releasing - nself-org/cli GitHub Wiki

SDK Releasing — Trusted Publisher Setup

This page documents how trusted-publisher (OIDC keyless) publishing is configured for each SDK registry. Use this when creating a new SDK release or troubleshooting publish failures.

TypeScript SDK (@nself/plugin-sdk on npm)

Workflow: sdk/ts/.github/workflows/sdk-ts-publish.yml

OIDC permission set: id-token: write — enables npm provenance via OIDC.

Setup (npm Trusted Publisher)

  1. Sign in to npmjs.com with the @nself org owner account.
  2. Navigate to the package settings for @nself/plugin-sdk.
  3. Under Automation tokens, generate a token scoped to Publish only and add it as the NPM_TOKEN repository secret in nself-org/cli → Settings → Secrets → Actions.
  4. Alternatively, npm Provenance (no secret needed) works when the workflow has id-token: write and npm publish --provenance is called. Current workflow uses both paths: provenance is attached automatically when NPM_TOKEN is set.

Trigger: push a tag matching sdk-ts/v* (e.g. sdk-ts/v2.1.0).

Python SDK (nself-plugin-sdk on PyPI)

Workflow: sdk/py/.github/workflows/sdk-py-publish.yml

OIDC permission set: id-token: write — enables PyPI Trusted Publisher (no API token needed).

Setup (PyPI Trusted Publisher)

  1. Sign in to pypi.org using the nSelf publisher account.
  2. Go to the project page for nself-plugin-sdkPublishing tab.
  3. Click Add a new publisher and fill in:
    • Owner: nself-org
    • Repository: cli
    • Workflow filename: sdk-py-publish.yml
    • Environment name: (leave blank)
  4. No secret token is needed once the trusted publisher is configured. The pypa/gh-action-pypi-publish action uses the OIDC token directly.

Trigger: push a tag matching sdk-py/v* (e.g. sdk-py/v2.1.0).

Flutter SDK (nself_plugin_sdk on pub.dev)

Workflow: sdk/flutter/.github/workflows/sdk-flutter-publish.yml

OIDC status: id-token: write is set and reserved for when pub.dev adds OIDC support. As of 2026, pub.dev does not yet support keyless OIDC publishing. Track: dart-lang/pub-dev#6687.

Current setup (secret-based)

  1. On a local machine with Dart SDK installed, run: 
    dart pub token add https://pub.dev
    This creates credentials at ~/.pub-cache/credentials.json.
  2. Copy the JSON content and add it as the PUB_DEV_CREDENTIALS repository secret in nself-org/cli → Settings → Secrets → Actions.
  3. The workflow injects the credential via the PUB_DEV_CREDENTIALS env var before calling dart pub publish --force.

Rotation

Pub.dev credentials expire when the OAuth token expires (typically 1 year). Rotate by repeating the dart pub token add step above and updating the secret.

Trigger: push a tag matching sdk-flutter/v* (e.g. sdk-flutter/v2.1.0).

Summary Table

SDK Registry Method Secret needed
TypeScript npm OIDC provenance + NPM_TOKEN NPM_TOKEN
Python PyPI OIDC Trusted Publisher none (after setup)
Flutter pub.dev OAuth credentials PUB_DEV_CREDENTIALS

Home | plugin-sdk | Release-Process

ɳSelf CLI v1.0.9. MIT licensed. Docs CC BY 4.0.

GitHub · Issues · Discussions · nself.org · docs.nself.org

⚠️ **GitHub.com Fallback** ⚠️