
Publish all packages in single step, skip already-published versions#196

Merged
leoromanovsky merged 1 commit into main from fix/oidc-skip-published on Mar 3, 2026

Conversation

Collaborator

@leoromanovsky leoromanovsky commented Mar 3, 2026

Motivation

Two issues with the current release workflow:

  1. Can't re-run releases: Core was published via OIDC successfully, but browser failed. Re-running the release fails with "You cannot publish over the previously published versions: 1.1.0" because core tries to publish again.

  2. OIDC token is single-use per publish: Each npm publish --provenance call exchanges a short-lived OIDC token for a single-operation npm API token that expires immediately after that publish:

    "npm exchanges this OIDC token for a short-lived npm API token that's used to complete the publish. This token exists only for the duration of that single operation."
    MakerX: NPM Trusted Publishing

    When publish steps were separate, the first step (core) consumed the OIDC token. The browser step then tried to authenticate and failed with ENEEDAUTH because it couldn't obtain a fresh token. Publishing all packages in a single shell step keeps access to ACTIONS_ID_TOKEN_REQUEST_URL, allowing npm to request a fresh OIDC token for each publish call.

    Evidence from the failed run:

    • Core: ✅ Signed provenance statement with source and build information from GitHub Actions
    • Browser: npm error code ENEEDAUTH — same job, next step, token gone

Changes

  • Consolidate 3 separate publish steps + wait step into a single "Publish all packages" step
  • Check npm view before each publish — skip if version already exists on npm
  • Same core propagation wait logic, just inline

How re-runs work now

On re-run, each publish_package call checks npm first:

⏭️  @datadog/[email protected] already published, skipping
✅ @datadog/[email protected] is available
📦 Publishing @datadog/[email protected]...
📦 Publishing @datadog/[email protected]...

References

Consolidates the 3 separate publish steps into one. This ensures the
OIDC token stays valid across all publishes and allows re-runs to skip
packages that were already published successfully.
@leoromanovsky leoromanovsky marked this pull request as ready for review March 3, 2026 22:32
@leoromanovsky leoromanovsky requested a review from a team as a code owner March 3, 2026 22:32
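The single-step publish flow the PR body describes (check the registry, skip already-published versions, wait for core to propagate, then publish the rest), written out as an added example. This is not the repository's workflow script; the package names under @example/, the packages/ directories and the WAIT_SECONDS/MAX_ATTEMPTS tunables are placeholders.

```shell
# Added example, not the repository's workflow. Publishes every package from
# one shell step so each `npm publish --provenance` can fetch its own OIDC
# token, and skips any name@version the registry already has. Assumptions:
# npm is on PATH; package names, directories and the two tunables are
# placeholders, not values taken from the PR.
WAIT_SECONDS="${WAIT_SECONDS:-10}"   # same 10s poll as the PR's snippet
MAX_ATTEMPTS="${MAX_ATTEMPTS:-30}"

# 0 if name@version is already visible on the registry, non-zero otherwise.
is_published() {
  npm view "$1@$2" version >/dev/null 2>&1
}

# Publish one package unless that exact version already exists.
# Prints "skipped" or "published" on stdout so a re-run is easy to audit.
publish_package() {
  name="$1"; dir="$2"; version="$3"
  if is_published "$name" "$version"; then
    echo "$name@$version already published, skipping" >&2
    echo "skipped"
    return 0
  fi
  echo "Publishing $name@$version..." >&2
  npm publish "$dir" --provenance || return 1
  echo "published"
}

# Poll until name@version is visible; dependents must not publish before core.
wait_for_package() {
  name="$1"; version="$2"; attempt=0
  while [ "$attempt" -lt "$MAX_ATTEMPTS" ]; do
    if is_published "$name" "$version"; then
      return 0
    fi
    attempt=$((attempt + 1))
    echo "Package not yet available, waiting $WAIT_SECONDS seconds..." >&2
    sleep "$WAIT_SECONDS"
  done
  return 1
}

# Core first, wait for propagation, then the packages that depend on it.
release_all() {
  version="$1"; shift
  publish_package "@example/core" "packages/core" "$version" || return 1
  wait_for_package "@example/core" "$version" || return 1
  for name in "$@"; do
    publish_package "$name" "packages/${name#*/}" "$version" || return 1
  done
}
```

Because every publish runs inside this one step, ACTIONS_ID_TOKEN_REQUEST_URL stays reachable for each call, and a re-run after a partial failure only publishes what is still missing.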
fi

echo "Package not yet available, waiting 10 seconds..."
sleep 10
Contributor


I don't know how short-lived this token is, so I wonder if it might help to shorten the wait, if you haven't tried this yet.

@leoromanovsky leoromanovsky merged commit cb89658 into main Mar 3, 2026
4 checks passed
@leoromanovsky leoromanovsky deleted the fix/oidc-skip-published branch March 3, 2026 22:51