Skip to content

[DO NOT MERGE] Verify OIDC npm publish end-to-end#103

Closed
SanthoshCharanBolt wants to merge 2 commits into
mainfrom
SanthoshCharan/test-oidc-publish
Closed

[DO NOT MERGE] Verify OIDC npm publish end-to-end#103
SanthoshCharanBolt wants to merge 2 commits into
mainfrom
SanthoshCharan/test-oidc-publish

Conversation

@SanthoshCharanBolt

@SanthoshCharanBolt SanthoshCharanBolt commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Description

Dummy PR to verify the OIDC/Trusted Publishing fix from #102 actually publishes to npm end-to-end, now that the Trusted Publisher entry has been configured on npmjs.com for boltapp/bolt-react-native-sdk + main-release.yml.

Temporarily adds this branch to the main-release.yml push trigger so the release workflow runs here without merging to main. Do not merge — revert the workflow trigger change and delete the branch once verified.

Security Review

  • I have considered and reviewed security implications of this PR and included the summary below.

Security Impact Summary

Temporary, test-only change to a CI trigger; no application code or production behavior affected. Will be reverted after verification.

Reviewer choices: None — throwaway verification PR, not intended to merge.

@snyk-io

snyk-io Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@SanthoshCharanBolt

Copy link
Copy Markdown
Contributor Author

Verified — OIDC/Trusted Publishing works end-to-end: 0.9.10 published successfully with signed provenance. Closing this throwaway verification PR.

@SanthoshCharanBolt SanthoshCharanBolt deleted the SanthoshCharan/test-oidc-publish branch July 6, 2026 11:12
SanthoshCharanBolt added a commit that referenced this pull request Jul 6, 2026
### Description

While verifying the OIDC/Trusted Publishing fix from #102, a test
publish landed `0.9.10` on npm from an untagged, off-`main` commit (see
#103, closed). `main`'s `package.json` is still at `0.9.9`.

Without this fix, the next release-triggering commit to `main` would run
`yarn release --ci`, compute the next version as `0.9.10` again (already
published), and fail — npm rejects republishing an existing version.

This bumps `main` to `0.9.10` so the next real release correctly
computes `0.9.11`+.

### Background on why `main` was broken

Versions `0.9.4`–`0.9.9` were bumped and tagged on `main` via `chore:
release` commits, but every one of those publishes failed with a 404
(`npm error 404 Not Found - PUT .../@BoltPay%2freact-native`), because
npm Trusted Publishing was never configured for this package. That's now
fixed:
- #102 corrected the workflow (`id-token: write`, correct registry URL,
OIDC-based auth, `--provenance`)
- A Trusted Publisher entry was added on npmjs.com for
`boltapp/bolt-react-native-sdk` + `main-release.yml`
- Verified working end-to-end via a throwaway branch/PR (#103, closed) —
publish succeeded with a signed provenance attestation

### Security Review

- [x] I have considered and reviewed security implications of this PR
and included the summary below.

#### Security Impact Summary

Version-number-only change; no application code or production behavior
affected.

**Reviewer choices:** None.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant