Skip to content

ci(release): mirror npm publish to @shep.bot scope#598

Closed
arielshad wants to merge 1 commit into
mainfrom
ci/npm-publish-shepbot-mirror
Closed

ci(release): mirror npm publish to @shep.bot scope#598
arielshad wants to merge 1 commit into
mainfrom
ci/npm-publish-shepbot-mirror

Conversation

@arielshad

Copy link
Copy Markdown
Contributor

Summary

Mirrors every npm publish (dev prerelease + production stable release) to a second scope, @shep.bot/cli, alongside the canonical @shepai/cli. Fully additive and backward compatible — existing users keep installing @shepai/cli unchanged.

This is also a hedge against the current dev-release outage (the primary NPM_TOKEN was revoked sometime between 14:57 and 17:00 UTC on 2026-05-03, blocking all dev releases until rotated). With this PR, even when one token misbehaves, the other keeps publishing.

What changed

.github/workflows/ci.yml — purely additive (111 inserts, 0 deletes):

  1. New parallel job dev-release-shepbot (PRs only)

    • Same needs: list as dev-release, runs in parallel.
    • Uses a separate secret NPM_TOKEN_SHEPBOT.
    • Swaps the package name in-job via npm pkg set name='@shep.bot/cli', then publishes with --tag dev.
    • continue-on-error: true at the job level — a misconfigured token cannot block PR merges.
    • Posts its own PR comment with comment-tag: dev-release-shepbot (independent from the existing @shepai comment).
  2. Final mirror step in the existing release job (main pushes only)

    • Captures the pre-release version, runs semantic-release as today, then mirror-publishes if and only if the version actually bumped (so PRs that merge with no releasable changes do not re-publish).
    • continue-on-error: true — a failed mirror does not break the canonical @shepai/cli release.

Both publish paths guard against an unset NPM_TOKEN_SHEPBOT secret with a warning + clean exit, so the workflow does not break on first run before the secret is configured.

Required follow-up (not in this PR)

  • On npmjs.com, generate a granular access token with publish access to the @shep.bot org.
  • Add it to repo secrets as NPM_TOKEN_SHEPBOT.
  • Separately, rotate NPM_TOKEN to fix the canonical @shepai/cli outage.

Test plan

  • Open this PR — confirm the new Dev Release (shep.bot mirror) check appears and passes (or warns + exits cleanly if NPM_TOKEN_SHEPBOT is unset).
  • Confirm the existing Dev Release check is unchanged.
  • After merge to main, confirm the production Release job runs the new mirror step and either publishes @shep.bot/cli@<version> or warns + exits cleanly.

🤖 Generated with Claude Code

Mirrors every npm publish (dev prerelease + production stable release)
to a second scope, @shep.bot/cli, alongside the canonical @shepai/cli.
Fully additive and backward compatible — existing users keep installing
@shepai/cli unchanged. The mirror is also a hedge against the current
dev-release outage (the primary @shepai npm token was revoked sometime
between 14:57 and 17:00 today, blocking all dev releases until rotated).

Two changes in .github/workflows/ci.yml:

1. New parallel job dev-release-shepbot, runs on PRs with the same
   needs: list as dev-release. Uses a separate secret NPM_TOKEN_SHEPBOT,
   swaps the package name in-job via npm pkg set, publishes with
   --tag dev. continue-on-error: true at the job level keeps it from
   blocking PR merges while the new token / org settle. Posts its own
   PR comment with comment-tag dev-release-shepbot so it does not
   collide with the existing @shepai PR comment.

2. Final mirror step in the existing release job. Captures the
   pre-release version, runs semantic-release as today, then mirror-
   publishes if and only if the version actually bumped (so PRs that
   merge with no releasable changes do not re-publish). Uses
   continue-on-error so a failed mirror does not break the canonical
   release.

Both publish paths guard against an unset NPM_TOKEN_SHEPBOT secret with
a warning + clean exit, so the workflow does not break on first run
before the secret is configured.

Required follow-up (manual, not in this PR):
- generate a granular npm token with publish access to the @shep.bot
  org on npmjs.com
- add it to repo secrets as NPM_TOKEN_SHEPBOT
- separately rotate NPM_TOKEN to fix the canonical @shepai/cli outage

Co-Authored-By: Shep Bot <shep-agent@users.noreply.github.com>
@github-actions

github-actions Bot commented May 3, 2026

Copy link
Copy Markdown
Contributor

Dev Release Published — @shep.bot mirror

Artifact Version Install
npm 1.198.0-pr598.41caa6d npm install -g @shep.bot/cli@1.198.0-pr598.41caa6d

Mirror publish from commit f904b60 | View CI

@arielshad arielshad closed this May 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant