
ci: add OIDC canary publish to release.yml via workflow_dispatch #1352

Merged
kiroushi merged 3 commits into main from kiroushi/canary-release-via-oidc
Jun 17, 2026

Conversation

@kiroushi (Member) commented Jun 17, 2026

What

Adds a manual canary publish to release.yml via workflow_dispatch, and removes the standalone release-canary.yml (and its build-label mechanism).

Why

The canary must publish from release.yml to use npm's OIDC trusted publisher — npm allows exactly one trusted publisher per package (one repo + one workflow file), and checkly's is release.yml. The old release-canary.yml was a separate workflow using a classic NODE_AUTH_TOKEN; that token was retired when the package moved to OIDC, so the canary has failed on every PR since.

A label trigger is a non-starter: pull_request: labeled would fire release.yml on every label on every PR (jobs skip, but the release pipeline is still invoked). A manual workflow_dispatch keeps release.yml triggered only by a real release or an explicit dispatch.

Changes

  • release.yml: add workflow_dispatch (input tag, default experimental) and a canary job (if: github.event_name == 'workflow_dispatch') that publishes 0.0.0-canary.<sha> of the dispatched branch via id-token: write + npm publish --provenance — no token. Release-event jobs gate on github.event_name == 'release'; dispatch runs cascade-skip them via needs: validate-tag.
  • run-name distinguishes Canary build - <branch> from Release <tag> in the Actions list.
  • Delete release-canary.yml.

Usage

gh workflow run release.yml --ref <branch> [-f tag=<dist-tag>]

Verification / caveat

Depends on the checkly npm trusted-publisher config (maintainer-owned on npmjs.com) accepting OIDC from a workflow_dispatch run of release.yml, and not being environment-scoped to the release/production job — the canary job has no environment, by design. Verify with one dispatch.
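As an added illustration (not the project's release.yml, which this PR page does not show), the following GitHub Actions fragment has the shape the description above lays out: a release trigger plus a manual workflow_dispatch with a tag input defaulting to experimental, a run-name that tells canary dispatches from releases apart, release-event jobs gated on github.event_name == 'release' so that a dispatch cascade-skips them through needs: validate-tag, and a canary job that gets id-token: write and publishes 0.0.0-canary.<sha> with --provenance and no token. The release trigger type, the production environment on the release job, the job name publish, the checkout/setup-node versions, the Node version, the seven-character short sha and the npm self-upgrade step are assumptions of this example, not facts from the page.

```yaml
# Added example, not the project's release.yml: shape of a release workflow
# with a manual OIDC canary, following the PR description above.
name: Release

on:
  release:
    types: [published]   # assumption: the real release trigger type is not on the page
  workflow_dispatch:
    inputs:
      tag:
        description: npm dist-tag to publish the canary under
        default: experimental
        required: false

# Tell canary dispatches from real releases apart in the Actions list
run-name: ${{ github.event_name == 'workflow_dispatch' && format('Canary build - {0}', github.ref_name) || format('Release {0}', github.event.release.tag_name) }}

permissions:
  contents: read

jobs:
  validate-tag:
    # Only real releases run this; on a dispatch it is skipped, and every job
    # that `needs` it is skipped with it (the cascade the PR relies on).
    if: github.event_name == 'release'
    runs-on: ubuntu-latest
    steps:
      - run: echo "validating release tag ${{ github.event.release.tag_name }}"  # placeholder for the real checks

  publish:
    needs: validate-tag            # cascade-skipped on workflow_dispatch
    runs-on: ubuntu-latest
    environment: production        # assumption: the release job is environment-scoped
    permissions:
      contents: read
      id-token: write              # OIDC trusted publisher, no NODE_AUTH_TOKEN
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest   # assumption: trusted publishing needs a recent npm CLI
      - run: npm ci
      - run: npm publish --provenance

  canary:
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    # Deliberately no `environment:` here; the npm trusted-publisher config
    # must therefore not be bound to the production environment.
    permissions:
      contents: read
      id-token: write              # same OIDC trusted publisher as the release job
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest
      - run: npm ci
      - name: Stamp the canary version (short sha is this example's choice)
        run: npm version "0.0.0-canary.${GITHUB_SHA::7}" --no-git-tag-version
      - name: Publish under the requested dist-tag in one authenticated call
        run: npm publish --provenance --tag "${{ inputs.tag }}"
```

With this layout, `gh workflow run release.yml --ref <branch> -f tag=<dist-tag>` leaves validate-tag and publish skipped and runs only canary, while a real release runs validate-tag and publish and leaves canary skipped. The dist-tag is passed to `npm publish --tag` rather than set afterwards with `npm dist-tag add`, because only the publish call is what the OIDC token authenticates. What remains to confirm on the npm side is the caveat above: the package's single trusted publisher must accept a workflow_dispatch run of release.yml and must not be scoped to the production environment, since the canary job has none.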

npm trusted publishing allows exactly one trusted publisher per package (one
repo + one workflow file), and checkly's slot is release.yml — which is why the
normal release publishes via OIDC + --provenance.

release-canary.yml was a separate workflow using a classic NODE_AUTH_TOKEN. That
token was retired when the package moved to OIDC, so a separate workflow could no
longer authenticate and the canary has failed on every PR since.

Fold the canary job into release.yml so it inherits the trusted publisher:
- add a `pull_request: [labeled]` trigger; the release-event jobs now gate on
  `github.event_name == 'release'` (PR events cascade-skip via needs: validate-tag).
- the canary job publishes 0.0.0-pr.<N>.<sha> with id-token + --provenance (no
  token), tagged `experimental` — or a `canary:<tag>` label's tag, applied at
  publish time (trusted publishing authenticates `npm publish`, not a separate
  `npm dist-tag add`).
- remove release-canary.yml.
@kiroushi kiroushi force-pushed the kiroushi/canary-release-via-oidc branch from 6d1f488 to cb1e556 June 17, 2026 12:19

kiroushi added 2 commits June 17, 2026 14:21

Add a run-name expression so PR-label canary runs render as
'Canary build - PR #<n> (<branch>)' and release-event runs as 'Release <tag>',
instead of the default commit-subject run name.

A pull_request:labeled trigger fired release.yml on every label on every PR
(jobs skipped, but the release workflow was still invoked). Drop it: the canary
is now a manual workflow_dispatch (`gh workflow run release.yml --ref <branch>`,
optional `-f tag=`), publishing 0.0.0-canary.<sha> via the same OIDC trusted
publisher. release.yml now triggers only on a real release or an explicit
dispatch — never on labels. The build-label mechanism / release-canary.yml are
gone.
@kiroushi kiroushi changed the title ci: publish PR canaries via OIDC by folding them into release.yml ci: add OIDC canary publish to release.yml via workflow_dispatch Jun 17, 2026
@kiroushi kiroushi requested a review from sbezludny June 17, 2026 12:32
@kiroushi kiroushi merged commit 3397ed3 into main Jun 17, 2026
8 checks passed
@kiroushi kiroushi deleted the kiroushi/canary-release-via-oidc branch June 17, 2026 12:53

2 participants