Merged
26 changes: 24 additions & 2 deletions docs/release-secrets.md
Expand Up @@ -163,8 +163,12 @@ For each placeholder you just published:
3. **Add publisher**:
- **Publisher**: GitHub Actions
- **Organization or user**: `joaoh82`
- **Repository**: `rust_sqlite` *(repo basename, not
`joaoh82/rust_sqlite` — npm prepends the owner field)*
- **Repository**: `rust_sqlite` *(repo basename only — not
`joaoh82/rust_sqlite` (npm prepends the owner field), and
definitely not a full URL like the package's
`npmjs.com/package/…/access` page. Pasting that URL into this
field is exactly what silently broke the `sqlrite-notes`
publish — see §3c.)*
- **Workflow filename**: `release.yml` *(basename, not
`.github/workflows/release.yml`)*
- **Environment**: `release` *(case-sensitive — must match the
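Review bot: "silently broke" in the new Repository parenthetical does not match the note added in the second hunk, which says every `publish-notes-example` run failed with `OIDC token exchange error - package not found`. Suggest dropping "silently" and quoting that error string here, so a search for the error lands on the field that causes it. The parenthetical is also now six lines with a nested parenthesis inside one italic span; trimming it to "repo basename only, no owner prefix, no URL" plus the §3c pointer would keep the field list scannable and leave the incident detail in one place.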
Expand Down Expand Up @@ -233,6 +237,24 @@ and amend the repo per the note above.
**Verify**: status flips from "pending" to "active" after the
first successful CI publish.

**Status (resolved — SQLR-13, June 2026):** `sqlrite-notes` is
configured and publishing via OIDC; it shipped its first real version
at `0.11.0`.

> **Gotcha that bit us (SQLR-13):** the trusted-publisher **Repository**
> field had been set to the package's npmjs access-page URL
> (`https://www.npmjs.com/package/sqlrite-notes/access`) instead of the
> bare repo name. The OIDC subject claim the workflow sends is
> `repo:joaoh82/rust_sqlite:environment:release`, so it didn't match the
> record, and every `publish-notes-example` run failed with `OIDC token
> exchange error - package not found` (npm's misleading 404 for "no
> trusted publisher matches your token's claims"). This surfaced only
> when [#156](https://github.com/joaoh82/rust_sqlite/pull/156) made the
> release idempotent and a re-dispatch finally *attempted* the
> first-ever `sqlrite-notes` publish — before that, the wave had always
> died earlier and never reached this job. **Fix:** Edit the publisher
> and set Repository to exactly `rust_sqlite` — no owner prefix, no URL.

---

## 4. GitHub `release` environment
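Review bot: the **Fix** sentence closing the SQLR-13 blockquote covers only the Repository field, but the error it explains is described as npm's 404 for "no trusted publisher matches your token's claims", which is not specific to that one field. The subject claim quoted in the same note also carries `environment:release`, and the publisher list in the first hunk marks Environment as case-sensitive and Workflow filename as basename-only, so suggest the fix tell the reader to recheck those fields as well when they see `package not found`. Minor: #156 is linked but SQLR-13 is not; if that tracker is reachable by readers of this doc, link it for consistency.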