Skip to main content
This runbook covers maintainer releases of the official worldmonitor npm CLI from cli/. CLI releases are intentionally independent from desktop app releases: a cli-vX.Y.Z Git tag triggers .github/workflows/publish-cli.yml. The Python, Ruby, and Go SDKs release the same way with their own tags (py-v*, gem-v*, sdk/go/v*) — see Official SDKs → Releasing.

Prerequisites

  • The worldmonitor package already exists on npm.
  • npm Trusted Publishing is configured for this repository and .github/workflows/publish-cli.yml.
  • The workflow keeps permissions.id-token: write so npm can mint the short-lived OIDC credential and attach provenance.
No NPM_TOKEN repository secret is required for the current workflow. If Trusted Publishing is not configured, the publish step fails authentication until an npm package owner adds the GitHub Actions trusted publisher in npm package settings.

Release Steps

  1. Update cli/package.json so version is the exact version you intend to publish.
  2. Commit the version bump, and include any CLI docs or changelog updates that should ship with that version.
  3. After the release commit is on main or the intended release ref, create a tag named cli-vX.Y.Z, where X.Y.Z exactly matches cli/package.json:
    git tag cli-vX.Y.Z
    
  4. Push the tag:
    git push origin cli-vX.Y.Z
    
  5. Watch the Publish CLI to npm workflow. It runs the CLI tests, verifies the tag version matches cli/package.json, and publishes with provenance.
The version-match guard is strict: cli-v0.1.3 only publishes when cli/package.json also says "version": "0.1.3".

Dry Run

Use the manual workflow_dispatch trigger with dry_run: true when you want to validate the package tarball without publishing. The workflow runs from cli/ and executes npm pack --dry-run. Use dry_run: false only when you intentionally want the manual workflow path to publish. Tag-triggered releases remain the normal path because the tag name is the release contract.
dry_run: false skips the version-match guard. That check is gated to tag pushes (if: startsWith(github.ref, 'refs/tags/cli-v')), so a manual workflow_dispatch publish runs without verifying cli/package.json against any tag — it publishes whatever version the package currently declares. Prefer the tag-triggered path above, which enforces the match; use manual dry_run: false only as a deliberate escape hatch after confirming the version by hand.

Failure Checklist

SymptomLikely causeFix
Version-match step failsThe cli-v* tag does not match cli/package.jsonDelete or supersede the bad tag, bump or correct the package version, then push the matching tag
Publish step fails authenticationnpm Trusted Publishing is missing or points at the wrong workflow/repositoryConfigure the package trusted publisher for this repo and .github/workflows/publish-cli.yml
CLI tests failThe package is not release-readyFix cli/, rerun tests locally, commit, and push a new release tag
After the workflow succeeds, confirm the new version appears on npm and that npx worldmonitor --version resolves to the published version.