Add npm publishing workflow for Aspire CLI packages #17297
Draft
adamint wants to merge 4 commits into
- Create .github/workflows/publish-npm.yml for manual npm package publishing
- Support workflow_dispatch with inputs for version, run_id, dist_tag, pr_number, only_rid, skip_meta, and dry_run
- Enable npm provenance via id-token: write permission for Trusted Publisher OIDC
- Require admin/maintain permission for non-dry-run publishes
- Download artifacts from specified GitHub Actions run_id
- Publish RID packages before meta package with fail-fast: false matrix
- Wait for RID packages to propagate on npm before publishing meta package
- Support fallback to NPM_TOKEN secret until Trusted Publisher OIDC is configured
- Include recovery options via only_rid and skip_meta inputs
- Generate workflow summary with job status and next steps
- Update docs/specs/npm-cli-package.md with publishing section and prerequisites
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…tion
The MISSING_PACKAGES counter was incremented inside a pipeline subshell and never propagated to the parent shell, causing the verification check to always see 0 and never fail on missing tarballs. Changed from pipeline (echo | jq | while) to process substitution (while < <(echo | jq)) so the while loop runs in the main shell and variable updates are visible to the later check.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
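The subshell scoping bug described in this commit, reproduced as an added example (not the workflow's own script). The jq call is replaced by a constructed list of expected RIDs and present tarballs so it runs offline; it assumes bash, since process substitution is not POSIX sh.

```shell
#!/usr/bin/env bash
# Constructed inputs standing in for the jq output and artifact directory
# of the real workflow: one RID tarball (osx-arm64) is deliberately absent.
EXPECTED_RIDS="linux-x64 linux-arm64 osx-arm64 win-x64"
PRESENT_TARBALLS="microsoft-aspire-cli-linux-x64-1.0.0.tgz microsoft-aspire-cli-linux-arm64-1.0.0.tgz microsoft-aspire-cli-win-x64-1.0.0.tgz"

# Returns 0 if the exact tarball name for RID $1 is in PRESENT_TARBALLS.
has_tarball() {
  case " $PRESENT_TARBALLS " in
    *" microsoft-aspire-cli-$1-1.0.0.tgz "*) return 0 ;;
  esac
  return 1
}

# Buggy form: the while loop is the last stage of a pipeline, so it runs in
# a subshell. The increment happens on a copy of `missing`, and the parent
# shell always reports 0, so a missing tarball never fails the check.
count_missing_pipeline() {
  local missing=0
  printf '%s\n' $EXPECTED_RIDS | while read -r rid; do
    has_tarball "$rid" || missing=$((missing + 1))
  done
  echo "$missing"
}

# Fixed form: process substitution feeds the loop from a file descriptor,
# so the loop body runs in the current shell and the counter survives it.
count_missing_procsub() {
  local missing=0
  while read -r rid; do
    has_tarball "$rid" || missing=$((missing + 1))
  done < <(printf '%s\n' $EXPECTED_RIDS)
  echo "$missing"
}

echo "pipeline form reports: $(count_missing_pipeline) missing"   # 0 (wrong)
echo "process-substitution form reports: $(count_missing_procsub) missing"  # 1
```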
When dry_run=true, wait-for-packages is skipped, which previously allowed publish-meta-package to start without waiting for publish-rid-packages to complete. This violated the spec requirement that RID packages must be published/validated before the meta package.
Changes:
- Add publish-rid-packages to publish-meta-package job needs
- Update if condition to require publish-rid-packages.result == 'success'
- Preserve existing behavior: wait-for-packages can be skipped (dry run) but only after RID packages complete successfully
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
…eout
Address code review findings:
1. Exact version matching for tarballs:
- Replace broad patterns (microsoft-aspire-cli-$RID-*.tgz) with exact
version patterns (microsoft-aspire-cli-$RID-$VERSION.tgz)
- Apply to download verification, publish-rid-packages, and
publish-meta-package steps
- Improve error messages to show exact expected filename when missing
2. Configurable propagation timeout:
- Add propagation_timeout_seconds workflow input (default 900s = 15min)
- Validate input is positive integer in validate job
- Compute MAX_ATTEMPTS from timeout/sleep interval, rounding up
- Include timeout in workflow summary and parameter output
- Preserve bounded polling and dry-run skip behavior
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
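The two review fixes in this commit, exact-version tarball matching and the ceiling-rounded propagation budget, as an added example (not the workflow's own steps). The 900s default comes from the commit; the 30s poll interval, the function names and the tarball directory layout are assumptions.

```shell
#!/usr/bin/env bash
DEFAULT_TIMEOUT_SECONDS=900   # workflow input default from the commit
SLEEP_INTERVAL_SECONDS=30     # assumed poll interval between npm checks

# Accept only a positive decimal integer: rejects "", "0", "-5", "15m", "1e3".
validate_timeout() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;   # empty, or contains a non-digit
  esac
  [ "$1" -gt 0 ]
}

# MAX_ATTEMPTS = ceil(timeout / interval): 900s/30s gives 30 attempts,
# 901s gives 31, so a budget that is not a multiple of the interval is
# never silently truncated to one poll short of the requested timeout.
compute_max_attempts() {
  local timeout=$1 interval=${2:-$SLEEP_INTERVAL_SECONDS}
  echo $(( (timeout + interval - 1) / interval ))
}

# The exact filename the workflow expects for one RID at one version.
expected_tarball_name() {
  echo "microsoft-aspire-cli-$1-$2.tgz"
}

# Exact-name check: the broad glob microsoft-aspire-cli-$RID-*.tgz would
# also accept a stale tarball from another version left in the artifact
# directory, so the check requires the $RID-$VERSION name and reports it.
# $1 = artifact directory, $2 = RID, $3 = version
check_tarball() {
  local name
  name=$(expected_tarball_name "$2" "$3")
  if [ -f "$1/$name" ]; then
    return 0
  fi
  echo "Missing expected tarball: $1/$name" >&2
  return 1
}

echo "attempts for ${DEFAULT_TIMEOUT_SECONDS}s: $(compute_max_attempts "$DEFAULT_TIMEOUT_SECONDS")"
```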
Description
This adds the missing npm publish path for the Aspire CLI npm package work. The branch can now take the microsoft-aspire-cli*.tgz tarballs already produced by the native archive build and publish them through a manual, dry-run-by-default GitHub Actions workflow.

The workflow is designed for Microsoft-managed publishing of the @microsoft/aspire-cli packages:
- secrets.NPM_TOKEN fallback until Trusted Publisher setup is complete.
- latest, next, daily, and pr-<N> dist-tags, plus only_rid and skip_meta recovery knobs.
- docs/specs/npm-cli-package.md.
- Example dry run:

Security considerations
This change adds release infrastructure that can publish packages to npm. Real publishes are restricted to repository users with admin or maintain permission, use GitHub OIDC/npm provenance, and include a temporary NPM_TOKEN fallback that should be removed after Trusted Publisher configuration is complete. Security review is recommended for the publishing permissions, Trusted Publisher binding, and temporary token fallback before enabling real publishes.

Fixes #17045
Checklist
- <remarks /> and <code /> elements on your triple slash comments?
- aspire.dev issue:

Validation:
- python3 YAML parse of .github/workflows/publish-npm.yml
- dotnet test --project tests/Infrastructure.Tests/Infrastructure.Tests.csproj --no-launch-profile -- --filter-class "*.StageNativeCliToolPackagesTests" --filter-not-trait "quarantined=true" --filter-not-trait "outerloop=true" (11 passed)