Skip to content

Publish arsenal to GitHub Packages and npm on release#2657

Open
delthas wants to merge 2 commits into
development/8.4from
improvement/ARSN-605/publish-to-github-packages
Open

Publish arsenal to GitHub Packages and npm on release#2657
delthas wants to merge 2 commits into
development/8.4from
improvement/ARSN-605/publish-to-github-packages

Conversation

@delthas

@delthas delthas commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Summary

Builds on the manual release workflow from ARSN-604 (#2656): on release, build and dual-publish @scality/arsenal to GitHub Packages and npmjs. arsenal is a public, Apache-2.0 library, so per the DevEx TAD it goes to both registries. Non-breaking — existing git-dependency consumers (cloudserver, backbeat, vault2) are untouched; migrating them to the registry is a later, organic step.

release.yaml is split into jobs so the build is produced once and each publish can be retried independently of it and of the other:

  • build — after the branch / version / tag guards: install, yarn build, npm pack, generate a signed build-provenance attestation for the tarball (actions/attest-build-provenance), and upload the .tgz as the artifact.
  • publish-github — download the tarball and publish it to GitHub Packages with the built-in GITHUB_TOKEN.
  • publish-npm — publish the same tarball to npmjs via OIDC trusted publishing (id-token: write, no stored token) with --provenance.
  • release — create the GitHub release + tag, linking to both packages.

Both publish jobs use the committed package.json version (no auto-bump), check the registry with npm view first and skip if that version is already published — so a partial dual-publish can be re-run cleanly — and publish under a v<major.minor> dist-tag so an older release line never moves latest. Building and packing once, then attesting and publishing the same tarball to both registries, gives a single GitHub attestation (gh attestation verify <tarball> --repo scality/Arsenal) covering whatever lands in either registry, plus npm-native provenance on npmjs.

Name: committed, not stamped

package.json is renamed to @scality/arsenal directly — no publish-time name stamp / jq. Git-dependency consumers resolve arsenal by their dependency key, not the package's name, so committing the scoped name keeps require('arsenal') working for cloudserver/backbeat/vault2 (verified end-to-end: real arsenal committed as @scality/arsenal, consumed under the unchanged bare arsenal git key, installs to node_modules/arsenal and resolves both bare and deep arsenal/build/... imports). package.json also drops private and adds types/files + publishConfig.access: public. The version stays committed / manually bumped — auto-stamping is deferred to a later step.

The workflow tests under tests/workflows stub the publish path, so the guard coverage is unchanged.

Prerequisite (npmjs trusted publishing)

The npm publish uses OIDC trusted publishing — no NPM_TOKEN. Before the first npm release, a trusted publisher must be registered for @scality/arsenal: GitHub org scality, repo Arsenal, workflow release.yaml (the same setup Sylvain did for @scality/cloudserverclient). Since @scality/arsenal isn't on npm yet, bootstrap it one of two ways:

  • One-time manual publish by anyone with @scality publish rights (yarn build && npm publish --access public) to create the package, then register the trusted publisher. That first version has no provenance (local publish); the workflow provenance-signs every release after it and skips the bootstrapped version via its npm view check.
  • Org-level trusted publishing, if the @scality npm org allows creating packages via OIDC — then the first workflow run creates it, no manual step.

GitHub Packages needs no bootstrap (built-in GITHUB_TOKEN).

Aligned with the DevEx initiative (S3C-9725); mirrors the dual-publish model of hdclient / cloudserverclient.

Issue: ARSN-605

@bert-e

bert-e commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Hello delthas,

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options
name description privileged authored
/after_pull_request Wait for the given pull request id to be merged before continuing with the current one.
/bypass_author_approval Bypass the pull request author's approval
/bypass_build_status Bypass the build and test status
/bypass_commit_size Bypass the check on the size of the changeset TBA
/bypass_incompatible_branch Bypass the check on the source branch prefix
/bypass_jira_check Bypass the Jira issue check
/bypass_peer_approval Bypass the pull request peers' approval
/bypass_leader_approval Bypass the pull request leaders' approval
/approve Instruct Bert-E that the author has approved the pull request. ✍️
/create_pull_requests Allow the creation of integration pull requests.
/create_integration_branches Allow the creation of integration branches.
/no_octopus Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
/unanimity Change review acceptance criteria from one reviewer at least to all reviewers
/wait Instruct Bert-E not to run until further notice.
Available commands
name description privileged
/help Print Bert-E's manual in the pull request.
/status Print Bert-E's current status in the pull request TBA
/clear Remove all comments from Bert-E from the history TBA
/retry Re-start a fresh build TBA
/build Re-start a fresh build TBA
/force_reset Delete integration branches & pull requests, and restart merge process from the beginning.
/reset Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

@scality scality deleted a comment from bert-e Jun 29, 2026
@bert-e

bert-e commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Request integration branches

Waiting for integration branch creation to be requested by the user.

