feat: add instructions for NPM Trusted Publishing (#1685)

2ynn · web-flow · commit dcea2bd5e302 · 2025-11-05T15:34:32.000Z
[CS-275](https://linear.app/speakeasy/issue/CS-275/feature-support-trusted-publishers-npm) [RFC](https://www.notion.so/speakeasyapi/RFC-NPM-Trusted-Publishing-29c726c497cc805f9674c0918e52e7c5?v=99bac25b265e455c871a0c3abc64f191&source=copy_link) - [X] relies on speakeasy-api/sdk-generation-action#266 being merged/released first ### Sample output for a single target (`pr` mode -> `sdk_publish.yaml`) <img width="1655" height="527" alt="screenshot_2025-11-03_12:26:56" src="https://github.com/user-attachments/assets/4518715f-03ab-4c15-821c-ef8f43ab64d1" /> ### Sample output for a single target (`direct` mode -> `sdk_generation.yaml`) <img width="1660" height="524" alt="screenshot_2025-11-03_12:25:35" src="https://github.com/user-attachments/assets/d3aafe39-b436-451a-9573-6b9a6b210001" /> ### Sample output for 2 targets in the same repo (`typescript` + `mcp-typescript`) <img width="1916" height="807" alt="screenshot_2025-10-31_15:29:14" src="https://github.com/user-attachments/assets/bc4ccbde-90c0-486b-b0b4-3160340a8104" />
diff --git a/cmd/configure.go b/cmd/configure.go
@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"regexp"
 	"slices"
 	"strings"
 
@@ -493,21 +494,18 @@ func configurePublishing(ctx context.Context, flags ConfigureGithubFlags) error
 	}
 
 	secrets := make(map[string]string)
-	var publishPaths, generationWorkflowFilePaths []string
+	workflowPaths := make(map[string]targetWorkflowPaths)
 
 	for _, name := range chosenTargets {
-		generationWorkflow, generationWorkflowFilePath, newPaths, err := writePublishingFile(workflowFile, workflowFile.Targets[name], name, rootDir, actionWorkingDir)
+		generationWorkflow, targetWorkflowPaths, err := writePublishingFile(workflowFile, workflowFile.Targets[name], name, rootDir, actionWorkingDir)
 		if err != nil {
 			return err
 		}
 		for key, val := range generationWorkflow.Jobs.Generate.Secrets {
 			secrets[key] = val
 		}
 
-		if len(newPaths) > 0 {
-			publishPaths = append(publishPaths, newPaths...)
-		}
-		generationWorkflowFilePaths = append(generationWorkflowFilePaths, generationWorkflowFilePath)
+		workflowPaths[name] = targetWorkflowPaths
 	}
 
 	if err := workflow.Save(filepath.Join(rootDir, actionWorkingDir), workflowFile); err != nil {
@@ -532,6 +530,12 @@ func configurePublishing(ctx context.Context, flags ConfigureGithubFlags) error
 	status := []string{
 		fmt.Sprintf("Speakeasy workflow written to - %s", workflowFilePath),
 	}
+
+	var publishPaths, generationWorkflowFilePaths []string
+	for _, wfp := range workflowPaths {
+		publishPaths = append(publishPaths, wfp.publishWorkflowPaths...)
+		generationWorkflowFilePaths = append(generationWorkflowFilePaths, wfp.generationWorkflowPath)
+	}
 	if len(publishPaths) > 0 {
 		status = append(status, "GitHub action (generate) written to:")
 		for _, path := range generationWorkflowFilePaths {
@@ -548,31 +552,138 @@ func configurePublishing(ctx context.Context, flags ConfigureGithubFlags) error
 		}
 	}
 
