This document explains required repository settings for the hardened CI/CD pipelines.
Repository secrets:
- `QMD_SILICONFLOW_API_KEY` (optional): enables the SiliconFlow integration smoke job; the job is skipped when it is not set.
- `NPM_TOKEN` is not required if npm trusted publishing is configured in the package settings (recommended, see below).
- Otherwise set `NPM_TOKEN` to an npm automation token with publish permissions.
Branch protection is a GitHub rule applied to `main` that blocks direct pushes and prevents merging unreviewed or failing changes.
Recommended settings for this repo:
- Settings → Branches → Add rule for `main`
- Enable:
  - Require a pull request before merging
  - Require approvals (at least 1)
  - Require status checks to pass before merging
- Required checks:
  - Typecheck
  - Quality (typecheck + unit tests)
  - Integration (SiliconFlow smoke), optional unless you want a hard API gate on every PR
If you expect pull requests from external forks, keep Integration optional: GitHub does not pass repository secrets to workflows triggered by fork PRs, so the smoke job cannot run there and, if it were a required check, every fork PR would be blocked.
In the npm package settings for `qmdr`:
- Open the package → Settings → Trusted publishers
- Add a GitHub repository: `uf-hy/qmdr` (replace with your actual owner/repo if different)
- Restrict the workflow file to `.github/workflows/release.yml`, so that only that workflow can publish
- Save
After this, the release workflow can publish via OIDC (it needs `id-token: write` in its permissions) without an `NPM_TOKEN`.
Release is tag-driven:

```sh
git tag v1.0.3
git push origin v1.0.3
```

Workflow guarantees:
- the tag version must match the `package.json` version
- binaries are built for all configured targets
- `.sha256` checksum files are attached
- `npm publish` runs before the GitHub Release is created
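The first and third guarantees above are the ones a release job most often gets wrong (a tag that does not match `package.json`, or checksum files that are generated but never checked). The script below is an added example written for this page, not the `qmdr` repository's own release workflow, showing both checks in plain POSIX sh: it extracts the version from the pushed tag ref, compares it with `package.json`, writes a `.sha256` file next to every built binary, and verifies them before anything is attached. The `dist/` directory, the `vX.Y.Z` tag format, the one-key-per-line `package.json` layout and all file names are assumptions for the demo.

```sh
#!/bin/sh
# Added example (not part of the qmdr repo): release guard for a tag-driven
# workflow. Assumes binaries are in dist/ and tags look like vX.Y.Z.
set -eu

# Turn "refs/tags/v1.0.3" (or a bare "v1.0.3") into "1.0.3".
# Returns 1 for anything that is not a plain vX.Y.Z release tag.
tag_version() {
  tag="${1#refs/tags/}"
  printf '%s' "$tag" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$' || return 1
  printf '%s\n' "${tag#v}"
}

# Read "version" from package.json without needing node. Assumes the usual
# one-key-per-line layout; a real job can use
# `node -p "require('./package.json').version"` instead.
package_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Fail unless the tag version equals the package.json version; print it on success.
check_tag_matches_package() {
  want=$(package_version "$2")
  got=$(tag_version "$1") || { echo "not a release tag: $1" >&2; return 1; }
  if [ "$got" != "$want" ]; then
    echo "tag v$got does not match package.json version $want" >&2
    return 1
  fi
  printf '%s\n' "$got"
}

# SHA-256 via GNU coreutils sha256sum, or shasum on BSD/macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Write <file>.sha256 beside every regular file in the directory, in the
# "<hash>  <basename>" format that `sha256sum -c` understands.
write_checksums() {
  dir="$1"
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in *.sha256) continue ;; esac
    printf '%s  %s\n' "$(sha256_of "$f")" "$(basename "$f")" > "$f.sha256"
  done
}

# Re-hash every binary that has a .sha256 file; return 1 on any mismatch or
# missing binary so the workflow stops before attaching release assets.
verify_checksums() {
  dir="$1"
  status=0
  for c in "$dir"/*.sha256; do
    [ -f "$c" ] || continue
    bin="${c%.sha256}"
    expected=$(cut -d' ' -f1 "$c")
    if [ ! -f "$bin" ]; then
      echo "missing binary for $c" >&2; status=1; continue
    fi
    actual=$(sha256_of "$bin")
    if [ "$expected" != "$actual" ]; then
      echo "checksum mismatch: $(basename "$bin")" >&2; status=1
    fi
  done
  return $status
}

# Demo on constructed inputs: a fake package.json and two fake "binaries"
# in a temp dir (constructed data, not real build output).
demo() {
  work=$(mktemp -d)
  printf '{\n  "name": "qmdr",\n  "version": "1.0.3"\n}\n' > "$work/package.json"
  mkdir "$work/dist"
  printf 'linux-x64 binary\n' > "$work/dist/qmdr-linux-x64"
  printf 'darwin-arm64 binary\n' > "$work/dist/qmdr-darwin-arm64"

  check_tag_matches_package refs/tags/v1.0.3 "$work/package.json"
  write_checksums "$work/dist"
  verify_checksums "$work/dist" && echo "checksums OK"

  # Tamper with a binary after its checksum was written: verification must fail.
  printf 'tampered\n' > "$work/dist/qmdr-linux-x64"
  if verify_checksums "$work/dist"; then echo "BUG: tamper not detected"; else echo "tamper detected"; fi
  rm -rf "$work"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `sh release-guard.sh --demo` to see the matching tag accepted, the checksums verified, and the tampered binary rejected. In a workflow the tag ref is available as `GITHUB_REF`, so the job would call `check_tag_matches_package "$GITHUB_REF" package.json` first and only proceed to build, checksum and publish when it succeeds.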
Other pipeline notes:
- CI runs on `pull_request`, `push` to `main`, and `workflow_dispatch`.
- The nightly full regression runs on a schedule (`.github/workflows/nightly.yml`) and can also be triggered manually.
- The integration smoke job runs only when `QMD_SILICONFLOW_API_KEY` is set.
- Integration and nightly jobs upload their logs as workflow artifacts for faster debugging.
- If npm trusted publishing is not configured and `NPM_TOKEN` is missing, the release workflow fails at the `npm publish` step.