mirror of
https://github.com/pnpm/pnpm.git
synced 2026-07-14 17:52:44 -04:00
The Rust release workflow authenticated every publish via npm trusted publishing, but npm allows a single trusted publisher per package and `pnpm` / `@pnpm/exe` have theirs bound to release.yml (the v11 TS releases). The OIDC token exchange therefore returned 404, pnpm skipped OIDC, and the unauthenticated PUT failed with E404. Split the publish into two steps: 1. The `@pnpm/exe.<target>` natives are published only from this workflow, so they keep trusted publishing and go live directly. 2. The `pnpm` and `@pnpm/exe` wrappers are staged with `pnpm stage publish` using the static NPM_TOKEN. Nothing goes live from CI for those two names; a maintainer promotes them with `pnpm stage approve <stage-id> --otp`, which is where the proof-of-presence is consumed. Stage ids are teed into the job summary for the approver. The steps must stay separate because `pnpm publish` skips OIDC as soon as a static _authToken is configured (pnpm/pnpm#11495). `--provenance` keeps working in both steps: it needs only the `id-token: write` OIDC token, not trusted publishing. `set -o pipefail` guards the tee pipe because the runner's default bash is -e without pipefail.