Publisher Account Setup
Configure the npmjs.com trusted publisher for @ahmed-g-gad/apothem and the GitHub-side release prerequisites.
This runbook configures the publisher side of the release surface. The
distribution story has one registry: the scoped npm package
@ahmed-g-gad/apothem on npmjs.com, published by the manually-dispatched
publish-npm.yml workflow after the GitHub Release, Pages, CI, conformity,
and harness workflows are green. Every other artifact ships on the GitHub
Release page itself and needs no external publisher account.
Identity Map
| Surface | Account | Package identity |
|---|---|---|
| GitHub | ahmed-g-gad | ahmed-g-gad/apothem |
| npm (npmjs.com) | ahmed-g-gad | @ahmed-g-gad/apothem |
The GitHub owner is allowed to drift in the future. Workflow and installer
logic reads github.repository, github.repository_owner, or
APOTHEM_GITHUB_REPOSITORY where a platform permits dynamic resolution.
The registry package identifier remains stable because users install the
package name, not the maintainer account name.
npm (npmjs.com)
-
Sign in to
https://www.npmjs.com/asahmed-g-gad. -
Enable two-factor authentication on the account.
-
Confirm the scoped package name:
npm view @ahmed-g-gad/apothem nameA
404means the scoped package has not been published yet. Any other package response must match this repository and account before publishing. -
Create the package on npm if the UI requires a first package record. Keep the name scoped:
@ahmed-g-gad/apothem. -
Configure Trusted Publishing for
@ahmed-g-gad/apothemfrom GitHub Actions:- GitHub owner:
ahmed-g-gad - Repository:
apothem - Workflow filename:
publish-npm.yml - Environment:
npmjs - Allowed action:
npm publish.
- GitHub owner:
-
In GitHub, verify the
npmjsenvironment exists onahmed-g-gad/apothemand requires manual approval for deployment. -
Keep the npm surface to one public registry package:
@ahmed-g-gad/apothemon npmjs.com. -
Confirm release readiness:
Release readiness bash scripts/release/check-release-ready.sh <release-tag> -
Run
Publish — npm(publish-npm.yml) from the GitHub Actions tab withtag=<release-tag>and approve thenpmjsenvironment deployment. -
Verify the live package:
npm verification npm view @ahmed-g-gad/apothem version npx @ahmed-g-gad/apothem@<version> --version
No NPM_TOKEN, username, or password secret is required. The workflow
publishes through npm Trusted Publishing (OIDC) with the Node version and the
npm CLI OIDC floor pinned inside .github/workflows/publish-npm.yml. It runs
npm publish --access public against npmjs.com; npm automatically emits
provenance for public packages published from a public GitHub Actions
workflow. A registry 404 during PUT means the npm-side trusted publisher,
package scope, or account authorization is not aligned yet; fix the npm
package settings before retrying the workflow.
References: npm Trusted Publishers, npm provenance, and npm scopes.
GitHub-side release prerequisites
The remaining release surfaces are GitHub-native and authenticate with the
repository-scoped GITHUB_TOKEN; no external account is involved.
-
GitHub Release.
.github/workflows/release.ymlruns on the version tag and needs only its job-localcontents: writepermission. Confirm the workflow file is present onmainbefore tagging. -
Pages custom domain. The documentation site deploys through
publish-static-site.ymlto the custom domainapothem.ahmedgad.com. The domain, DNS, and HTTPS enforcement are established by the Pages-enablement runbook; verify:Pages verification gh api repos/ahmed-g-gad/apothem/pages --jq '.cname, .https_enforced' curl -sSI https://apothem.ahmedgad.com/ | head -n 1 -
Script installers.
install.shandinstall.ps1are served from the Pages site (https://apothem.ahmedgad.com/install.shandhttps://apothem.ahmedgad.com/install.ps1). They are published by the same Pages deployment; no separate account or token is required.
Verification matrix
After setup, each publisher surface answers its canonical check:
| Surface | Check |
|---|---|
| npmjs.com | npm view @ahmed-g-gad/apothem version returns the released version |
| GitHub Release | gh release view <release-tag> --json assets --jq '.assets[].name' lists sdist, wheel, SBOM, cosign bundles, provenance, and platform archives |
| Pages | curl -sSI https://apothem.ahmedgad.com/ returns 200 on the custom domain |