To request integration branches, please comment on this pull request with the following command:

/create_integration_branches

Alternatively, the /approve and /create_pull_requests commands will automatically
create the integration branches.

@codecov

codecov Bot commented Jun 29, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 74.00%. Comparing base (364e032) to head (54cde5f).
⚠️ Report is 4 commits behind head on development/8.4.

Additional details and impacted files
@@                 Coverage Diff                 @@
##           development/8.4    #2657      +/-   ##
===================================================
- Coverage            74.03%   74.00%   -0.03%     
===================================================
  Files                  229      229              
  Lines                18503    18503              
  Branches              3845     3820      -25     
===================================================
- Hits                 13699    13694       -5     
- Misses                4799     4804       +5     
  Partials                 5        5              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@delthas delthas force-pushed the improvement/ARSN-605/publish-to-github-packages branch 4 times, most recently from c06db2c to 2b07c4a Compare July 3, 2026 08:03
Comment thread .github/workflows/release.yaml Outdated
@delthas delthas force-pushed the improvement/ARSN-605/publish-to-github-packages branch from 2b07c4a to ba6a25d Compare July 3, 2026 08:10
@delthas delthas marked this pull request as ready for review July 3, 2026 08:12
@delthas delthas requested review from a team, benzekrimaha and maeldonn July 3, 2026 08:13
Comment thread .github/workflows/release.yaml Outdated
Reformat tests/workflows/release.spec.ts (added in ARSN-604) to satisfy
the prettier check, in a standalone commit so the functional ARSN-605
change stays prettier-clean.

Issue: ARSN-605
@delthas delthas force-pushed the improvement/ARSN-605/publish-to-github-packages branch from ba6a25d to 7d72e9c Compare July 3, 2026 08:37
Comment thread .github/workflows/release.yaml Outdated
Comment thread .github/workflows/release.yaml
Comment thread .github/workflows/release.yaml
Comment thread .github/workflows/release.yaml
Comment thread .github/workflows/release.yaml Outdated
@delthas delthas force-pushed the improvement/ARSN-605/publish-to-github-packages branch 4 times, most recently from 3946f2a to 24ffbc9 Compare July 3, 2026 13:04
@delthas delthas changed the title Publish arsenal to GitHub Packages on release Publish arsenal to GitHub Packages and npm on release Jul 3, 2026
@delthas delthas force-pushed the improvement/ARSN-605/publish-to-github-packages branch 2 times, most recently from 6a85917 to 45f5079 Compare July 3, 2026 14:07
@scality scality deleted a comment from bert-e Jul 3, 2026
@delthas delthas requested review from francoisferrand and removed request for francoisferrand July 3, 2026 14:08
@delthas delthas force-pushed the improvement/ARSN-605/publish-to-github-packages branch from 45f5079 to dece6b0 Compare July 3, 2026 14:27
Comment thread .github/workflows/release.yaml Outdated
Comment thread .github/workflows/release.yaml
@delthas delthas requested a review from francoisferrand July 3, 2026 14:39
Extend the manual release workflow (ARSN-604) to build and dual-publish
@scality/arsenal (a public, Apache-2.0 library) to GitHub Packages and
npmjs, split into jobs so the build is produced once and each publish
can be retried independently of it and of the other:

- build: after the branch/version/tag guards, install, build, pack the
  tarball, generate a signed build-provenance attestation for it
  (actions/attest-build-provenance), and upload it as the artifact.
- publish-github: download the tarball and publish it to GitHub Packages
  with the built-in GITHUB_TOKEN.
- publish-npm: publish the same tarball to npmjs via OIDC trusted
  publishing (id-token, no stored token) with --provenance.
- release: create the GitHub release, linking to both packages.

Both publish jobs use the committed package.json version (no auto-bump),
check the registry with npm view first and skip if that version is
already published (so a partial dual-publish can be re-run cleanly), and
publish under a v<major.minor> dist-tag so an older release line never
moves the latest tag. Building and packing once, then attesting and
publishing the same tarball to both registries, yields a single GitHub
attestation covering whatever lands in either registry, plus npm-native
provenance on npmjs.

package.json is renamed to @scality/arsenal, drops the private flag, and
gains types, files and publishConfig.access: public. The scoped name is
committed directly rather than stamped at publish time: git-dependency
consumers resolve arsenal by their dependency key, not the package name,
so committing @scality/arsenal keeps require('arsenal') working for the
current git consumers (verified) while making the published package
correctly scoped. Token permissions are scoped per job. The workflow
tests stub the publish path so the guard coverage is unchanged.

Issue: ARSN-605
@delthas delthas force-pushed the improvement/ARSN-605/publish-to-github-packages branch from dece6b0 to 54cde5f Compare July 3, 2026 16:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants