@shopify/test-oidc-runner-2026-06-03 0.1.2 → 0.2.4

package/.github/workflows/oidc-runner-test.yml

@@ -1,12 +1,13 @@
 name: oidc-runner-test
-# A/B test for Tammy (IAM-1879): does OIDC publishing work on shopify-ubuntu-latest?
-# The ONLY variable between runs is `runner`. Deliberately NO `registry-url` on
-# setup-node — that .npmrc side effect was the real fix in the Feb extensibility
-# thread we'd wrongly credited to the runner switch. Hold everything else constant.
-#
-# Run order:
-#   1. runner=ubuntu-latest         -> control, must succeed (proves the setup is sound)
-#   2. runner=shopify-ubuntu-latest -> the test (only the runner changed)
+# Extended 2026-06-12 (branch: oidc-pnpm-dlx-test) — A/B the publish METHOD under
+# shop/setup-javascript-action to reproduce + fix the polaris-types OIDC 404 (Kyle Durand).
+#   method=pnpm         -> reproduces the bug: pnpm publish fetches the OIDC id-token but
+#                          never completes npm's trusted-publishing handshake -> PUT 404
+#   method=pnpm-dlx-npm -> the fix: real npm via the sanctioned `pnpm dlx` hatch, which
+#                          routes around the Tectonix shim -> OIDC completes -> success
+# The original runner A/B (2026-06-03, IAM-1879) already proved OIDC works on
+# shopify-ubuntu-latest from this private repo with real npm. This run isolates the
+# pnpm-vs-npm variable under setup-javascript-action (Kyle's exact setup).
 on:
   workflow_dispatch:
     inputs:
@@ -14,9 +15,16 @@ on:
         description: 'Runner to publish from'
         type: choice
         options:
-          - ubuntu-latest
           - shopify-ubuntu-latest
-        default: ubuntu-latest
+          - ubuntu-latest
+        default: shopify-ubuntu-latest
+      method:
+        description: 'Publish method'
+        type: choice
+        options:
+          - pnpm-dlx-npm
+          - pnpm
+        default: pnpm-dlx-npm
 
 jobs:
   publish:
@@ -27,27 +35,31 @@ jobs:
     steps:
       - uses: actions/checkout@v4
 
-      - uses: actions/setup-node@v4
+      - name: Setup Node/pnpm (mirror polaris-types)
+        uses: shop/setup-javascript-action@main
         with:
-          node-version: '22.14.0'
-          # NO registry-url on purpose — that writes a project .npmrc and is the
-          # confounding variable from the Feb thread. publishConfig handles routing.
-
-      - name: Upgrade npm for OIDC support
-        run: npm install -g npm@latest
+          node-version: '22'
+          pnpm-version: '11.0.0'
 
       - name: Context
         run: |
-          echo "runner input: ${{ inputs.runner }}"
-          node -v && npm -v
+          echo "runner=${{ inputs.runner }}  method=${{ inputs.method }}"
+          node -v
 
-      - name: Unique version per run (0.1.x — keeps clear of the 0.0.1 token first-publish)
-        run: npm version "0.1.${{ github.run_number }}" --no-git-tag-version --allow-same-version
+      - name: Bump to a unique throwaway version
+        run: pnpm dlx npm@latest version "0.2.${{ github.run_number }}" --no-git-tag-version --allow-same-version
 
       - name: Publish via OIDC (no token)
-        run: npm publish --access public
+        run: |
+          set -x
+          if [ "${{ inputs.method }}" = "pnpm" ]; then
+            pnpm publish --tag next --access public --no-git-checks
+          else
+            pnpm dlx npm@latest publish --tag next --access public --no-git-checks
+          fi
         env:
-          # Force OIDC: explicitly blank any org-injected token so npm cannot
+          # Force OIDC: explicitly blank any org-injected token so npm/pnpm can't
           # silently fall back to token auth and mask the result.
           NPM_TOKEN: ""
           NODE_AUTH_TOKEN: ""
+          NPM_CONFIG_GLOBALCONFIG: ""

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@shopify/test-oidc-runner-2026-06-03",
-  "version": "0.1.2",
+  "version": "0.2.4",
   "description": "OIDC runner A/B test (AI Ops, IAM-1879): does OIDC publish work on shopify-ubuntu-latest vs ubuntu-latest?",
   "license": "MIT",
   "publishConfig": {