fix: Update repository URLs for npm OIDC publishing #483

Merged: azu merged 1 commit into master from fix/npm-oidc-repository-url on Sep 8, 2025
azu commented Sep 8, 2025

Summary

This PR fixes npm OIDC (OpenID Connect) publishing failures by updating repository URLs in package.json files to match the expected provenance information.

The main issue was with @honkit/markup-it package, which had outdated repository URLs pointing to GitbookIO repositories. When publishing with npm's new OIDC provenance verification, the mismatch between the package.json repository URL and the actual GitHub repository caused publishing to fail with a 422 error.

Changes

Critical Fix

  • @honkit/markup-it: Updated repository URL from git+https://github.com/GitbookIO/draft-markup.git to https://github.com/honkit/honkit.git
    • Also updated homepage and bugs URLs for consistency
    • This package is published to npm and requires correct URLs for OIDC provenance

Consistency Update

  • font-awesome (theme-default): Updated repository URLs from FortAwesome to honkit/honkit
    • This is an internal package that is NOT published to npm
    • Changed for repository consistency only

Context

The error encountered during npm publish:

npm error 422 Unprocessable Entity - PUT https://registry.npmjs.org/@honkit%2fmarkup-it
Error verifying sigstore provenance bundle: Failed to validate repository information:
package.json: "repository.url" is "git+https://github.com/GitbookIO/draft-markup.git",
expected to match "https://github.com/honkit/honkit" from provenance

Test Plan

  • Verify @honkit/markup-it can be published successfully with npm OIDC provenance
  • Confirm no regression in local development workflow
  • Ensure theme-default continues to work correctly (internal package, not published)

🤖 Generated with Claude Code

Co-Authored-By: Claude [email protected]

- Update @honkit/markup-it package.json repository URL from GitbookIO to honkit/honkit
- Update font-awesome package.json for consistency (not published to npm)
- Fixes npm publish error: repository.url must match GitHub Actions environment

github-actions bot commented Sep 8, 2025

📦 NPM Package Status

Published Packages Missing OIDC Configuration

Configure OIDC for these packages:

Setup Instructions:

  1. Click each package link above
  2. Click "Add trusted publisher"
  3. Configure with:
    • Repository: honkit/honkit
    • Workflow: .github/workflows/release.yml
    • Environment: (leave empty)

azu added the "Type: CI" label (Changes to CI configuration files and scripts) Sep 8, 2025
azu marked this pull request as ready for review September 8, 2025 13:52
azu merged commit c34a280 into master Sep 8, 2025
21 checks passed
azu deleted the fix/npm-oidc-repository-url branch September 8, 2025 13:59
@github-actions github-actions bot mentioned this pull request Sep 8, 2025
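
As an added example (not part of this PR or of HonKit's code), a pre-publish check for the mismatch behind the 422 error: it normalizes each package.json `repository` value and compares it with the repository the release workflow runs in. The function names, the sample manifests and the normalization rules are assumptions; npm's own comparison may differ.

```javascript
// Added example, not HonKit's code. Assumption: a "git+" prefix, a trailing
// ".git" and a trailing "/" are ignored; everything else must match exactly.
function normalizeRepoUrl(repository) {
  // package.json allows either a string or an object with a "url" key.
  const raw = typeof repository === "string" ? repository : repository && repository.url;
  if (typeof raw !== "string" || raw.trim() === "") return null;
  let url = raw.trim().replace(/^git\+/, "");
  // Shorthand forms: "github:owner/repo" and "owner/repo".
  const short = url.match(/^(?:github:)?([\w.-]+\/[\w.-]+)$/);
  if (short) url = "https://github.com/" + short[1];
  // SSH forms: "git@github.com:owner/repo" and "ssh://git@github.com/owner/repo".
  url = url.replace(/^(?:ssh:\/\/)?git@github\.com[:/]/, "https://github.com/");
  url = url.replace(/^git:\/\//, "https://");
  return url.replace(/\/+$/, "").replace(/\.git$/, "");
}

// expectedRepo is "owner/name", the value GitHub Actions exposes as GITHUB_REPOSITORY.
function findProvenanceMismatches(manifests, expectedRepo) {
  const expected = "https://github.com/" + expectedRepo;
  const problems = [];
  for (const pkg of manifests) {
    if (pkg.private === true) continue; // never published, so never verified
    const actual = normalizeRepoUrl(pkg.repository);
    // A missing repository field (actual === null) is reported as well.
    if (actual !== expected) problems.push({ name: pkg.name, actual, expected });
  }
  return problems;
}

// Constructed manifests. The @honkit/markup-it URLs are the ones quoted in the
// PR; "example-internal-pkg" is a hypothetical unpublished package.
const stale = {
  name: "@honkit/markup-it",
  repository: { type: "git", url: "git+https://github.com/GitbookIO/draft-markup.git" },
};
const fixed = {
  name: "@honkit/markup-it",
  repository: { type: "git", url: "https://github.com/honkit/honkit.git" },
};
const internal = { name: "example-internal-pkg", private: true, repository: "github:example/upstream" };

console.log(findProvenanceMismatches([stale, internal], "honkit/honkit")); // one entry
console.log(findProvenanceMismatches([fixed, internal], "honkit/honkit")); // empty
```

Run against the parsed package.json of every workspace package before `npm publish`, a non-empty result is a reason to fail the release job early.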