Publish to npm as @lockdown-systems/ringrtc

micahflee · micahflee · commit f7209a7c115e · 2026-02-02T11:08:50.000-08:00
diff --git a/.github/workflows/lockdown_release.yml b/.github/workflows/lockdown_release.yml
@@ -120,6 +120,7 @@ jobs:
 
     permissions:
       contents: write # Needed for creating releases
+      id-token: write # Needed for npm provenance and trusted publishing
 
     steps:
       - uses: actions/checkout@v4
@@ -129,6 +130,10 @@ jobs:
           node-version-file: "src/node/.nvmrc"
           registry-url: "https://registry.npmjs.org/"
 
+      # Trusted publishing requires npm 11.5.1+
+      - name: Update npm for trusted publishing
+        run: npm install -g npm@latest
+
       # Download all build artifacts
       - name: Download Linux x64 build
         uses: actions/download-artifact@v4
@@ -177,25 +182,24 @@ jobs:
         with:
           files: src/node/ringrtc-desktop-build-v${{ steps.version.outputs.version }}.tar.gz
           generate_release_notes: true
+          fail_on_unmatched_files: true
 
-      # Update package.json with checksum
-      - name: Update prebuild checksum
-        run: |
-          sed -i 's/"prebuildChecksum": ""/"prebuildChecksum": "${{ steps.checksum.outputs.sha256 }}"/' package.json
-        working-directory: src/node
-
-      # Install and build
+      # Install and build (skip install scripts - we already have the prebuilt binaries)
       - name: Install dependencies
-        run: npm ci
+        run: npm ci --ignore-scripts
         working-directory: src/node
 
       - name: Build TypeScript
         run: npm run build
         working-directory: src/node
 
+      # Update package.json with checksum after build
+      - name: Update prebuild checksum
+        run: |
+          npm pkg set config.prebuildChecksum="${{ steps.checksum.outputs.sha256 }}"
+        working-directory: src/node
+
       # Publish to npm
       - name: Publish to npm
-        run: npm publish --access public
+        run: npm publish --access public --provenance --tag audiosink
         working-directory: src/node
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/src/node/package-lock.json b/src/node/package-lock.json
diff --git a/src/node/package.json b/src/node/package.json
@@ -1,9 +1,9 @@
 {
   "name": "@lockdown-systems/ringrtc",
-  "version": "2.63.0-audiosink.2",
+  "version": "2.63.0-audiosink.1",
   "repository": {
     "type": "git",
-    "url": "https://github.com/lockdown-systems/ringrtc.git",
+    "url": "git+https://github.com/lockdown-systems/ringrtc.git",
     "directory": "src/node"
   },
   "description": "Signal Messenger voice and video calling library.",
diff --git a/src/node/scripts/fetch-prebuild.js b/src/node/scripts/fetch-prebuild.js
@@ -13,10 +13,10 @@ const crypto = require('crypto');
 const tar = require('tar');
 const { Transform } = require('stream');
 const { pipeline } = require('stream/promises');
-
-const VERSION = process.env.npm_package_version;
+const { URL: NodeURL } = require('url');
 
 let config;
+let VERSION;
 
 // When installing from the registry, `npm` doesn't set `npm_package_config_*`
 // environment variables. However, unlike `yarn`, `npm` always provides a path
@@ -26,15 +26,18 @@ if (process.env.npm_package_json) {
     encoding: 'utf8',
   });
 
-  ({ config } = JSON.parse(json));
+  const pkg = JSON.parse(json);
+  config = pkg.config;
+  VERSION = pkg.version;
 } else {
   config = {
     prebuildUrl: process.env.npm_package_config_prebuildUrl,
     prebuildChecksum: process.env.npm_package_config_prebuildChecksum,
   };
+  VERSION = process.env.npm_package_version;
 }
 
-const URL = config.prebuildUrl.replace(
+const PREBUILD_URL = config.prebuildUrl.replace(
   '${npm_package_version}', // eslint-disable-line no-template-curly-in-string
   VERSION
 );
@@ -68,15 +71,30 @@ async function downloadIfNeeded() {
   await download();
 }
 
-function download() {
-  console.log(`downloading ${URL}`);
+function download(url = PREBUILD_URL) {
+  console.log(`downloading ${url}`);
   return new Promise((resolve, reject) => {
     let options = {};
     if (process.env.HTTPS_PROXY != undefined) {
       options.agent = new HttpsProxyAgent(process.env.HTTPS_PROXY);
     }
-    https.get(URL, options, async res => {
+
+    // Parse URL if it's a string
+    const parsedUrl = typeof url === 'string' ? new NodeURL(url) : url;
+
+    https.get(parsedUrl, options, async res => {
       try {
+        // Handle redirects (GitHub releases use 302 redirects)
+        if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) {
+          console.log(`following redirect to ${res.headers.location}`);
+          resolve(download(res.headers.location));
+          return;
+        }
+
+        if (res.statusCode !== 200) {
+          throw new Error(`HTTP error: ${res.statusCode} ${res.statusMessage}`);
+        }
+
         const out = fs.createWriteStream(tmpFile);
 
         const hash = crypto.createHash('sha256');
