@gjsify/cli 0.4.15 → 0.4.16

package/lib/commands/publish.d.ts

@@ -7,6 +7,8 @@ interface PublishOptions {
     provenance?: boolean;
     'dry-run'?: boolean;
     json?: boolean;
+    trusted?: boolean | 'auto';
+    'check-trusted'?: boolean;
 }
 export declare const publishCommand: Command<any, PublishOptions>;
 export {};

package/lib/commands/publish.js

@@ -37,6 +37,7 @@ import { homedir } from 'node:os';
 import { join, resolve } from 'node:path';
 import { DEFAULT_REGISTRY, parseNpmrc, registryFor, buildHeaders, } from '@gjsify/npm-registry';
 import { packWorkspace } from './pack.js';
+import { getNpmTrustedToken, hasGithubOidcEnv, OidcExchangeError, OidcUnavailableError, } from '../utils/npm-oidc.js';
 export const publishCommand = {
     command: 'publish [path]',
     description: 'Pack + upload the workspace at <path> (default: cwd) to its npm registry. Drop-in for `npm publish` with workspace:^ rewrite handled automatically.',
@@ -70,6 +71,19 @@ export const publishCommand = {
         description: 'Emit publish metadata as JSON on stdout.',
         type: 'boolean',
         default: false,
+    })
+        .option('trusted', {
+        description: 'Authenticate via npm Trusted Publishing (OIDC): exchange the GitHub Actions id-token for a short-lived npm token. ' +
+            'Pass `--trusted` to force this mode (errors if env vars missing). ' +
+            'Omit to auto-detect: OIDC is used iff `ACTIONS_ID_TOKEN_REQUEST_URL`+`_TOKEN` are set AND no `_authToken` is present in the resolved npmrc; otherwise the long-lived token path is used. ' +
+            'Requires the calling workflow to declare `permissions: id-token: write` AND the target package to have a Trusted Publisher configured on npmjs.com.',
+        type: 'boolean',
+        default: undefined,
+    })
+        .option('check-trusted', {
+        description: 'Diagnostic mode: perform the OIDC id-token request + npm token exchange, report success/failure, then exit WITHOUT publishing. Useful as a bulk-verifier (e.g. via `gjsify foreach publish --check-trusted`) to confirm Trusted Publisher config across many packages.',
+        type: 'boolean',
+        default: false,
     }),
     handler: async (args) => {
         const wsDir = resolve(args.path ?? process.cwd());
@@ -78,9 +92,56 @@ export const publishCommand = {
         const tolerate = args['tolerate-republish'] === true;
         const provenance = args.provenance === true;
         const dryRun = args['dry-run'] === true;
+        const checkTrustedOnly = args['check-trusted'] === true;
+        const trustedFlag = args.trusted;
+        const verbose = Boolean(process.env.GJSIFY_PUBLISH_DEBUG);
         if (provenance) {
             console.warn('gjsify publish: --provenance recorded but not signed (no sigstore integration yet).');
         }
+        // `--check-trusted` short-circuits the entire pack + publish flow.
+        // Reports the OIDC exchange result for the workspace's package and
+        // exits 0 either way — by design, so `gjsify foreach publish
+        // --check-trusted` walks every workspace without bailing on the
+        // first misconfigured one. CI can grep `^✗ ` (or parse `--json`
+        // entries with `ok: false`) to surface failures.
+        if (checkTrustedOnly) {
+            const rawPkgPath = join(wsDir, 'package.json');
+            const rawPkg = JSON.parse(readFileSync(rawPkgPath, 'utf-8'));
+            if (typeof rawPkg.name !== 'string') {
+                process.stderr.write(`gjsify publish --check-trusted: ${rawPkgPath} has no \`name\` field\n`);
+                process.exit(2);
+            }
+            if (rawPkg.private === true) {
+                const out = { ok: true, action: 'check-trusted', name: rawPkg.name, skipped: 'private' };
+                if (args.json)
+                    process.stdout.write(`${JSON.stringify(out)}\n`);
+                else
+                    process.stdout.write(`- ${rawPkg.name}: skipped (private package)\n`);
+                return;
+            }
+            const npmrcCheck = await loadNpmrc(wsDir);
+            const registry = process.env.npm_config_registry ?? registryFor(rawPkg.name, npmrcCheck) ?? DEFAULT_REGISTRY;
+            try {
+                await getNpmTrustedToken({
+                    packageName: rawPkg.name,
+                    registry,
+                    log: verbose ? (m) => console.error(m) : undefined,
+                });
+                const out = { ok: true, action: 'check-trusted', name: rawPkg.name, registry };
+                if (args.json)
+                    process.stdout.write(`${JSON.stringify(out)}\n`);
+                else
