From dbae278654ec30be2a2e0af6cc799341f14a873d Mon Sep 17 00:00:00 2001
From: Faraazuddin Mohammed
Date: Wed, 20 May 2026 11:08:23 -0400
Subject: [PATCH] docs: remove npm token release guidance

---
 CONTRIBUTING.md | 5 +--
 scripts/diagnose-npm-token.sh | 57 ---------------------------------
 scripts/publish-with-token.sh | 59 -----------------------------------
 3 files changed, 3 insertions(+), 118 deletions(-)
 delete mode 100755 scripts/diagnose-npm-token.sh
 delete mode 100755 scripts/publish-with-token.sh

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 63ab9a5..c94856d 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -97,7 +97,7 @@ The release pipeline is **fully unified** — one merge of the Version Packages
 1. If `.changeset/` has any pending changesets, the workflow opens (or updates) a **Version Packages** PR that auto-bumps `package.json` versions and auto-generates `CHANGELOG.md` entries.
 2. Merging that PR triggers the same workflow to:
- - Publish `tokenometer` + `@tokenometer/core` to npm with provenance.
+ - Publish `tokenometer`, `@tokenometer/core`, and `@tokenometer/mcp` to npm with provenance through npm Trusted Publishing / GitHub OIDC.
 - Create a GitHub Release on the new tag (GitHub Marketplace listens to that and republishes the Action's listing).
 - Build a fresh `.vsix` and publish the VS Code extension to the **VS Code Marketplace** (`vsce`) and **Open VSX** (`ovsx`, the registry Cursor + VSCodium read from).
 - HTTP-verify the GitHub Marketplace listing (best-effort — propagation can take a few minutes).
@@ -108,11 +108,12 @@ Before merging the Version Packages PR, you can sanity-check the build locally w
 Required secrets in repo settings → Secrets and variables → Actions:
-- `NPM_TOKEN` — npm automation token.
 - `VSCE_PAT` — Personal Access Token from https://dev.azure.com (Marketplace publisher → Manage Tokens, scope: Marketplace → Acquire + Manage). If absent, the VS Code Marketplace step is skipped with a clear notice.
 - `OVSX_PAT` — Personal Access Token from https://open-vsx.org (User Settings → Access Tokens). If absent, the Open VSX step is skipped.
 - `VERCEL_DEPLOY_HOOK` — Deploy hook URL from Vercel project settings (optional; the playground also rebuilds automatically on every push to main).
+npm package publishing does not use a repository secret. Configure npm Trusted Publisher bindings for `tokenometer`, `@tokenometer/core`, and `@tokenometer/mcp` to point at `faraa2m/tokenometer` and `.github/workflows/release.yml`.
+
 ## Questions
 Use [Discussions](https://github.com/faraa2m/tokenometer/discussions). Issues are for bugs and concrete proposals.
diff --git a/scripts/diagnose-npm-token.sh b/scripts/diagnose-npm-token.sh
deleted file mode 100755
index d5652d4..0000000
--- a/scripts/diagnose-npm-token.sh
+++ /dev/null
@@ -1,57 +0,0 @@ -#!/usr/bin/env bash -# Diagnose an npm token without touching ~/.npmrc. -# Usage: bash scripts/diagnose-npm-token.sh -# -# Writes a temp .npmrc at $TMPDIR/tokenometer-diag.npmrc, points npm at it -# via NPM_CONFIG_USERCONFIG, runs whoami / org-list / dry-run publishes, -# then deletes the temp file. - -set -u - -if [ "$#" -ne 1 ]; then - echo "Usage: $0 " >&2 - exit 2 -fi - -TOKEN="$1" -TMPDIR="${TMPDIR:-/tmp}" -NPMRC="${TMPDIR}/tokenometer-diag-$$-$(date +%s).npmrc" -REGISTRY="https://registry.npmjs.org/" - -cleanup() { - rm -f "$NPMRC" - unset NPM_CONFIG_USERCONFIG -} -trap cleanup EXIT INT TERM - -cat > "$NPMRC" <&1 || true -echo - -echo "▸ npm org ls tokenometer" -npm org ls tokenometer --registry="$REGISTRY" 2>&1 || true -echo - -echo "▸ npm access list packages tokenometer" -npm access list packages tokenometer --registry="$REGISTRY" 2>&1 | head -20 || true -echo - -echo "▸ Dry-run publish: @tokenometer/core" -( cd "$repo_root/packages/core" && npm publish --access public --dry-run --registry="$REGISTRY" 2>&1 | tail -25 ) || true -echo - -echo "▸ Dry-run publish: tokenometer" -( cd "$repo_root/packages/cli" && npm publish --access public --dry-run --registry="$REGISTRY" 2>&1 | tail -25 ) || true -echo - -echo "✅ Done. Temp .npmrc deleted. Your real ~/.npmrc was never touched." diff --git a/scripts/publish-with-token.sh b/scripts/publish-with-token.sh deleted file mode 100755 index 5502bd7..0000000 --- a/scripts/publish-with-token.sh +++ /dev/null 
@@ -1,59 +0,0 @@ -#!/usr/bin/env bash -# Publish @tokenometer/core and tokenometer to npm using a one-shot -# isolated config. Does NOT touch ~/.npmrc. -# -# Usage: bash scripts/publish-with-token.sh -# -# Order matters: core first (CLI depends on it). - -set -euo pipefail - -if [ "$#" -ne 1 ]; then - echo "Usage: $0 " >&2 - exit 2 -fi - -TOKEN="$1" -TMPDIR="${TMPDIR:-/tmp}" -NPMRC="${TMPDIR}/tokenometer-publish-$$-$(date +%s).npmrc" -REGISTRY="https://registry.npmjs.org/" - -cleanup() { - rm -f "$NPMRC" - unset NPM_CONFIG_USERCONFIG -} -trap cleanup EXIT INT TERM - -cat > "$NPMRC" </dev/null 2>&1 ) -echo " done" -echo - -echo "▸ Publishing @tokenometer/core@0.1.0" -( cd "$repo_root/packages/core" && npm publish --access public --registry="$REGISTRY" ) -echo - -echo "▸ Publishing tokenometer@0.1.0" -( cd "$repo_root/packages/cli" && npm publish --access public --registry="$REGISTRY" ) -echo - -echo "✅ Both packages published to npm. Temp .npmrc deleted." -echo -echo "Next steps:" -echo " 1. git tag -a v0.1.0 -m 'v0.1.0'" -echo " 2. git push origin v0.1.0" -echo " 3. gh release create v0.1.0 --generate-notes" -echo " (creates the GitHub Release that triggers Marketplace re-publish for the Action)"