npm - @omnidist/omnidist-linux-arm64 - Versions diffs - 0.1.24 → 0.1.29 - Mend

@omnidist/omnidist-linux-arm64 0.1.24 → 0.1.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -23,7 +23,7 @@ For project background, packaging model details, migration notes, and contributo
 - Node.js + npm (for npm distribution commands)
 - `uv` (for uv distribution commands)
 - `git` (when `version.source: git-tag`)
-- `NPM_PUBLISH_TOKEN` for npm publish (unless `--dry-run`)
+- `NPM_PUBLISH_TOKEN` for npm publish when `distributions.npm.publish-auth: token` (default) and not `--dry-run`
 - `UV_PUBLISH_TOKEN` (or `--token`) for uv publish (unless `--dry-run`)
 ## Installation
@@ -175,7 +175,9 @@ Supported variables:
 - `OMNIDIST_OMNIDIST_ROOT`: optional project root directory (same as `--omnidist-root`).
 - `OMNIDIST_GIT_COMMIT`: optional ldflags template variable for build metadata; populated automatically by `omnidist build` when git metadata is available.
 - `OMNIDIST_BUILD_DATE`: optional ldflags template variable for build metadata; populated automatically by `omnidist build` as UTC RFC3339.
-- `NPM_PUBLISH_TOKEN`: required for npm publish commands when not using `--dry-run`
+- `NPM_PUBLISH_TOKEN`: required for npm publish commands in `token` auth mode when not using `--dry-run`
+- `distributions.npm.publish-auth`: npm publish auth mode; `token` uses `NPM_PUBLISH_TOKEN`, `trusted` uses ambient trusted publishing/OIDC
+- `distributions.npm.repository-url`: repository URL written to staged package.json `repository.url`; required for trusted npm publishing
 - `UV_PUBLISH_TOKEN`: used by uv publish when `--token` is not provided
 Example `.env`:
@@ -228,7 +230,10 @@ distributions:
     package: "@omnidist/omnidist"
     registry: https://registry.npmjs.org
     access: public # public | restricted
+    publish-auth: token # token | trusted
+    repository-url: git+https://github.com/your-org/your-repo.git # required for trusted publish
     license: MIT # optional override for package.json license; omit to use SEE LICENSE IN <file>
+    keywords: [cli, ai, llm] # optional npm meta-package keywords
     readme-path: docs/npm-readme.md # optional npm-specific README source
     include-readme: true # include project README.md in staged packages when present
@@ -261,6 +266,7 @@ profiles:
     distributions:
       npm:
         package: "@scope/mytool"
+        keywords: [cli, ai, llm]
         readme-path: docs/npm-readme.md
       uv:
         package: mytool
@@ -292,6 +298,8 @@ README source precedence during staging:
 `distributions.<name>.readme-path` -> `readme-path` -> `README.md`.
 If a configured readme-path is set and cannot be read, staging fails.
+When `distributions.npm.keywords` is set, omnidist writes those values to the staged npm meta package `package.json`.
 For appkit version injection, configure `build.ldflags` in your project config:
 ```yaml
@@ -413,6 +421,41 @@ Before npm commands run, omnidist writes `.omnidist/.npmrc` from `distributions.
 `//<registry>/:_authToken=${NPM_PUBLISH_TOKEN}`.
 If staged package version contains a `-dev` prerelease and `--tag` is not provided, omnidist auto-publishes with `--tag dev`.
+To publish through npm trusted publishing, set:
+```yaml
+distributions:
+  npm:
+    publish-auth: trusted
+    repository-url: git+https://github.com/your-org/your-repo.git
+```
+In trusted mode, omnidist skips token-only auth preflight and does not force a workspace `.npmrc`; `npm publish` uses the ambient CI credentials instead. For GitHub Actions, that means:
+- the workflow must grant `id-token: write`
+- the job must use a supported Node/npm toolchain for OIDC
+- each published npm package must have its own trusted publisher configured on npm
+- each staged package must include a `repository.url` that exactly matches the GitHub repository
+`omnidist ci` emits the required GitHub Actions OIDC permissions and Node setup when `publish-auth: trusted` is configured.
+To configure npm trusted publishers for the meta package and all platform packages:
+```bash
+omnidist npm trust
+```
+That prints the exact `npx -y npm@11.16.0 trust github ...` commands derived from your config and target matrix, so you do not have to rely on the host npm version. To apply them directly with an npm account that has write access and 2FA enabled:
+```bash
+omnidist npm trust --apply
+```
+Useful overrides:
+- `--workflow-file publish.yml` when your workflow filename differs from `omnidist-release.yml`
+- `--repo your-org/your-repo` when you want to override `distributions.npm.repository-url`
+- `--environment production` when your trusted publisher is restricted to a GitHub Actions environment
+- `--allow-stage-publish` to also allow `npm stage publish`
 If your npm account requires 2FA for publish operations:
 ```bash

package/bin/omnidist CHANGED Viewed

Binary file

package/package.json CHANGED Viewed

@@ -16,5 +16,9 @@
   "os": [
     "linux"
   ],
-  "version": "0.1.24"
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/metalagman/omnidist.git"
+  },
+  "version": "0.1.29"
 }