-	var agenda []string
+	agenda := []string{
+		fmt.Sprintf("• On GitHub navigate to %s and set up the following repository secrets:", secretPath),
+	}
+
 	for key := range secrets {
 		if key != config.GithubAccessToken {
 			agenda = append(agenda, fmt.Sprintf("\t◦ Provide a secret with name %s", styles.MakeBold(strings.ToUpper(key))))
 		}
 	}
-	agenda = append(agenda, fmt.Sprintf("• Push your repository to github! Navigate to %s to kick of your first publish.", actionPath))
+
+	agenda = append(agenda, fmt.Sprintf("• Push your repository to GitHub and navigate to %s to kick off your first publish!", actionPath))
+
+	// Add instructions for NPM Trusted Publishing (typescript/mcp-typescript)
+	npmTrustedPublishingConfigs := make(map[string]NPMTrustedPublishingConfig)
+	for name, wfp := range workflowPaths {
+		target := workflowFile.Targets[name]
+		if target.Publishing.NPM != nil {
+			var publishPath string
+			switch len(wfp.publishWorkflowPaths) {
+			case 0:
+				// No publish path means generation and publishing are combined into a single workflow
+				publishPath = wfp.generationWorkflowPath
+			case 1:
+				publishPath = wfp.publishWorkflowPaths[0]
+			default:
+				// For typescript/mcp-typescript, if the publish and generation workflow files
+				// are distinct (pr mode), then we only expect a single publish path.
+				return errors.Wrapf(err, "multiple publish workflow paths found for target %s", name)
+			}
+
+			// Get the packageName from the config file
+			packageName := "<packageName>"
+			outDir := ""
+			if target.Output != nil {
+				outDir = *target.Output
+			}
+			workflowDir := filepath.Join(rootDir, actionWorkingDir)
+			configPath := filepath.Join(workflowDir, outDir)
+			cfg, err := config.Load(configPath)
+			if err == nil {
+				if langCfg, ok := cfg.Config.Languages[target.Target]; ok {
+					if pkgName, ok := langCfg.Cfg["packageName"].(string); ok {
+						packageName = pkgName
+					}
+				}
+			}
+
+			npmTrustedPublishingConfigs[name] = NPMTrustedPublishingConfig{
+				target:          target,
+				workflowDir:     filepath.Join(rootDir, actionWorkingDir),
+				actionPath:      actionPath,
+				publishFileName: filepath.Base(publishPath),
+				packageName:     packageName,
+				remoteURL:       remoteURL,
+			}
+		}
+	}
+	agenda = append(agenda, getNPMTrustedPublishingInstructions(ctx, npmTrustedPublishingConfigs)...)
 
 	logger.Println(styles.Info.Render("Files successfully generated!\n"))
 	for _, statusMsg := range status {
 		logger.Println(styles.Info.Render(fmt.Sprintf("• %s", statusMsg)))
 	}
 	logger.Println(styles.Info.Render("\n"))
 
-	if len(agenda) != 0 {
-		agenda = append([]string{
-			fmt.Sprintf("• In your repo navigate to %s and setup the following repository secrets:", secretPath),
-		}, agenda...)
+	msg := styles.RenderInstructionalMessage("For your publishing setup to be complete perform the following steps.",
+		agenda...)
+	logger.Println(msg)
+
+	return nil
+}
+
+type NPMTrustedPublishingConfig = struct {
+	target          workflow.Target
+	workflowDir     string
+	actionPath      string
+	publishFileName string
+	packageName     string
+	remoteURL       string
+}
+
+func getNPMTrustedPublishingInstructions(ctx context.Context, npmConfigs map[string]NPMTrustedPublishingConfig) []string {
+	var agenda []string
+
+	// Collect unique action paths
+	actionPaths := make(map[string][]string)
+	for _, npmConfig := range npmConfigs {
+		if _, exists := actionPaths[npmConfig.actionPath]; !exists {
+			actionPaths[npmConfig.actionPath] = []string{}
+		}
+		actionPaths[npmConfig.actionPath] = append(actionPaths[npmConfig.actionPath], npmConfig.packageName)
+	}
+
+	for targetName, npmConfig := range npmConfigs {
+		repoOwner := "<user>"
+		repoName := "<repository>"
+		if npmConfig.remoteURL != "" {
+			// Expected format: "https://github.com/<user>/<repository>"
+			re := regexp.MustCompile(`^https://github\.com/([^/]+)/([^/]+)/?$`)
+			matches := re.FindStringSubmatch(npmConfig.remoteURL)
+			if len(matches) == 3 {
+				repoOwner = matches[1]
+				repoName = matches[2]
+			}
+		}
 
-		msg := styles.RenderInstructionalMessage("For your publishing setup to be complete perform the following steps.",
-			agenda...)
-		logger.Println(msg)
+		if len(npmConfigs) == 1 {
+			agenda = append(agenda, fmt.Sprintf("• Access your newly published package's settings at https://www.npmjs.com/package/%s/access", npmConfig.packageName))
+		} else {
+			agenda = append(agenda, fmt.Sprintf("• [%s] Access the '%s' package's settings at https://www.npmjs.com/package/%s/access", strings.ToUpper(npmConfig.target.Target), targetName, npmConfig.packageName))
+		}
+
+		configLines := []string{
+			fmt.Sprintf("\t\t- Organization or user: %s", repoOwner),
+			fmt.Sprintf("\t\t- Repository: %s", repoName),
+			fmt.Sprintf("\t\t- Workflow filename: %s", npmConfig.publishFileName),
+			"\t\t- Environment name: <Leave Blank>",
+		}
+		agenda = append(agenda, fmt.Sprintf("\t◦ Add 'GitHub Actions' as a 'Trusted Publisher' with the following configuration:\n%s", strings.Join(configLines, "\n")))
 	}
 
-	return nil
+	for actionPath, packageNames := range actionPaths {
+		if len(packageNames) == 1 {
+			agenda = append(agenda, fmt.Sprintf("• Navigate to %s to regenerate and publish a new version of the %s package.", actionPath, packageNames[0]))
+			agenda = append(agenda, fmt.Sprintf("• Your package's latest version should now include a 'Provenance' at https://www.npmjs.com/package/%s#provenance", packageNames[0]))
+		} else {
+			agenda = append(agenda, fmt.Sprintf("• Navigate to %s to regenerate and publish new versions of your packages.", actionPath))
+			agenda = append(agenda, "• Your packages' latest versions should now be labelled with a green check mark and include a 'Provenance'.")
+		}
+	}
+
+	return agenda
 }
 
 func configureTesting(ctx context.Context, flags ConfigureTestsFlags) error {
@@ -898,7 +1009,7 @@ func configureGithub(ctx context.Context, flags ConfigureGithubFlags) error {
 	}
 
 	if len(secrets) > 2 || !autoConfigureRepoSuccess {
-		agenda = append(agenda, fmt.Sprintf("• In your repo navigate to %s and setup the following repository secrets:", secretPath))
+		agenda = append(agenda, fmt.Sprintf("• On GitHub navigate to %s and set up the following repository secrets:", secretPath))
 	}
 
 	for key := range secrets {
@@ -955,35 +1066,42 @@ func writeGenerationFile(workflowFile *workflow.Workflow, workingDir, workflowFi
 	return generationWorkflow, generationWorkflowFilePath, nil
 }
 
-func writePublishingFile(wf *workflow.Workflow, target workflow.Target, targetName, currentWorkingDir, workflowFileDir string) (*config.GenerateWorkflow, string, []string, error) {
-	generationWorkflowFilePath := filepath.Join(currentWorkingDir, ".github/workflows/sdk_generation.yaml")
+type targetWorkflowPaths struct {
+	generationWorkflowPath string
+	publishWorkflowPaths   []string
+}
+
+func writePublishingFile(wf *workflow.Workflow, target workflow.Target, targetName, currentWorkingDir, workflowFileDir string) (*config.GenerateWorkflow, targetWorkflowPaths, error) {
+	paths := targetWorkflowPaths{}
+	paths.generationWorkflowPath = filepath.Join(currentWorkingDir, ".github/workflows/sdk_generation.yaml")
 	if len(wf.Targets) > 1 {
 		sanitizedName := strings.ReplaceAll(strings.ToLower(targetName), "-", "_")
-		generationWorkflowFilePath = filepath.Join(currentWorkingDir, fmt.Sprintf(".github/workflows/sdk_generation_%s.yaml", sanitizedName))
+		paths.generationWorkflowPath = filepath.Join(currentWorkingDir, fmt.Sprintf(".github/workflows/sdk_generation_%s.yaml", sanitizedName))
 	}
 
 	if _, err := os.Stat(filepath.Join(currentWorkingDir, ".github/workflows")); os.IsNotExist(err) {
 		err = os.MkdirAll(filepath.Join(currentWorkingDir, ".github/workflows"), 0o755)
 		if err != nil {
-			return nil, "", nil, err
+			return nil, paths, err
 		}
 	}
 
 	generationWorkflow := &config.GenerateWorkflow{}
-	if err := prompts.ReadGenerationFile(generationWorkflow, generationWorkflowFilePath); err != nil {
-		return nil, "", nil, fmt.Errorf("you cannot run configure publishing when a github workflow file %s does not exist, try speakeasy configure github", generationWorkflowFilePath)
+	if err := prompts.ReadGenerationFile(generationWorkflow, paths.generationWorkflowPath); err != nil {
+		return nil, paths, fmt.Errorf("you cannot run configure publishing when a github workflow file %s does not exist, try speakeasy configure github", paths.generationWorkflowPath)
 	}
 
 	publishPaths, err := prompts.WritePublishing(wf, generationWorkflow, targetName, currentWorkingDir, workflowFileDir, target)
 	if err != nil {
-		return nil, "", nil, errors.Wrapf(err, "failed to write publishing configs")
+		return nil, paths, errors.Wrapf(err, "failed to write publishing configs")
 	}
 
-	if err = prompts.WriteGenerationFile(generationWorkflow, generationWorkflowFilePath); err != nil {
-		return nil, "", nil, errors.Wrapf(err, "failed to write github workflow file")
+	paths.publishWorkflowPaths = publishPaths
+	if err = prompts.WriteGenerationFile(generationWorkflow, paths.generationWorkflowPath); err != nil {
+		return nil, paths, errors.Wrapf(err, "failed to write github workflow file")
 	}
 
-	return generationWorkflow, generationWorkflowFilePath, publishPaths, nil
+	return generationWorkflow, paths, nil
 }
 
 func handleLegacySDKTarget(workingDir string, workflowFile *workflow.Workflow) ([]string, []huh.Option[string]) {
diff --git a/prompts/github.go b/prompts/github.go
@@ -440,31 +440,25 @@ func WriteTestingFiles(ctx context.Context, wf *workflow.Workflow, currentWorkin
 }
 
 // WritePublishing writes a github action file for a given target for publishing to a package manager.
-// If filenameAddendum is provided, it will be appended to the filename (i.e. sdk_publish_lending.yaml).
+// If multiple targets are defined in the workflow, the filename will be suffixed with the target name.
 // Returns the paths to the files written.
 func WritePublishing(wf *workflow.Workflow, genWorkflow *config.GenerateWorkflow, targetName, currentWorkingDir, workflowFileDir string, target workflow.Target) ([]string, error) {
-	secrets := make(map[string]string)
-	secrets[config.GithubAccessToken] = formatGithubSecretName(defaultGithubTokenSecretName)
-	secrets[config.SpeakeasyApiKey] = formatGithubSecretName(defaultSpeakeasyAPIKeySecretName)
+	genSecrets := genWorkflow.Jobs.Generate.Secrets
+	genSecrets[config.GithubAccessToken] = formatGithubSecretName(defaultGithubTokenSecretName)
+	genSecrets[config.SpeakeasyApiKey] = formatGithubSecretName(defaultSpeakeasyAPIKeySecretName)
 
 	var terraformOutDir *string
 
 	if target.Publishing != nil {
 		for _, secret := range getSecretsValuesFromPublishing(*target.Publishing) {
-			secrets[formatGithubSecret(secret)] = formatGithubSecretName(secret)
+			genSecrets[formatGithubSecret(secret)] = formatGithubSecretName(secret)
 		}
 
 		if target.Target == "terraform" {
 			terraformOutDir = target.Output
 		}
 	}
 
-	currentSecrets := genWorkflow.Jobs.Generate.Secrets
-	for secret, value := range secrets {
-		currentSecrets[secret] = value
-	}
-	genWorkflow.Jobs.Generate.Secrets = currentSecrets
-
 	mode := genWorkflow.Jobs.Generate.With[config.Mode].(string)
 	if target.Target == "terraform" {
 		releaseActionPath := filepath.Join(currentWorkingDir, ".github/workflows/tf_provider_release.yaml")
@@ -495,7 +489,7 @@ func WritePublishing(wf *workflow.Workflow, genWorkflow *config.GenerateWorkflow
 			publishingFile = defaultPublishingFile()
 		}
 
-		// backfill id-token write permissions
+		// backfill `id-token: write` permission (OIDC)
 		if publishingFile.Permissions.IDToken != config.GithubWritePermission {
 			publishingFile.Permissions.IDToken = config.GithubWritePermission
 		}
@@ -521,8 +515,9 @@ func WritePublishing(wf *workflow.Workflow, genWorkflow *config.GenerateWorkflow
 			publishingFile.Jobs.Publish.With["working_directory"] = workflowFileDir
 		}
 
-		for name, value := range secrets {
-			publishingFile.Jobs.Publish.Secrets[name] = value
+		pubSecrets := publishingFile.Jobs.Publish.Secrets
+		for name, value := range genSecrets {
+			pubSecrets[name] = value
 		}
 
 		// Write a github publishing file.
