diff --git a/.github/workflows/releaseEtherpad.yml b/.github/workflows/releaseEtherpad.yml index a30c0c474f2..01a1e2ec80c 100644 --- a/.github/workflows/releaseEtherpad.yml +++ b/.github/workflows/releaseEtherpad.yml @@ -1,9 +1,33 @@ +# PARKED — npm publish of the core package is not part of the standard release. +# +# This workflow renames `ep_etherpad-lite` -> `ep_etherpad` and publishes +# `./src` to npm. As of 2026-06, that publish serves no load-bearing purpose: +# - `ep_etherpad` has 0 dependents on npm and nothing in this repo depends on it; +# - plugins import `ep_etherpad-lite` resolved from the LOCAL core install, +# and plugin CI clones `ether/etherpad` rather than `npm install`-ing core; +# - Etherpad is run via git clone / Docker / zip / snap, never `npm install`. +# The publish has been failing (E404 PUT — the `ep_etherpad` package has no OIDC +# trusted publisher configured on npmjs.com), which is why npm is stuck at 2.5.0 +# while 3.x shipped fine without it. +# +# It is therefore gated behind an explicit `confirm: true` dispatch input so a +# stray run fails fast with a clear message instead of a confusing 404. To +# actually publish, the npm owner of `ep_etherpad` (samtv12345) must first +# configure a trusted publisher: npmjs.com -> ep_etherpad -> Settings -> +# Trusted Publisher -> repo `ether/etherpad`, workflow `releaseEtherpad.yml`. +# Decision pending: finish that config, or remove this workflow. See AGENTS.MD. name: releaseEtherpad.yaml permissions: contents: read id-token: write # for npm OIDC trusted publishing on: workflow_dispatch: + inputs: + confirm: + description: 'PARKED — publish ep_etherpad to npm? Requires a trusted publisher configured on npmjs.com first (see workflow header). Set true only if that is done.' + required: true + default: false + type: boolean env: PNPM_HOME: ~/.pnpm-store @@ -12,6 +36,14 @@ jobs: release: runs-on: ubuntu-latest steps: + - name: Guard — refuse unless explicitly confirmed + if: ${{ inputs.confirm != true }} + run: | + echo "::error::releaseEtherpad is PARKED. The ep_etherpad npm publish is non-functional" + echo "::error::(no trusted publisher configured on npmjs.com; 0 dependents on npm)." + echo "::error::Re-run with confirm=true only after the owner configures a trusted" + echo "::error::publisher. See the workflow header / AGENTS.MD 'Releasing' section." + exit 1 - name: Checkout repository uses: actions/checkout@v6 - uses: actions/setup-node@v6 diff --git a/AGENTS.MD b/AGENTS.MD index c3cb1115e03..80abdce9169 100644 --- a/AGENTS.MD +++ b/AGENTS.MD @@ -231,7 +231,7 @@ Releases are driven almost entirely by GitHub Actions. A maintainer dispatches * - `handleRelease.yml` → builds Etherpad, extracts the matching changelog section via `generateChangelog` (`bin/generateReleaseNotes.ts`), and publishes the **GitHub Release** (`make_latest: true`); - `docker.yml` → builds & pushes the Docker images; - `snap-publish.yml` → publishes the snap. -5. **npm publish is a separate manual step:** dispatch **"releaseEtherpad.yaml"** (`workflow_dispatch`), which runs `npm publish --provenance --access public` via npm **OIDC trusted publishing**. It is *not* fired by the tag. +5. **npm publish — PARKED, not part of the release.** `releaseEtherpad.yaml` publishes the core as `ep_etherpad` to npm, but that package is **not load-bearing**: it has 0 dependents, nothing depends on it (plugins import `ep_etherpad-lite` from the *local* core install; plugin CI clones the repo), and Etherpad is run via clone/Docker/zip/snap — never `npm install`. The publish currently fails with `E404` because `ep_etherpad` has no OIDC trusted publisher configured on npmjs.com, which is why npm sits at 2.5.0 while 3.x shipped fine without it. The workflow is gated behind a `confirm: true` input so it can't run by accident. **Skip it for a normal release.** To revive it, the npm owner of `ep_etherpad` (`samtv12345`) configures a trusted publisher (npmjs.com → ep_etherpad → Settings → Trusted Publisher → repo `ether/etherpad`, workflow `releaseEtherpad.yml`); otherwise the workflow can be removed. Decision pending. ### Documentation