- package.json: private:false; real repository.url; publishConfig.registry →
coulomb Gitea npm; lit dependency → peerDependency (^3) + devDependency;
ship the ir/ consumer contract (files + ./ir/* export); add PUBLISHING.md to files.
- .npmrc: real @whynot scope registry + ${NPM_AUTH_TOKEN} ref (no secret committed).
- PUBLISHING.md: publish flow, token routing (operator/OpenBao — warden route is not
in this CLI), and consumer install.
- README: registry-install path + lit peer note. CHANGELOG: Added/Changed entries.
Config + packaging validated via `npm pack --dry-run` (ir/, tokens, CSS, PUBLISHING.md
included; .npmrc excluded). Actual `npm publish` + install-verify is gated on a Gitea
NPM_AUTH_TOKEN (operator-owned) and an explicit outward-publish go-ahead.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Publishing @whynot/design
@whynot/design is published to the coulomb Gitea npm registry so consuming
repos can pin a version (npm i @whynot/design@x.y.z) and track it at their own pace
(WHYNOT-WP-0003). The git tag cut by make release (see DesignSystemIntroduction.md
§6) is the version; publishing makes that version installable.
- Registry: https://gitea.coulomb.social/api/packages/coulomb/npm/
- package.json publishConfig.registry already points npm publish here.
- lit is a peerDependency — consumers install it themselves so their bundler dedupes to a single lit instance.
The token (never commit it)
Publishing and installing @whynot/* need a Gitea package token. It is not stored in
this repo — per .claude/rules/credential-routing.md, tokens are routed, not vended:
a Gitea package token is operator/OpenBao-owned (railiance-platform). Obtain one from
the operator and export it:
export NPM_AUTH_TOKEN=… # Gitea package token; never paste into git/chat/logs
.npmrc (committed) references it via ${NPM_AUTH_TOKEN} — no secret lives in the file.
Publish (maintainer)
git checkout main && git pull --ff-only
make release VERSION=x.y.z # bumps, cuts CHANGELOG, commits, tags (§6)
git push --follow-tags origin main
npm publish # uses publishConfig.registry + NPM_AUTH_TOKEN
npm publish is outward and immutable — a published version cannot be silently
replaced. Confirm the tag and npm pack --dry-run contents first.
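One way to automate that pre-publish confirmation, as an added example that is not part of this repo's tooling: it checks that credential keys in .npmrc hold only ${VAR} references, and that the parsed output of `npm pack --dry-run --json` excludes .npmrc while including ir/ and PUBLISHING.md. The function names and all sample inputs are constructed for illustration.

```javascript
// Added example: pre-publish checks for the .npmrc and the packed file list.
// Function names and all sample data are constructed for illustration.

// .npmrc keys whose values are credentials (optionally scoped to a registry URL).
const CREDENTIAL_KEY = /(?:^|:)(_authToken|_auth|_password)$/;
// A value that is purely an environment reference such as ${NPM_AUTH_TOKEN}.
const ENV_REF = /^\$\{[A-Za-z_][A-Za-z0-9_]*\}$/;

// Return [{line, key}] for credential keys holding a literal value.
// The value itself is never returned, so findings are safe to log.
function findLiteralSecrets(npmrcText) {
  const findings = [];
  npmrcText.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) return;
    const eq = line.indexOf('=');
    if (eq < 0) return;
    const key = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^["']|["']$/g, '');
    if (CREDENTIAL_KEY.test(key) && !ENV_REF.test(value)) {
      findings.push({ line: i + 1, key });
    }
  });
  return findings;
}

// packJson: parsed output of `npm pack --dry-run --json`.
// Reports any packed .npmrc and any expected entry that is absent.
function checkPack(packJson, required = ['ir/', 'PUBLISHING.md']) {
  const paths = packJson.flatMap((pkg) => pkg.files.map((f) => f.path));
  const leaked = paths.filter((p) => /(^|\/)\.npmrc$/.test(p));
  const missing = required.filter((r) =>
    r.endsWith('/') ? !paths.some((p) => p.startsWith(r)) : !paths.includes(r));
  return { leaked, missing };
}

// Constructed inputs.
const NPMRC_OK = [
  '@whynot:registry=https://gitea.coulomb.social/api/packages/coulomb/npm/',
  '//gitea.coulomb.social/api/packages/coulomb/npm/:_authToken=${NPM_AUTH_TOKEN}',
].join('\n');
const NPMRC_BAD = NPMRC_OK.replace('${NPM_AUTH_TOKEN}', 'constructed-literal-value');
const PACK_OK = [{ files: [{ path: 'package.json' }, { path: 'PUBLISHING.md' },
  { path: 'ir/tokens.json' }] }];
const PACK_BAD = [{ files: [{ path: 'package.json' }, { path: '.npmrc' }] }];

console.log(findLiteralSecrets(NPMRC_OK), findLiteralSecrets(NPMRC_BAD));
console.log(checkPack(PACK_OK), checkPack(PACK_BAD));
```

A non-empty `findLiteralSecrets` result or a non-empty `leaked`/`missing` list is the signal to stop before `npm publish`.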
Install (consumer)
Add an .npmrc to the consuming repo so the @whynot scope resolves to the registry,
then install the package plus the lit peer:
# .npmrc
@whynot:registry=https://gitea.coulomb.social/api/packages/coulomb/npm/
//gitea.coulomb.social/api/packages/coulomb/npm/:_authToken=${NPM_AUTH_TOKEN}
npm i @whynot/design@x.y.z lit
The installed package carries the consumer-facing contract under ir/ (component
contracts, tokens.json, exemplars) reachable via the ./ir/* export — that is what
the drift check (WHYNOT-WP-0003 T05) reads to report changes between versions.