Skip to content

Fix release workflow draft handling and npm OIDC authentication #274

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Sep 7, 2025
Merged

Fix release workflow draft handling and npm OIDC authentication #274

merged 2 commits into from
Sep 7, 2025

Conversation

sugyan
Copy link
Owner

@sugyan sugyan commented Sep 7, 2025

Summary

This PR fixes two critical issues in the release workflow that were causing failures in v0.1.52:

  1. Draft Release Handling: Fixed "Cannot upload assets to immutable release" error
  2. npm OIDC Authentication: Added npm version update for Trusted Publishers support

Type of Change

  • 🐛 bug: Bug fix (non-breaking change which fixes an issue)
  • 🔧 chore: Changes to the build process or auxiliary tools

Root Cause Analysis

Issue 1: Immutable Release Error

Problem: tagpr correctly created draft releases, but softprops/action-gh-release with draft: false immediately published the release, then failed when trying to upload assets to the now-immutable published release.

Timeline:

  • 14:39:23Z - tagpr creates draft release ✅
  • 14:43:15Z - workflow publishes release
  • 14:43:15Z - same workflow tries to upload assets → FAIL (immutable)

Issue 2: npm Authentication Failure

Problem: Node.js 22 ships with npm 10.9.3, but npm Trusted Publishers requires npm 11.5.1+. The workflow attempted OIDC authentication with insufficient npm version.

Changes Made

1. Two-Step Release Process (.github/workflows/release.yml)

# Step 1: Upload assets to draft release
- name: Upload release assets
  uses: softprops/action-gh-release@v2
  with:
    files: |
      artifacts/*/*
      frontend/demo-recordings/*.webm
    draft: true  # Keep as draft while uploading
    prerelease: false

# Step 2: Publish release (no file operations)
- name: Publish release
  uses: softprops/action-gh-release@v2
  with:
    generate_release_notes: true
    draft: false  # Now publish the release
    prerelease: false

2. npm Version Update for OIDC Support

- name: Update npm to latest version
  run: npm install -g npm@latest

Benefits

Manual Configuration Still Required

After merging, configure npm Trusted Publisher on npmjs.com:

  1. Navigate to https://www.npmjs.com/package/claude-code-webui settings
  2. Configure Trusted Publisher for GitHub Actions:
    • Organization: sugyan
    • Repository: claude-code-webui
    • Workflow: release.yml

Testing

  • All CI checks pass
  • Draft release workflow logic validated
  • npm version requirement confirmed (Node.js 22 = npm 10.9.3 < 11.5.1)
  • Full release workflow testing (after npm Trusted Publisher setup)

This should resolve both the release asset upload failures and npm publishing authentication issues.

🤖 Generated with Claude Code

sugyan and others added 2 commits September 7, 2025 23:50
@sugyan @claude
Fix release workflow to properly handle draft releases
724afb3 
- Split release creation into two steps to avoid immutable release error
- Step 1: Upload assets to draft release (draft: true)
- Step 2: Publish release without touching assets (draft: false)
- Resolves softprops/action-gh-release#653 issue with immutable releases

This ensures:
1. tagpr creates draft release correctly
2. Assets are uploaded to mutable draft release
3. Release is published only after assets are uploaded
4. No "Cannot upload assets to immutable release" errors

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
@sugyan @claude
Update npm to latest version for OIDC Trusted Publishers support
c7d0b0b 
- Add npm update step to npm-publish job before dependencies installation
- Node.js 22 ships with npm 10.9.3, but OIDC Trusted Publishers requires npm 11.5.1+
- This ensures npm CLI can detect and use OIDC authentication properly
- Enables automatic provenance attestations for enhanced supply chain security

Combined with previous draft release workflow fix, this should resolve:
1. "Cannot upload assets to immutable release" error (draft handling)
2. npm publish authentication failures (npm version requirement)

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
@sugyan sugyan added bug Something isn't working chore Maintenance, dependencies, tooling backend Backend-related changes labels Sep 7, 2025
@sugyan sugyan requested a review from Copilot September 7, 2025 14:57
Copilot
Copilot AI reviewed Sep 7, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes critical issues in the release workflow that were preventing successful releases, specifically addressing draft release handling and npm OIDC authentication requirements.

  • Split release process into two steps to prevent "immutable release" errors when uploading assets
  • Updated npm to latest version to support OIDC Trusted Publishers authentication
  • Maintained existing release functionality while fixing the upload failure points

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

.github/workflows/release.yml
Comment on lines 127 to 139
with:
files: |
artifacts/*/*
frontend/demo-recordings/*.webm
draft: true
prerelease: false

- name: Publish release
uses: softprops/action-gh-release@v2
with:
generate_release_notes: true
draft: false
prerelease: false
Copy link
Preview

Copilot AI Sep 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The two-step release process duplicates the action usage. Consider extracting common parameters to environment variables or using YAML anchors to reduce duplication and ensure consistency between the steps.

Suggested change
with:
files: |
artifacts/*/*
frontend/demo-recordings/*.webm
draft: true
prerelease: false
- name: Publish release
uses: softprops/action-gh-release@v2
with:
generate_release_notes: true
draft: false
prerelease: false
with: &gh_release_common
files: |
artifacts/*/*
frontend/demo-recordings/*.webm
prerelease: false
draft: true
- name: Publish release
uses: softprops/action-gh-release@v2
with:
<<: *gh_release_common
generate_release_notes: true
draft: false

Copilot uses AI. Check for mistakes.

@sugyan sugyan merged commit 7765294 into main Sep 7, 2025
7 checks passed
@sugyan sugyan deleted the fix/release-workflow-draft-handling branch September 7, 2025 14:58
@sugyan sugyan mentioned this pull request Sep 7, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

Assignees
No one assigned
Labels
backend Backend-related changes bug Something isn't working chore Maintenance, dependencies, tooling
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Incompatible with immutable releases
1 participant
@sugyan