The Publish NPM job has been failing since v4.37.0. Root cause: npm 10
(bundled with Node 22) can sign provenance via OIDC but cannot
authenticate the registry upload itself via trusted publishing — that
requires npm >= 11.5.1. With no NODE_AUTH_TOKEN secret configured, the
publish fell through to an anonymous PUT, which the registry rejected
as a 404 (the standard response for scoped packages when auth is
missing).
Bump the runner to Node 24, which bundles npm 11.x. Drop --provenance
since trusted publishing attaches it automatically.
Also bump actions/setup-node to v6 — v4 runs on Node 20 internally,
which GitHub is deprecating.
This supersedes #838, which removed the npm self-upgrade step after
npm@latest started cross-major upgrading and corrupting itself
mid-install. Using Node 24's bundled npm avoids both the corruption
and the self-upgrade entirely.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
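A preflight guard for the failure described in the commit message above, as an added example (not code from this repository): it stops the job before `npm publish` when the upload would fall through to an anonymous PUT. The function names are hypothetical, and the classification order is this guard's own assumption rather than npm's internal logic; `ACTIONS_ID_TOKEN_REQUEST_URL` is the variable GitHub Actions sets when the job has `id-token: write`.

```shell
#!/bin/sh
# Added example: decide how an npm publish step would authenticate.
# Minimum npm version for trusted publishing, as stated in the commit message.
MIN_TRUSTED_NPM=11.5.1

# version_ge A B: succeeds when dotted version A >= B.
# Compares major.minor.patch numerically; a pre-release or build suffix
# ("-rc.1", "+sha") is ignored, which is an assumption of this example.
version_ge() {
  _a=${1%%[-+]*}
  _b=${2%%[-+]*}
  for _i in 1 2 3; do
    _x=${_a%%.*}
    _y=${_b%%.*}
    [ "${_x:-0}" -gt "${_y:-0}" ] && return 0
    [ "${_x:-0}" -lt "${_y:-0}" ] && return 1
    # Drop the component just compared; pad missing components with 0.
    case $_a in *.*) _a=${_a#*.} ;; *) _a=0 ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b=0 ;; esac
  done
  return 0
}

# publish_auth_mode NPM_VERSION: prints trusted-publishing, token or anonymous.
# Returns non-zero for "anonymous" so a workflow step fails before uploading.
publish_auth_mode() {
  if [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] &&
     version_ge "$1" "$MIN_TRUSTED_NPM"; then
    echo trusted-publishing
  elif [ -n "${NODE_AUTH_TOKEN:-}" ]; then
    echo token
  else
    # OIDC missing or npm too old, and no token: the case that produced the 404.
    echo anonymous
    return 1
  fi
}

# In a workflow step, before publishing:
#   publish_auth_mode "$(npm --version)" || exit 1
```
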
`npm install -g npm@latest` now resolves to npm 11.x, which causes a
fatal cross-major self-upgrade on runners bundling npm 10.x (Node 22).
The step was only needed for OIDC/provenance support, which has been
built into npm since 9.5.0 — Node 22's bundled npm 10.9.7 already
has it.
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- auto-release.yml now only handles: debounce, CI wait, version bump, tag push
- release.yml handles all publishing in parallel: crates.io, npm, binaries
This makes auto-release faster (~4 min instead of ~8 min) and allows
publishing to run in parallel with binary builds.
Flow:
  auto-release.yml: PR merge → debounce → bump → push tag
      ↓
  release.yml: tag push → parallel jobs:
      ├── build binaries (matrix)
      ├── publish crates.io
      └── publish npm (OIDC)
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
The RELEASE_TOKEN doesn't have workflow scope to trigger workflow_dispatch
events. Instead, run the release steps directly in the auto-release workflow.
This also simplifies the release process by removing the need for two
separate workflows.
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
- Fix label detection to only check PRs merged since last release tag
  (was checking ALL merged PRs regardless of date)
- Change --field to -f for gh workflow run command
- Add better logging for debugging
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
The status API doesn't reflect GitHub Actions check runs properly.
Switch to the check-runs API which accurately reports CI status.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds a workflow that automatically triggers releases when PRs with
release labels are merged. Features:
- Debounces by waiting 2 minutes for more PRs to merge
- Aggregates all PRs since last release to determine bump type
  (major > minor > patch)
- Waits for CI to pass on master before releasing
- Checks for running release workflows to avoid conflicts
- Triggers the existing create-release workflow
This allows multiple PRs to be merged in quick succession and have
them all included in a single release with the appropriate version bump.
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* fix: Remove dead json check from scale command
The scale command doesn't have a --json flag, so the check
for key == "json" in DynamicArgs::from_arg_matches was dead code.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* fix: Update npm to v11.5+ for OIDC trusted publishing
npm OIDC trusted publishing requires npm 11.5+, but Node 22
ships with npm 10.x by default. This adds a step to update
npm before publishing.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
setup-node with registry-url creates an .npmrc expecting NODE_AUTH_TOKEN,
which conflicts with OIDC trusted publisher flow. Removing it lets npm
handle OIDC authentication directly.
* fix docker ci workflow
Revert 'only run publish workflow on changes to the master branch';
Add manual job trigger
* get docker tag from user inputs in manual ci runs
* add security audit for cargo
* test
* revert test
* update workflow name
* change repo name to railwayapp
---------
Co-authored-by: Jake Runzer <jakerunzer@gmail.com>