@shopify/test-oidc-runner-2026-06-03 0.0.1

package/.github/workflows/cloudsmith-routing-demo.yml

@@ -0,0 +1,112 @@
+name: cloudsmith-routing-demo
+# Self-contained demo for the cloudsmith_excess_usage_reduction proposal.
+# Proves two things with NO secrets and NO impact on any other team:
+#   1. A PUBLIC @shopify package installs fine straight from npmjs.org (Cloudsmith not needed).
+#   2. PRIVATE @shopify packages 404 on npm — so they MUST migrate to @shopify-internal
+#      BEFORE the @shopify scope can be routed direct to npm. (The load-bearing risk.)
+#
+# Runs on ubuntu-latest on purpose: standard GitHub-hosted runners have no Shopify org
+# .npmrc injection, so the ONLY routing in effect is the scoped .npmrc this workflow writes.
+# That isolates the variable to the routing change itself.
+on:
+  workflow_dispatch:
+    inputs:
+      public_package:
+        description: 'Public @shopify package (should install from npm)'
+        default: '@shopify/polaris'
+      private_packages:
+        description: 'Space-separated private @shopify packages (should 404 on npm)'
+        default: '@shopify/checkout-web-ui @shopify/gravity-web @shopify/event-id-service'
+
+jobs:
+  routing-demo:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4   # needed so Test 3 can read private-packages.txt
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: "Test 1 — PUBLIC @shopify package resolves DIRECT from npmjs.org (no Cloudsmith)"
+        run: |
+          set -euo pipefail
+          PKG='${{ inputs.public_package }}'
+          WORK="$(mktemp -d)"; cd "$WORK"
+          # Route the @shopify scope straight to public npm:
+          echo '@shopify:registry=https://registry.npmjs.org/' > .npmrc
+          echo "::group::.npmrc in effect"; cat .npmrc; echo "::endgroup::"
+          npm init -y >/dev/null
+          echo "Installing $PKG (with @shopify -> registry.npmjs.org)..."
+          npm install "$PKG" --no-audit --no-fund --ignore-scripts
+          echo ""
+          echo "::group::resolved tarball sources (sample)"
+          grep -Eo '"resolved": *"[^"]+"' package-lock.json | sort -u | head -10
+          echo "::endgroup::"
+          if grep -q 'npm.shopify.io' package-lock.json; then
+            echo "❌ Resolved via Cloudsmith (npm.shopify.io) — unexpected."; exit 1
+          fi
+          if grep -q 'registry.npmjs.org' package-lock.json; then
+            echo "✅ PASS: $PKG installed directly from registry.npmjs.org — Cloudsmith not involved."
+          else
+            echo "⚠️ Installed but couldn't confirm npmjs.org in the lockfile — inspect the sample above."; exit 1
+          fi
+
+      - name: "Test 2 — PRIVATE @shopify packages 404 on npm (must migrate before routing @shopify direct)"
+        run: |
+          set -uo pipefail
+          FAIL=0
+          for PKG in ${{ inputs.private_packages }}; do
+            echo "::group::$PKG"
+            WORK="$(mktemp -d)"; cd "$WORK"
+            echo '@shopify:registry=https://registry.npmjs.org/' > .npmrc
+            npm init -y >/dev/null
+            echo "Attempting: npm install $PKG  (with @shopify -> npm)"
+            if npm install "$PKG" --no-audit --no-fund --ignore-scripts 2> err.log; then
+              echo "⚠️ $PKG installed from npm (HTTP 200) — it appears to be PUBLIC now; re-check the exception list."
+              FAIL=1
+            elif grep -qE '404|E404' err.log; then
+              echo "✅ $PKG → 404 on npm. A build would BREAK here if @shopify were routed direct — this is the expected, load-bearing result."
+            else
+              echo "⚠️ $PKG failed for a non-404 reason:"; cat err.log; FAIL=1
+            fi
+            cd - >/dev/null
+            echo "::endgroup::"
+          done
+          if [ "$FAIL" = "1" ]; then
+            echo "One or more results were unexpected — see warnings above."; exit 1
+          fi
+          echo "✅ PASS: every listed private @shopify package 404s on npm → migration to @shopify-internal is required before routing @shopify direct to npmjs.org."
+
+      - name: "Test 3 — re-validate the FULL exception list (private-packages.txt) against npm"
+        run: |
+          set -uo pipefail
+          # Lightweight re-check of the entire 72-package exception list: a GET to the npm
+          # registry metadata endpoint. 404 = still private (expected). 200 = it has gone
+          # PUBLIC on npm and the exception list needs updating before routing @shopify direct.
+          LIST="private-packages.txt"
+          STILL_PRIVATE=0; DRIFTED=0; OTHER=0
+          DRIFTED_PKGS=""; OTHER_PKGS=""
+          while IFS= read -r PKG; do
+            case "$PKG" in ''|\#*) continue ;; esac
+            PKG="$(echo "$PKG" | tr -d '[:space:]')"
+            [ -z "$PKG" ] && continue
+            # @shopify/foo -> https://registry.npmjs.org/@shopify%2ffoo
+            URL="https://registry.npmjs.org/$(echo "$PKG" | sed 's:/:%2f:')"
+            CODE="$(curl -s -o /dev/null -w '%{http_code}' "$URL" || echo 000)"
+            case "$CODE" in
+              404) STILL_PRIVATE=$((STILL_PRIVATE+1)) ;;
+              200) DRIFTED=$((DRIFTED+1)); DRIFTED_PKGS="$DRIFTED_PKGS $PKG"; echo "⚠️  $PKG → HTTP 200 (PUBLIC on npm — drifted off the exception list)" ;;
+              *)   OTHER=$((OTHER+1)); OTHER_PKGS="$OTHER_PKGS $PKG"; echo "❓ $PKG → HTTP $CODE (couldn't classify)" ;;
+            esac
+          done < "$LIST"
+          echo ""
+          echo "── Exception-list re-validation summary ─────────────────────"
+          echo "  Still private (404, expected): $STILL_PRIVATE"
+          echo "  Drifted to PUBLIC (200):       $DRIFTED${DRIFTED_PKGS:+ →$DRIFTED_PKGS}"
+          echo "  Unclassified (other codes):    $OTHER${OTHER_PKGS:+ →$OTHER_PKGS}"
+          echo "─────────────────────────────────────────────────────────────"
+          if [ "$DRIFTED" != "0" ]; then
+            echo "⚠️  $DRIFTED package(s) are now public on npm — update private-packages.txt + cloudsmith-package-audit.md before relying on this list."
+          else
+            echo "✅ All $STILL_PRIVATE listed packages still 404 on npm — exception list is consistent with npm today."
+          fi

package/.github/workflows/firstpublish-repro.yml

@@ -0,0 +1,16 @@
+name: firstpublish-repro
+on:
+  workflow_dispatch: {}
+jobs:
+  publish:
+    runs-on: shopify-ubuntu-latest   # fallback: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+      - name: Attempt first publish of a brand-new package
+        run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/.github/workflows/oidc-runner-test.yml

@@ -0,0 +1,53 @@
+name: oidc-runner-test
+# A/B test for Tammy (IAM-1879): does OIDC publishing work on shopify-ubuntu-latest?
+# The ONLY variable between runs is `runner`. Deliberately NO `registry-url` on
+# setup-node — that .npmrc side effect was the real fix in the Feb extensibility
+# thread we'd wrongly credited to the runner switch. Hold everything else constant.
+#
+# Run order:
+#   1. runner=ubuntu-latest         -> control, must succeed (proves the setup is sound)
+#   2. runner=shopify-ubuntu-latest -> the test (only the runner changed)
+on:
+  workflow_dispatch:
+    inputs:
+      runner:
+        description: 'Runner to publish from'
+        type: choice
+        options:
+          - ubuntu-latest
+          - shopify-ubuntu-latest
+        default: ubuntu-latest
+
+jobs:
+  publish:
+    runs-on: ${{ inputs.runner }}
+    permissions:
+      id-token: write   # required for OIDC token exchange
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22.14.0'
+          # NO registry-url on purpose — that writes a project .npmrc and is the
+          # confounding variable from the Feb thread. publishConfig handles routing.
+
+      - name: Upgrade npm for OIDC support
+        run: npm install -g npm@latest
+
+      - name: Context
+        run: |
+          echo "runner input: ${{ inputs.runner }}"
+          node -v && npm -v
+
+      - name: Unique version per run (0.1.x — keeps clear of the 0.0.1 token first-publish)
+        run: npm version "0.1.${{ github.run_number }}" --no-git-tag-version --allow-same-version
+
+      - name: Publish via OIDC (no token)
+        run: npm publish --access public
+        env:
+          # Force OIDC: explicitly blank any org-injected token so npm cannot
+          # silently fall back to token auth and mask the result.
+          NPM_TOKEN: ""
+          NODE_AUTH_TOKEN: ""

