Releases: codeceptjs/reflection
Releases · codeceptjs/reflection
0.5.2
0.5.1
ci: mirror main codeceptjs publish-beta.yml exactly Restores the pattern from codeceptjs/codeceptjs .github/workflows/publish-beta.yml: - setup-node with registry-url - npm install → npm install -g npm@latest (load-bearing: npm 10.9 bundled with Node 22 does NOT support OIDC trusted publishing; only npm 11.5+ does, so the upgrade is what actually makes the auth work) - --provenance publish via trusted publishing, no NPM_TOKEN I wrongly dropped both registry-url and the npm upgrade across earlier attempts, chasing theories about .npmrc interference and an arborist bug. The main repo pattern handles those issues correctly. Keeps our additions on top of the mirror: - dist-tag detection (latest vs beta) - plain SemVer tag (no `v` strip) - --access public (needed because @codeceptjs/reflection is a new scoped package) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
0.5.0
ci: drop registry-url from setup-node — it breaks trusted publishing
setup-node with registry-url writes an .npmrc containing
//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
With no NODE_AUTH_TOKEN in env (which is the whole point of trusted
publishing), npm substitutes an empty string and sends Authorization:
Bearer — an empty token — which short-circuits the OIDC flow.
The sigstore sign still works (separate OIDC exchange), but the final
PUT to registry.npmjs.org gets rejected with a misleading
404 Not Found - PUT https://registry.npmjs.org/@codeceptjs%2freflection
Omitting registry-url lets npm use its default registry and attempt
OIDC automatically. No behavior change since registry.npmjs.org is
the default anyway.
Run 24362973570 shows the exact symptom: sigstore log entry 1288262459
signed successfully, followed by the 404.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
0.4.0
0.3.0
ci: drop `npm install -g npm@latest` — fails under Node 22.22+ Run 24361722242 (v0.2.0 release) failed at the "Install latest npm" step with a MODULE_NOT_FOUND error for `promise-retry` inside @npmcli/arborist/lib/arborist/rebuild.js. Same bug hits main codeceptjs/publish-beta.yml on the same Node 22.22.2 runner (run 24115715943, 4.0.0-rc.12). Root cause: a regression in how `npm install -g npm@latest` re-enters arborist when the user's local project already has node_modules. The step is cosmetic for us — Node 22 bundles npm 10.9+, and --provenance has shipped since npm 9.5, so there's no functional reason to force a global reinstall on every publish. Fix: remove the step. If a future feature ever needs a newer npm, pin to a specific known-good version (e.g. npm@11) rather than @latest. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
0.2.0
Full Changelog: https://github.com/codeceptjs/reflection/commits/0.2.0