whynot-design/PUBLISHING.md
tegwick e02011905a
Some checks failed
ci / check (push) Has been cancelled
ci / release (push) Has been cancelled
feat(publish): make package installable from Gitea npm registry (WHYNOT-WP-0003 T02)
- package.json: private:false; real repository.url; publishConfig.registry →
  coulomb Gitea npm; lit dependency → peerDependency (^3) + devDependency;
  ship the ir/ consumer contract (files + ./ir/* export); add PUBLISHING.md to files.
- .npmrc: real @whynot scope registry + ${NPM_AUTH_TOKEN} ref (no secret committed).
- PUBLISHING.md: publish flow, token routing (operator/OpenBao — warden route is not
  in this CLI), and consumer install.
- README: registry-install path + lit peer note. CHANGELOG: Added/Changed entries.

Config + packaging validated via `npm pack --dry-run` (ir/, tokens, CSS, PUBLISHING.md
included; .npmrc excluded). Actual `npm publish` + install-verify is gated on a Gitea
NPM_AUTH_TOKEN (operator-owned) and an explicit outward-publish go-ahead.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-27 15:15:47 +02:00


# Publishing `@whynot/design`
`@whynot/design` is published to the **coulomb Gitea npm registry** so consuming
repos can pin a version (`npm i @whynot/design@x.y.z`) and track it at their own pace
(WHYNOT-WP-0003). The git tag cut by `make release` (see `DesignSystemIntroduction.md`
§6) is the version; publishing makes that version installable.
- Registry: `https://gitea.coulomb.social/api/packages/coulomb/npm/`
- `package.json` `publishConfig.registry` already points `npm publish` here.
- `lit` is a **peerDependency** — consumers install it themselves so their bundler
dedupes to a single `lit` instance.
## The token (never commit it)
Publishing and installing `@whynot/*` need a Gitea package token. It is **not stored in
this repo** — per `.claude/rules/credential-routing.md`, tokens are routed, not vended:
a Gitea package token is operator/OpenBao-owned (`railiance-platform`). Obtain one from
the operator and export it:
```sh
# Replace the placeholder with the Gitea package token; never paste it into git/chat/logs
export NPM_AUTH_TOKEN='<gitea-package-token>'
```
`.npmrc` (committed) references it via `${NPM_AUTH_TOKEN}` — no secret lives in the file.
## Publish (maintainer)
```sh
git checkout main && git pull --ff-only
make release VERSION=x.y.z # bumps, cuts CHANGELOG, commits, tags (§6)
git push --follow-tags origin main
npm publish # uses publishConfig.registry + NPM_AUTH_TOKEN
```
`npm publish` is **outward and immutable** — a published version cannot be silently
replaced. Confirm the tag and `npm pack --dry-run` contents first.
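
The two checks above (no secret in `.npmrc`, and tarball contents confirmed before publishing) can be scripted as a pre-publish gate. This is an added example, not part of this repo: the function names `npmrc_is_secret_free` and `pack_list_ok` are hypothetical, and the file list is assumed to arrive as one path per line, taken from `npm pack --dry-run`.

```sh
#!/bin/sh
# Added example, not part of the @whynot/design repo. Function names are hypothetical.

# Succeeds only if every credential line in the given .npmrc takes its value
# from an environment reference such as ${NPM_AUTH_TOKEN}, never a literal.
npmrc_is_secret_free() {
  [ -r "$1" ] || return 2   # an unreadable file is a failure, not a pass
  # Credential keys on non-comment lines.
  creds=$(grep -Ev '^[[:space:]]*[#;]' "$1" \
          | grep -E '(_authToken|_auth|_password)[[:space:]]*=' || true)
  [ -z "$creds" ] && return 0
  # Anything whose value is not exactly ${NAME} is treated as a literal secret.
  literal=$(printf '%s\n' "$creds" \
          | grep -Ev '=[[:space:]]*[$][{][A-Za-z_][A-Za-z0-9_]*[}][[:space:]]*$' || true)
  [ -z "$literal" ]
}

# Reads tarball paths (one per line) on stdin. Succeeds only if .npmrc is absent
# and every argument is present: "dir/" matches a path prefix, anything else
# must match a whole path exactly.
pack_list_ok() {
  list=$(cat)
  if printf '%s\n' "$list" | grep -Eq '(^|/)\.npmrc$'; then
    echo "refusing: .npmrc would be published" >&2
    return 1
  fi
  for want in "$@"; do
    case "$want" in
      */) printf '%s\n' "$list" | grep -q "^$want" ;;
      *)  printf '%s\n' "$list" | grep -qxF "$want" ;;
    esac || { echo "missing from tarball: $want" >&2; return 1; }
  done
}

# Constructed sample (not real npm output): a file list that would leak .npmrc.
printf '%s\n' package.json .npmrc ir/tokens.json | pack_list_ok ir/ || echo "publish blocked"
```

A maintainer would run `npmrc_is_secret_free .npmrc` and pipe the dry-run path list into `pack_list_ok ir/ PUBLISHING.md` before `npm publish`, stopping on any non-zero exit.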
## Install (consumer)
Add an `.npmrc` to the consuming repo so the `@whynot` scope resolves to the registry,
then install the package plus the `lit` peer:
```ini
# .npmrc
@whynot:registry=https://gitea.coulomb.social/api/packages/coulomb/npm/
//gitea.coulomb.social/api/packages/coulomb/npm/:_authToken=${NPM_AUTH_TOKEN}
```
```sh
npm i @whynot/design@x.y.z lit
```
The installed package carries the consumer-facing contract under `ir/` (component
contracts, `tokens.json`, exemplars) reachable via the `./ir/*` export — that is what
the `drift` check (WHYNOT-WP-0003 T05) reads to report changes between versions.