package/package.json

@@ -0,0 +1,7 @@
+{
+  "name": "@shopify/test-oidc-runner-2026-06-03",
+  "version": "0.0.1",
+  "description": "OIDC runner A/B test (AI Ops, IAM-1879): does OIDC publish work on shopify-ubuntu-latest vs ubuntu-latest?",
+  "license": "MIT",
+  "publishConfig": { "access": "public", "registry": "https://registry.npmjs.org/" }
+}

package/private-packages.txt

@@ -0,0 +1,77 @@
+# Private @shopify/* packages natively hosted on Cloudsmith (NOT on npmjs.com).
+# Source: "Private @shopify/* packages natively hosted on Cloudsmith" sheet +
+# projects/npm/cloudsmith-package-audit.md (72 packages, verified 404 on npm 2026-04-28).
+# These must migrate to @shopify-internal before @shopify can route direct to npm.
+# Lines starting with # are ignored.
+@shopify/checkout-web-ui
+@shopify/checkout-react-testing
+@shopify/checkout-web-ui-post-purchase
+@shopify/checkout-react-router
+@shopify/shop-pay-external-interface
+@shopify/checkout-performance
+@shopify/checkout-utilities
+@shopify/editor-bridge
+@shopify/checkout-react-html
+@shopify/signals-react
+@shopify/checkout-react-async
+@shopify/checkout-i18n
+@shopify/checkout-graphql
+@shopify/checkout-react-performance
+@shopify/card-fields-react
+@shopify/checkout-assistant
+@shopify/checkout-react-server-render
+@shopify/eslint-plugin-checkout-web
+@shopify/extensibility-host
+@shopify/extensibility-host-runtimes
+@shopify/extensibility-host-react
+@shopify/extensibility-host-plugins
+@shopify/extensibility-host-mobile
+@shopify/extensibility-host-shared
+@shopify/remote-dom-runtime
+@shopify/dev-console-plugin
+@shopify/web-production-validation
+@shopify/docs-mcp
+@shopify/extensibility-host-docs
+@shopify/online-store-ui
+@shopify/richtext
+@shopify/editor-core
+@shopify/richtext-toolbar-html
+@shopify/richtext-plugin-bold
+@shopify/richtext-editor
+@shopify/richtext-presets
+@shopify/richtext-toolbar-core
+@shopify/gravity
+@shopify/gravity-web
+@shopify/gravity-react
+@shopify/gravity-tokens
+@shopify/gravity-tailwind
+@shopify/gravity-typescript-config
+@shopify/react-native-customerview-library
+@shopify/polaris-react-native
+@shopify/mobile-workflow-tooling
+@shopify/type-diff
+@shopify/type-diff-github-action
+@shopify/credit-card-bin
+@shopify/docs-ai
+@shopify/docusaurus-docuchat
+@shopify/edge-worker-fetch
+@shopify/event-id-service
+@shopify/i18n-linter
+@shopify/lang-liquid
+@shopify/opentelemetry-js
+@shopify/opentelemetry-propagation-shopify
+@shopify/otel-cf-workers-shopify
+@shopify/pci-script-inventory
+@shopify/qr-code-generator
+@shopify/rataris
+@shopify/swc-plugins
+@shopify/consent-tracking-api
+@shopify/privacy-banner-templates
+@shopify/dev-server
+@shopify/web-pixels-internal
+@shopify/pipeline-schema
+@shopify/guidance-ui
+@shopify/token-protocol
+@shopify/quick
+@shopify/magic-ui
+@shopify/whoowns