release: single source of truth for version + CI release pipeline#89
Merged
Conversation
Closes #84. Adds `VERSION` at the repo root as the canonical release version, with `package.json` and `.claude-plugin/plugin.json` derived from it via `scripts/release/sync-version.sh`. A `verify-versions` workflow runs `sync-version.sh --check` on every push to catch silent drift. The `release` workflow triggers on `v*.*.*` tags. It validates the tag matches `VERSION`, runs `npm publish --provenance`, and creates a GitHub Release. It runs in the `production` environment so a required reviewer can gate publishes. The npm bootstrapper (formerly in `fujibee/agmsg-npm`) is folded into this repo at `bin/agmsg.js`. The package.json `files` whitelist keeps the npm tarball small (bin/, README.md, LICENSE — 8.2kB).
npmjs.com Trusted Publisher binding is set up against this repo / release.yml / production environment, so the workflow no longer needs a long-lived NPM_TOKEN secret. The publish step uses npm CLI 11.5+'s automatic OIDC exchange. RELEASING.md updated: no required secrets, supply-chain guards now list Trusted Publisher as the primary auth layer.
This was referenced Jun 9, 2026
fujibee
added a commit
that referenced
this pull request
Jun 10, 2026
Adds two install paths the README didn't cover after the PH-launch rework: - **npm / npx** — published since #89 via npm Trusted Publisher (OIDC) with SLSA provenance. `npx agmsg` is the lowest-friction path for Node-having users. - **Claude Code plugin marketplace** — `/plugin marketplace add fujibee/agmsg` + `/plugin install agmsg@fujibee-agmsg` + `/reload-plugins` + `/agmsg`. Verified end-to-end against a fresh Debian-based Claude Code container today: the in-CC slash command flow runs the SKILL.md Step 0 bootstrap (added in #85) and lands on the same `~/.agents/skills/agmsg/` runtime as the direct-script install. Also surfaces the `bash + sqlite3` prerequisite at the top of Quick Start. The dogfood revealed that minimal Linux images (Debian slim, etc.) don't include sqlite3 by default; the bootstrap installer surfaces a clear error, but it's worth flagging up front. macOS users are unaffected. The Install section is restructured into subsections (npm, plugin marketplace, direct script) so each path stands on its own. A note in the direct-script subsection clarifies that `--cmd` / `--agent-type` flags are direct-script only — the other paths always install as `agmsg` with auto-detected agent type.
fujibee
added a commit
that referenced
this pull request
Jun 15, 2026
Adds two install paths the README didn't cover after the PH-launch rework: - **npm / npx** — published since #89 via npm Trusted Publisher (OIDC) with SLSA provenance. `npx agmsg` is the lowest-friction path for Node-having users. - **Claude Code plugin marketplace** — `/plugin marketplace add fujibee/agmsg` + `/plugin install agmsg@fujibee-agmsg` + `/reload-plugins` + `/agmsg`. Verified end-to-end against a fresh Debian-based Claude Code container today: the in-CC slash command flow runs the SKILL.md Step 0 bootstrap (added in #85) and lands on the same `~/.agents/skills/agmsg/` runtime as the direct-script install. Also surfaces the `bash + sqlite3` prerequisite at the top of Quick Start. The dogfood revealed that minimal Linux images (Debian slim, etc.) don't include sqlite3 by default; the bootstrap installer surfaces a clear error, but it's worth flagging up front. macOS users are unaffected. The Install section is restructured into subsections (npm, plugin marketplace, direct script) so each path stands on its own. A note in the direct-script subsection clarifies that `--cmd` / `--agent-type` flags are direct-script only — the other paths always install as `agmsg` with auto-detected agent type.
fujibee
added a commit
that referenced
this pull request
Jun 15, 2026
* docs(readme): document npm and Claude Code plugin install paths Adds two install paths the README didn't cover after the PH-launch rework: - **npm / npx** — published since #89 via npm Trusted Publisher (OIDC) with SLSA provenance. `npx agmsg` is the lowest-friction path for Node-having users. - **Claude Code plugin marketplace** — `/plugin marketplace add fujibee/agmsg` + `/plugin install agmsg@fujibee-agmsg` + `/reload-plugins` + `/agmsg`. Verified end-to-end against a fresh Debian-based Claude Code container today: the in-CC slash command flow runs the SKILL.md Step 0 bootstrap (added in #85) and lands on the same `~/.agents/skills/agmsg/` runtime as the direct-script install. Also surfaces the `bash + sqlite3` prerequisite at the top of Quick Start. The dogfood revealed that minimal Linux images (Debian slim, etc.) don't include sqlite3 by default; the bootstrap installer surfaces a clear error, but it's worth flagging up front. macOS users are unaffected. The Install section is restructured into subsections (npm, plugin marketplace, direct script) so each path stands on its own. A note in the direct-script subsection clarifies that `--cmd` / `--agent-type` flags are direct-script only — the other paths always install as `agmsg` with auto-detected agent type. * docs(readme): note which install path tracks main vs tagged releases git clone / setup.sh install from main (always current); the npm package and Claude Code plugin are cut from tagged releases and can lag. Point readers at `/agmsg version` to see exactly what they're running (#117 provenance). * docs(readme): add clone step to Direct script; credit new contributors - Direct script section now shows the `git clone` + `cd` it assumed, and notes it's the path that tracks latest main. - Community: credit @lucianlamp (native Windows PowerShell helpers, #103) and @tatsuya6502 (sandboxed Bash tool support, #106) — merged but uncredited.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #84.
Summary
VERSIONat repo root as the canonical release version.package.json(npm) and.claude-plugin/plugin.json(Claude Code plugin marketplace) are derived viascripts/release/sync-version.sh.verify-versions.ymlrunssync-version.sh --checkon every push/PR — silent drift fails CI before merge.release.ymltriggers onv*.*.*tags: validates tag/VERSION match → waits forproductionenvironment approval →npm publish --access public --provenancevia Trusted Publisher OIDC → cuts GitHub Release.fujibee/agmsg-npmrepo) is folded into this repo atbin/agmsg.js. Thefileswhitelist inpackage.jsonkeeps the tarball at ~8 kB (bin/,README.md,LICENSEonly — noscripts/, nodb/, no team data).Supply-chain guards
NPM_TOKENsecret exists. npmjs.com only accepts a publish that proves via OIDC it came fromfujibee/agmsg/release.yml/productionenvironment. Package settings on npmjs.com also require 2FA and disallow tokens.environment: productiongates the publish step behind a required reviewer — a compromised tag-push alone cannot ship to npm.npm publish --provenance— GitHub-signed attestation; any tarball lacking provenance is distinguishable on npmjs.com.verify-versionscatches hand-edits topackage.json/plugin.jsonthat bypassVERSION.Setup required before first release (one-time)
These cannot be done from a PR — they need repo settings access:
fujibee/agmsg/release.yml/production, publishing access set to require 2FA and disallow tokens).productionenvironment under Settings → Environments and add yourself as required reviewer.fujibee/agmsg-npmrepo (point its README here first).Local flow after this merges
Test plan
sync-version.sh --checkclean against current 1.0.0 (idempotent).sync-version.shrejects non-semver (v1.0.0, trailing newlines, etc).npm pack --dry-runshows the 4-file tarball:LICENSE,README.md,bin/agmsg.js,package.json.node bin/agmsg.js --versionprintsagmsg bootstrapper 1.0.0.