+                    process.stdout.write(`✓ ${rawPkg.name}: trusted publisher OK\n`);
+                return;
+            }
+            catch (err) {
+                handleOidcFailure(err, rawPkg.name, args.json === true);
+                // Report-mode: exit 0 so `gjsify foreach` keeps walking. The
+                // `✗ <name>: <reason>` (or JSON `ok:false`) line is the
+                // failure signal for CI to grep / parse.
+                return;
+            }
+        }
         // 1. Pack the workspace (rewrites workspace:^, computes integrity)
         const packOpts = { dryRun: true };
         const packed = await packWorkspace(wsDir, packOpts);
@@ -159,10 +220,45 @@ export const publishCommand = {
         const headers = buildHeaders(url, { npmrc });
         headers['content-type'] = 'application/json';
         headers['accept'] = '*/*';
-        if (process.env.GJSIFY_PUBLISH_DEBUG) {
+        // Trusted Publishing path. `--trusted` forces OIDC (errors if env
+        // vars are missing); the default `undefined` triggers auto-detect:
+        // OIDC is used iff GitHub OIDC env vars are present AND no
+        // `NODE_AUTH_TOKEN` is set. With `NODE_AUTH_TOKEN` set the user has
+        // explicitly opted into token auth, so we don't shadow their choice.
+        const wantTrusted = trustedFlag === true ||
+            (trustedFlag === undefined && hasGithubOidcEnv() && !process.env.NODE_AUTH_TOKEN);
+        let authMode = 'token';
+        if (wantTrusted) {
+            try {
+                const { token: oidcToken, audience } = await getNpmTrustedToken({
+                    packageName: packed.name,
+                    registry,
+                    log: verbose ? (m) => console.error(m) : undefined,
+                });
+                headers['authorization'] = `Bearer ${oidcToken}`;
+                authMode = 'oidc';
+                if (verbose) {
+                    console.error(`gjsify publish: OIDC token obtained (audience=${audience})`);
+                }
+            }
+            catch (err) {
+                if (trustedFlag === true) {
+                    // Explicit --trusted: bail with a clear error.
+                    handleOidcFailure(err, packed.name, args.json === true);
+                    process.exit(1);
+                }
+                // Auto-detect: fall back to whatever buildHeaders found.
+                if (verbose) {
+                    const msg = err instanceof Error ? err.message : String(err);
+                    console.error(`gjsify publish: OIDC auto-detect failed (${msg}) — falling back to token auth`);
+                }
+            }
+        }
+        if (verbose) {
             console.error(`gjsify publish: PUT ${url} (${packed.name}@${packed.version})`);
+            console.error(`  auth-mode:     ${authMode}`);
             console.error(`  authorization: ${headers['authorization'] ? '(set)' : '(none)'}`);
-            console.error(`  payload size: ${JSON.stringify(payload).length} bytes`);
+            console.error(`  payload size:  ${JSON.stringify(payload).length} bytes`);
         }
         const res = await fetch(url, {
             method: 'PUT',
@@ -317,3 +413,28 @@ function base64Encode(bytes) {
     }
     return btoa(str);
 }
+function handleOidcFailure(err, packageName, asJson) {
+    if (err instanceof OidcUnavailableError) {
+        const msg = `gjsify publish: OIDC not available — ${err.message}`;
+        if (asJson)
+            process.stdout.write(`${JSON.stringify({ ok: false, name: packageName, error: 'oidc-unavailable', reason: err.reason, message: err.message })}\n`);
+        else
+            process.stderr.write(`${msg}\n`);
+        return;
+    }
+    if (err instanceof OidcExchangeError) {
+        const friendly = err.status === 401 || err.status === 403
+            ? `npm rejected the OIDC exchange (${err.status}) — check that ${packageName} has a Trusted Publisher configured at https://www.npmjs.com/package/${encodeURIComponent(packageName)}/access pointing at this workflow.`
+            : err.message;
+        if (asJson)
+            process.stdout.write(`${JSON.stringify({ ok: false, name: packageName, error: 'oidc-exchange', status: err.status, body: err.body, message: err.message })}\n`);
+        else
+            process.stderr.write(`✗ ${packageName}: ${friendly}\n`);
+        return;
+    }
+    const msg = err instanceof Error ? err.message : String(err);
+    if (asJson)
+        process.stdout.write(`${JSON.stringify({ ok: false, name: packageName, error: 'unknown', message: msg })}\n`);
+    else
+        process.stderr.write(`✗ ${packageName}: ${msg}\n`);
+}

package/lib/utils/install-backend-native.js

@@ -71,6 +71,11 @@ export async function installPackagesNative(opts) {
     // behavior). Sub-deps are not included.
     return topLevelResolutions(opts.specs, nodes);
 }
+function errMsg(err) {
+    if (err instanceof Error)
+        return err.message;
+    return String(err);
+}
 function topLevelResolutions(specs, nodes) {
     // Top-level installs live at `node_modules/<name>` (no nesting). Build
     // a name → root-node lookup limited to the top-level set.
@@ -131,7 +136,12 @@ async function resolveDeps(specs, npmrc, log, overrides) {
         const cached = packumentCache.get(name);
         if (cached)
             return cached;
-        const fresh = fetchPackument(name, { npmrc });
+        const fresh = fetchPackument(name, {
+            npmrc,
+            onRetry: ({ attempt, error, delayMs }) => {
+                log("packument %s: retry %d after %dms (%s)", name, attempt, delayMs, errMsg(error));
+            },
+        });
         packumentCache.set(name, fresh);
         return fresh;
     };
@@ -455,6 +465,9 @@ async function extractOne(node, prefix, npmrc, log) {
     const bytes = await fetchTarball(node.tarballUrl, {
         npmrc,
         integrity: node.integrity,
+        onRetry: ({ attempt, error, delayMs }) => {
+            log("tarball %s@%s: retry %d after %dms (%s)", node.name, node.version, attempt, delayMs, errMsg(error));
+        },
     });
     fs.rmSync(dest, { recursive: true, force: true });
     fs.mkdirSync(dest, { recursive: true });

package/lib/utils/npm-oidc.d.ts

@@ -0,0 +1,53 @@
+interface OidcExchangeOptions {
+    /** Full package name including scope, e.g. `@gjsify/cli`. */
+    packageName: string;
+    /** Registry URL, e.g. `https://registry.npmjs.org`. */
+    registry: string;
+    /** Optional verbose logger — receives single-line strings. */
+    log?: (msg: string) => void;
+}
+export interface OidcExchangeResult {
+    /** Short-lived npm token (`Authorization: Bearer <token>`-compatible). */
+    token: string;
+    /** Audience used for the GitHub OIDC token request. */
+    audience: string;
+}
+export declare class OidcUnavailableError extends Error {
+    readonly reason: 'no-env' | 'fetch-id-token' | 'no-id-token';
+    constructor(message: string, reason: 'no-env' | 'fetch-id-token' | 'no-id-token');
+}
+export declare class OidcExchangeError extends Error {
+    readonly status: number;
+    readonly body: string;
+    readonly packageName: string;
+    constructor(message: string, status: number, body: string, packageName: string);
+}
+/**
+ * Probe whether OIDC publishing is available in the current process —
+ * cheap env-var check, no network access. Used by `gjsify publish` to
+ * decide between OIDC and token-based auth in auto-detect mode.
+ */
+export declare function hasGithubOidcEnv(): boolean;
+/**
+ * Request a GitHub Actions OIDC ID token for the given audience.
+ * Throws `OidcUnavailableError` when the required env vars are missing
+ * (caller can fall back to token auth) or when GitHub rejects the request.
+ */
+export declare function fetchGithubOidcToken(audience: string, log?: (msg: string) => void): Promise<string>;
+/**
+ * Exchange a GitHub OIDC JWT for a short-lived npm publish token at
+ * `/-/npm/v1/oidc/token/exchange/package/<escaped-name>`. The npm
+ * registry validates the JWT against the package's Trusted Publisher
+ * config — if no Trusted Publisher is configured, or the JWT comes from
+ * a repo/workflow that doesn't match, the exchange returns a 4xx with
+ * a descriptive body which we propagate as `OidcExchangeError`.
+ */
+export declare function exchangeOidcForNpmToken(args: OidcExchangeOptions & {
+    idToken: string;
+}): Promise<string>;
+/**
+ * End-to-end: probe env → fetch id-token → exchange for npm token.
+ * One-shot convenience for `gjsify publish` and the verification command.
+ */
+export declare function getNpmTrustedToken(opts: OidcExchangeOptions): Promise<OidcExchangeResult>;
+export {};

package/lib/utils/npm-oidc.js

@@ -0,0 +1,140 @@
+// npm Trusted Publishing — OIDC token exchange for `gjsify publish`.
+//
+// Two-step flow, mirroring `refs/npm-cli/lib/utils/oidc.js`:
+//
+//   1. Request a GitHub Actions OIDC ID token (JWT) from the runner.
+//      Requires `permissions: id-token: write` in the calling workflow.
+//      GitHub provides `ACTIONS_ID_TOKEN_REQUEST_URL` and
+//      `ACTIONS_ID_TOKEN_REQUEST_TOKEN` env vars; we GET the URL with
+//      the runner-provided audience (`npm:registry.npmjs.org`).
+//
+//   2. Exchange that JWT at npm's `/-/npm/v1/oidc/token/exchange/package/<name>`
+//      endpoint for a short-lived (~5 min) npm publish token. npm verifies
+//      the JWT against the package's configured Trusted Publisher
+//      (repository + workflow filename + optional environment) and either
+//      issues a token or rejects with an explanatory error.
+//
+// The token returned by step 2 is used for the publish PUT in the same
+// way the long-lived NPM_TOKEN would have been — drop-in replacement.
+//
+// Reference: refs/npm-cli/lib/utils/oidc.js
+// Original: Copyright (c) npm contributors. Artistic-2.0.
+export class OidcUnavailableError extends Error {
+    reason;
+    constructor(message, reason) {
+        super(message);
+        this.reason = reason;
+        this.name = 'OidcUnavailableError';
+    }
+}
+export class OidcExchangeError extends Error {
+    status;
+    body;
+    packageName;
+    constructor(message, status, body, packageName) {
+        super(message);
+        this.status = status;
+        this.body = body;
+        this.packageName = packageName;
+        this.name = 'OidcExchangeError';
+    }
+}
+/**
+ * Probe whether OIDC publishing is available in the current process —
+ * cheap env-var check, no network access. Used by `gjsify publish` to
+ * decide between OIDC and token-based auth in auto-detect mode.
+ */
+export function hasGithubOidcEnv() {
+    return Boolean(process.env.ACTIONS_ID_TOKEN_REQUEST_URL && process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN);
+}
+/**
+ * Request a GitHub Actions OIDC ID token for the given audience.
+ * Throws `OidcUnavailableError` when the required env vars are missing
+ * (caller can fall back to token auth) or when GitHub rejects the request.
+ */
+export async function fetchGithubOidcToken(audience, log) {
+    const url = process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
+    const bearer = process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
+    if (!url || !bearer) {
+        throw new OidcUnavailableError('GitHub Actions OIDC env vars (ACTIONS_ID_TOKEN_REQUEST_{URL,TOKEN}) not set. ' +
+            'The calling workflow needs `permissions: id-token: write`.', 'no-env');
+    }
+    const requestUrl = new URL(url);
+    requestUrl.searchParams.set('audience', audience);
+    log?.(`gjsify oidc: GET ${requestUrl.href.replace(bearer, '<bearer>')}`);
+    const res = await fetch(requestUrl.href, {
+        method: 'GET',
+        headers: {
+            Accept: 'application/json',
+            Authorization: `Bearer ${bearer}`,
+        },
+    });
+    if (!res.ok) {
+        const text = await res.text().catch(() => '<no body>');
+        throw new OidcUnavailableError(`Failed to fetch GitHub OIDC id_token: ${res.status} ${res.statusText} — ${text.slice(0, 200)}`, 'fetch-id-token');
+    }
+    const json = (await res.json().catch(() => ({})));
+    if (!json.value) {
+        throw new OidcUnavailableError('GitHub OIDC response missing `value` field', 'no-id-token');
+    }
+    return json.value;
+}
+/**
+ * Exchange a GitHub OIDC JWT for a short-lived npm publish token at
+ * `/-/npm/v1/oidc/token/exchange/package/<escaped-name>`. The npm
+ * registry validates the JWT against the package's Trusted Publisher
+ * config — if no Trusted Publisher is configured, or the JWT comes from
+ * a repo/workflow that doesn't match, the exchange returns a 4xx with
+ * a descriptive body which we propagate as `OidcExchangeError`.
+ */
+export async function exchangeOidcForNpmToken(args) {
+    const { packageName, registry, idToken, log } = args;
+    const registryClean = registry.endsWith('/') ? registry.slice(0, -1) : registry;
+    // npm-package-arg's escapedName convention — same as gjsify publish.ts.
+    const escapedName = packageName.startsWith('@')
+        ? (() => {
+            const slash = packageName.indexOf('/');
+            const scope = packageName.slice(1, slash);
+            const base = packageName.slice(slash + 1);
+            return `@${encodeURIComponent(scope)}%2f${encodeURIComponent(base)}`;
+        })()
+        : encodeURIComponent(packageName);
+    const exchangeUrl = `${registryClean}/-/npm/v1/oidc/token/exchange/package/${escapedName}`;
+    log?.(`gjsify oidc: POST ${exchangeUrl}`);
+    const res = await fetch(exchangeUrl, {
+        method: 'POST',
+        headers: {
+            Authorization: `Bearer ${idToken}`,
+            'Content-Type': 'application/json',
+            Accept: 'application/json',
+        },
+        // npm's exchange endpoint accepts an empty JSON body — the JWT is
+        // the proof, no additional claims needed from us.
+        body: '{}',
+    });
+    const text = await res.text().catch(() => '');
+    if (!res.ok) {
+        throw new OidcExchangeError(`npm OIDC token exchange failed for ${packageName}: ${res.status} ${res.statusText} — ${text.slice(0, 300)}`, res.status, text, packageName);
+    }
+    let json;
+    try {
+        json = JSON.parse(text);
+    }
+    catch {
+        throw new OidcExchangeError(`npm OIDC token exchange returned non-JSON body for ${packageName}: ${text.slice(0, 200)}`, res.status, text, packageName);
+    }
+    if (!json.token) {
+        throw new OidcExchangeError(`npm OIDC token exchange returned no \`token\` field for ${packageName}`, res.status, text, packageName);
+    }
+    return json.token;
+}
+/**
+ * End-to-end: probe env → fetch id-token → exchange for npm token.
+ * One-shot convenience for `gjsify publish` and the verification command.
+ */
+export async function getNpmTrustedToken(opts) {
+    const audience = `npm:${new URL(opts.registry).hostname}`;
+    const idToken = await fetchGithubOidcToken(audience, opts.log);
+    const token = await exchangeOidcForNpmToken({ ...opts, idToken });
+    return { token, audience };
+}

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@gjsify/cli",
-    "version": "0.4.15",
+    "version": "0.4.16",
     "description": "CLI for Gjsify",
     "type": "module",
     "main": "lib/index.js",
@@ -37,18 +37,18 @@
         "cli"
     ],
     "dependencies": {
-        "@gjsify/buffer": "^0.4.15",
-        "@gjsify/create-app": "^0.4.15",
-        "@gjsify/node-globals": "^0.4.15",
-        "@gjsify/node-polyfills": "^0.4.15",
-        "@gjsify/npm-registry": "^0.4.15",
-        "@gjsify/resolve-npm": "^0.4.15",
-        "@gjsify/rolldown-plugin-gjsify": "^0.4.15",
-        "@gjsify/rolldown-plugin-pnp": "^0.4.15",
-        "@gjsify/semver": "^0.4.15",
-        "@gjsify/tar": "^0.4.15",
-        "@gjsify/web-polyfills": "^0.4.15",
-        "@gjsify/workspace": "^0.4.15",
+        "@gjsify/buffer": "^0.4.16",
+        "@gjsify/create-app": "^0.4.16",
+        "@gjsify/node-globals": "^0.4.16",
+        "@gjsify/node-polyfills": "^0.4.16",
+        "@gjsify/npm-registry": "^0.4.16",
+        "@gjsify/resolve-npm": "^0.4.16",
+        "@gjsify/rolldown-plugin-gjsify": "^0.4.16",
+        "@gjsify/rolldown-plugin-pnp": "^0.4.16",
+        "@gjsify/semver": "^0.4.16",
+        "@gjsify/tar": "^0.4.16",
+        "@gjsify/web-polyfills": "^0.4.16",
+        "@gjsify/workspace": "^0.4.16",
         "cosmiconfig": "^9.0.1",
         "get-tsconfig": "^4.14.0",
         "pkg-types": "^2.3.1",
@@ -56,12 +56,12 @@
         "yargs": "^18.0.0"
     },
     "devDependencies": {
-        "@gjsify/unit": "^0.4.15",
+        "@gjsify/unit": "^0.4.16",
         "@types/yargs": "^17.0.35",
         "typescript": "^6.0.3"
     },
     "peerDependencies": {
-        "@gjsify/rolldown-native": "^0.4.15"
+        "@gjsify/rolldown-native": "^0.4.16"
     },
     "peerDependenciesMeta": {
         "@gjsify/rolldown-native": {