From a3492173b45dbcb8478b9fe911b4b2fb7ecce543 Mon Sep 17 00:00:00 2001 From: Joao Henrique Machado Silva Date: Mon, 1 Jun 2026 22:37:13 +0200 Subject: [PATCH] docs(release-secrets): document sqlrite-notes trusted publisher + Repository-field gotcha (SQLR-13) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The sqlrite-notes npm trusted publisher had its Repository field set to the package's npmjs access-page URL instead of the bare repo name, so the OIDC subject claim (repo:joaoh82/rust_sqlite:environment:release) never matched the record and every publish-notes-example run failed with "OIDC token exchange error - package not found". It only surfaced once #156 made the release idempotent and a re-dispatch finally attempted the first-ever sqlrite-notes publish. - §3c: mark the trusted publisher resolved (first shipped at 0.11.0) and add a gotcha callout — set Repository to exactly `rust_sqlite`, no owner prefix, no URL. - §3b: strengthen the canonical Repository-field note to warn against pasting a URL (not just the owner-prefixed form), pointing at §3c. Co-Authored-By: Claude Opus 4.8 (1M context) --- docs/release-secrets.md | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/docs/release-secrets.md b/docs/release-secrets.md index 062d78e..a8b1f65 100644 --- a/docs/release-secrets.md +++ b/docs/release-secrets.md 
@@ -163,8 +163,12 @@ For each placeholder you just published: 3. **Add publisher**: - **Publisher**: GitHub Actions - **Organization or user**: `joaoh82` - - **Repository**: `rust_sqlite` *(repo basename, not - `joaoh82/rust_sqlite` — npm prepends the owner field)* + - **Repository**: `rust_sqlite` *(repo basename only — not + `joaoh82/rust_sqlite` (npm prepends the owner field), and + definitely not a full URL like the package's + `npmjs.com/package/…/access` page. Pasting that URL into this + field is exactly what silently broke the `sqlrite-notes` + publish — see §3c.)* - **Workflow filename**: `release.yml` *(basename, not `.github/workflows/release.yml`)* - **Environment**: `release` *(case-sensitive — must match the @@ -233,6 +237,24 @@ and amend the repo per the note above. **Verify**: status flips from "pending" to "active" after the first successful CI publish. +**Status (resolved — SQLR-13, June 2026):** `sqlrite-notes` is +configured and publishing via OIDC; it shipped its first real version +at `0.11.0`. + +> **Gotcha that bit us (SQLR-13):** the trusted-publisher **Repository** +> field had been set to the package's npmjs access-page URL +> (`https://www.npmjs.com/package/sqlrite-notes/access`) instead of the +> bare repo name. The OIDC subject claim the workflow sends is +> `repo:joaoh82/rust_sqlite:environment:release`, so it didn't match the +> record, and every `publish-notes-example` run failed with `OIDC token +> exchange error - package not found` (npm's misleading 404 for "no +> trusted publisher matches your token's claims"). This surfaced only +> when [#156](https://github.com/joaoh82/rust_sqlite/pull/156) made the +> release idempotent and a re-dispatch finally *attempted* the +> first-ever `sqlrite-notes` publish — before that, the wave had always +> died earlier and never reached this job. **Fix:** Edit the publisher +> and set Repository to exactly `rust_sqlite` — no owner prefix, no URL. + --- ## 4. GitHub `release` environment
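Review bot: In the first hunk (the §3b Repository bullet, line 166 of the new file), "silently broke" contradicts the second hunk, which records that every run failed loudly with `OIDC token exchange error - package not found`; what is silent is the npm form, which accepts an owner-prefixed name or a full URL without validation. Suggest rewording to "npm accepts that URL without complaint, but the publisher then never matches the workflow's OIDC subject claim (see §3c)", and consider dropping the nested parentheses inside the italic aside, which now run five lines and are hard to scan in the rendered list.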
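Review bot: The §3c callout in the second hunk ends at "set Repository to exactly `rust_sqlite`" without saying how to confirm the repair; the "**Verify**" line just above it already gives the signal (status flips from "pending" to "active" after the first successful publish), so add "then re-dispatch `publish-notes-example` and confirm the publisher status reads active" to the **Fix** sentence. It would also help readers to note that a mismatched Repository value fails closed (the token is rejected and nothing is published, as the failed runs show), so the remedy is always to make the field match the claim `repo:joaoh82/rust_sqlite:environment:release` exactly, never to loosen the publisher's scope to make the error go away.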