@omnidist/omnidist-linux-arm64 0.1.25 → 0.1.29
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +41 -2
- package/bin/omnidist +0 -0
- package/package.json +5 -1
package/README.md
CHANGED
|
@@ -23,7 +23,7 @@ For project background, packaging model details, migration notes, and contributo
|
|
|
23
23
|
- Node.js + npm (for npm distribution commands)
|
|
24
24
|
- `uv` (for uv distribution commands)
|
|
25
25
|
- `git` (when `version.source: git-tag`)
|
|
26
|
-
- `NPM_PUBLISH_TOKEN` for npm publish (
|
|
26
|
+
- `NPM_PUBLISH_TOKEN` for npm publish when `distributions.npm.publish-auth: token` (default) and not `--dry-run`
|
|
27
27
|
- `UV_PUBLISH_TOKEN` (or `--token`) for uv publish (unless `--dry-run`)
|
|
28
28
|
|
|
29
29
|
## Installation
|
|
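Review bot: The new line 26 bullet scopes `NPM_PUBLISH_TOKEN` to `publish-auth: token`, but the prerequisites list gains nothing for `trusted` mode, so a reader who selects trusted mode finds no npm publish requirement listed here. Consider adding a bullet for trusted mode that points to `distributions.npm.repository-url` and to the CI OIDC permission described later in the README. The `UV_PUBLISH_TOKEN` bullet on line 27 still says "(unless `--dry-run`)" while this one says "and not `--dry-run`"; one phrasing for both would read more consistently.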
@@ -175,7 +175,9 @@ Supported variables:
|
|
|
175
175
|
- `OMNIDIST_OMNIDIST_ROOT`: optional project root directory (same as `--omnidist-root`).
|
|
176
176
|
- `OMNIDIST_GIT_COMMIT`: optional ldflags template variable for build metadata; populated automatically by `omnidist build` when git metadata is available.
|
|
177
177
|
- `OMNIDIST_BUILD_DATE`: optional ldflags template variable for build metadata; populated automatically by `omnidist build` as UTC RFC3339.
|
|
178
|
-
- `NPM_PUBLISH_TOKEN`: required for npm publish commands when not using `--dry-run`
|
|
178
|
+
- `NPM_PUBLISH_TOKEN`: required for npm publish commands in `token` auth mode when not using `--dry-run`
|
|
179
|
+
- `distributions.npm.publish-auth`: npm publish auth mode; `token` uses `NPM_PUBLISH_TOKEN`, `trusted` uses ambient trusted publishing/OIDC
|
|
180
|
+
- `distributions.npm.repository-url`: repository URL written to staged package.json `repository.url`; required for trusted npm publishing
|
|
179
181
|
- `UV_PUBLISH_TOKEN`: used by uv publish when `--token` is not provided
|
|
180
182
|
|
|
181
183
|
Example `.env`:
|
|
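Review bot: New lines 179 and 180 place `distributions.npm.publish-auth` and `distributions.npm.repository-url` in the "Supported variables" list, between `NPM_PUBLISH_TOKEN` and `UV_PUBLISH_TOKEN`, although they are written as config keys rather than environment variables. A reader building a `.env` from this list (the example follows directly) cannot tell whether these two can be set from the environment. Either move them to the config reference or give the environment variable names, if any exist.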
@@ -228,6 +230,8 @@ distributions:
|
|
|
228
230
|
package: "@omnidist/omnidist"
|
|
229
231
|
registry: https://registry.npmjs.org
|
|
230
232
|
access: public # public | restricted
|
|
233
|
+
publish-auth: token # token | trusted
|
|
234
|
+
repository-url: git+https://github.com/your-org/your-repo.git # required for trusted publish
|
|
231
235
|
license: MIT # optional override for package.json license; omit to use SEE LICENSE IN <file>
|
|
232
236
|
keywords: [cli, ai, llm] # optional npm meta-package keywords
|
|
233
237
|
readme-path: docs/npm-readme.md # optional npm-specific README source
|
|
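Review bot: On new line 234 the example sets `repository-url` to the placeholder `git+https://github.com/your-org/your-repo.git` next to `publish-auth: token`, and the variables section says this value is written to the staged package.json `repository.url`. Someone copying the block in token mode would stage packages that carry the placeholder. Consider commenting the line out in the example or marking it as a value that must be replaced, and say in the line 233 comment that `token` is the default, as the prerequisites bullet already does.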
@@ -417,6 +421,41 @@ Before npm commands run, omnidist writes `.omnidist/.npmrc` from `distributions.
|
|
|
417
421
|
`//<registry>/:_authToken=${NPM_PUBLISH_TOKEN}`.
|
|
418
422
|
If staged package version contains a `-dev` prerelease and `--tag` is not provided, omnidist auto-publishes with `--tag dev`.
|
|
419
423
|
|
|
424
|
+
To publish through npm trusted publishing, set:
|
|
425
|
+
|
|
426
|
+
```yaml
|
|
427
|
+
distributions:
|
|
428
|
+
npm:
|
|
429
|
+
publish-auth: trusted
|
|
430
|
+
repository-url: git+https://github.com/your-org/your-repo.git
|
|
431
|
+
```
|
|
432
|
+
|
|
433
|
+
In trusted mode, omnidist skips token-only auth preflight and does not force a workspace `.npmrc`; `npm publish` uses the ambient CI credentials instead. For GitHub Actions, that means:
|
|
434
|
+
- the workflow must grant `id-token: write`
|
|
435
|
+
- the job must use a supported Node/npm toolchain for OIDC
|
|
436
|
+
- each published npm package must have its own trusted publisher configured on npm
|
|
437
|
+
- each staged package must include a `repository.url` that exactly matches the GitHub repository
|
|
438
|
+
|
|
439
|
+
`omnidist ci` emits the required GitHub Actions OIDC permissions and Node setup when `publish-auth: trusted` is configured.
|
|
440
|
+
|
|
441
|
+
To configure npm trusted publishers for the meta package and all platform packages:
|
|
442
|
+
|
|
443
|
+
```bash
|
|
444
|
+
omnidist npm trust
|
|
445
|
+
```
|
|
446
|
+
|
|
447
|
+
That prints the exact `npx -y npm@11.16.0 trust github ...` commands derived from your config and target matrix, so you do not have to rely on the host npm version. To apply them directly with an npm account that has write access and 2FA enabled:
|
|
448
|
+
|
|
449
|
+
```bash
|
|
450
|
+
omnidist npm trust --apply
|
|
451
|
+
```
|
|
452
|
+
|
|
453
|
+
Useful overrides:
|
|
454
|
+
- `--workflow-file publish.yml` when your workflow filename differs from `omnidist-release.yml`
|
|
455
|
+
- `--repo your-org/your-repo` when you want to override `distributions.npm.repository-url`
|
|
456
|
+
- `--environment production` when your trusted publisher is restricted to a GitHub Actions environment
|
|
457
|
+
- `--allow-stage-publish` to also allow `npm stage publish`
|
|
458
|
+
|
|
420
459
|
If your npm account requires 2FA for publish operations:
|
|
421
460
|
|
|
422
461
|
```bash
|
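Review bot: New line 433 says trusted mode "does not force a workspace `.npmrc`", but it does not say what happens to a `.omnidist/.npmrc` left over from an earlier token-mode run, or to an `NPM_PUBLISH_TOKEN` still present in the CI environment. Document whether omnidist removes or ignores them, so that a job believed to be publishing through OIDC is not in fact using a long-lived token. In the overrides list, `--allow-stage-publish` (line 457) is described only as "also allow `npm stage publish`" and would benefit from a sentence on when that is needed, and the "exactly matches" requirement on line 437 should state whether the `git+https://...git` form shown in the YAML is the form that has to match.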
package/bin/omnidist
CHANGED
|
Binary file
|
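Review bot: `package/bin/omnidist` appears only as "Binary file", so the executable shipped in this version cannot be reviewed from the diff, and the `package/package.json` change listed at the top (+5 -1) is not shown here either. Since the README hunks document trusted publishing, it would help to say in the release notes whether this package was itself published that way, so consumers have something to check the binary against.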