed). `main`'s `package.json` is still at `0.9.9`. Without this fix, the next release-triggering commit to `main` would run `yarn release --ci`, compute the next version as `0.9.10` again (already published), and fail — npm rejects republishing an existing version. This bumps `main` to `0.9.10` so the next real release correctly computes `0.9.11`+. ### Background on why `main` was broken Versions `0.9.4`–`0.9.9` were bumped and tagged on `main` via `chore: release` commits, but every one of those publishes failed with a 404 (`npm error 404 Not Found - PUT .../@BoltPay%2freact-native`), because npm Trusted Publishing was never configured for this package. That's now fixed: - #102 corrected the workflow (`id-token: write`, correct registry URL, OIDC-based auth, `--provenance`) - A Trusted Publisher entry was added on npmjs.com for `boltapp/bolt-react-native-sdk` + `main-release.yml` - Verified working end-to-end via a throwaway branch/PR (#103, closed) — publish succeeded with a signed provenance attestation ### Security Review - [x] I have considered and reviewed security implications of this PR and included the summary below. #### Security Impact Summary Version-number-only change; no application code or production behavior affected. **Reviewer choices:** None.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Dummy PR to verify the OIDC/Trusted Publishing fix from #102 actually publishes to npm end-to-end, now that the Trusted Publisher entry has been configured on npmjs.com for
boltapp/bolt-react-native-sdk+main-release.yml.Temporarily adds this branch to the
main-release.ymlpush trigger so the release workflow runs here without merging tomain. Do not merge — revert the workflow trigger change and delete the branch once verified.Security Review
Security Impact Summary
Temporary, test-only change to a CI trigger; no application code or production behavior affected. Will be reverted after verification.
Reviewer choices: None — throwaway verification PR, not intended to merge.