Skip to content

publish: retry post-publish install for registry propagation lag#6

Merged
chinmaygit merged 4 commits into
mainfrom
agitated-payne-2a54d3
Jul 5, 2026
Merged

publish: retry post-publish install for registry propagation lag#6
chinmaygit merged 4 commits into
mainfrom
agitated-payne-2a54d3

Conversation

@chinmaygit

Copy link
Copy Markdown
Owner

Summary

  • Follow-up to publish: move constitution-cli off GitHub Packages to public npm #5. The publish run for constitution-cli@0.17.5 succeeded, but the post-publish smoke test's immediate npm install 404'd — npm's registry had a short propagation window before the freshly published version became installable.
  • Wraps the smoke test's npm install in a retry loop (6 attempts, linear backoff up to 60s) so the workflow survives that race instead of failing a successful publish.
  • Also fixed a stale comment in publish.yml still referencing the old @chinmaygit scope.

Test plan

  • constitution audit / constitution firewall clean (pre-commit hook)
  • Next merge to main (no version bump, so publish step no-ops) exercises the retry-wrapped verify step against the already-published 0.17.5 — should pass on first attempt

🤖 Generated with Claude Code

chinmaygit and others added 4 commits July 5, 2026 15:34
…coped

GitHub Packages requires an auth token to install even public packages —
a platform limitation, not a visibility choice. Publishing to npmjs.org
as unscoped `constitution-cli` lets anyone `npm install` with no token.
Also updates install docs to recommend a local devDependency + npx over
a global install, so the engine version stays pinned per-repo.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
First install of a freshly published package can 404 for a short window
before npm's CDN catches up (seen on the constitution-cli@0.17.5 publish
run). Retry with backoff instead of failing the smoke test on the race.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Removes the long-lived npm automation token in favor of GitHub OIDC —
npmjs.org now trusts this exact repo + workflow file to mint a
short-lived publish token per run. Adds id-token: write permission,
bumps npm CLI (trusted publishing needs >= 11.5.1), and publishes with
--provenance for the attestation.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@chinmaygit chinmaygit merged commit 48c5593 into main Jul 5, 2026
2 checks passed
@chinmaygit chinmaygit deleted the agitated-payne-2a54d3 branch July 5, 2026 14:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant