fix: harden web SDK npm releases#165
Merged
Merged
Conversation
shuaib-ahmed-vapi
approved these changes
Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Linear ticket
https://linear.app/vapi/issue/PRISM-1194/web-sdk-harden-npm-releases-with-oidc-and-human-approval
Fixes PRISM-1194
Value
vapi employees can now release the web SDK without a long-lived npm token. Publishing only succeeds for a version-changing PR merged into protected
main, where one approving review is required and no actors can bypass the rule.We found the gap after the
v2.5.3GitHub release failed npm authentication and never reached the registry.Small edit since first push: the release workflow no longer checks the release author's identity. Human approval is enforced where SDK code changes, at the protected pull request merge.
Evidence of value
v2.5.3tag passes the new merged-PR and version-change checks.API Changes (including webhooks + events)
Is this changing the public API?
If yes, is it backward‐compatible?
Non backward-compatible changes might break customers' agents. Please proceed with care and notify the team.
Testing plan
Merge through the protected
mainbranch, then publish a GitHub Release from a merged version PR. Confirm npm Trusted Publishing succeeds, the expected package version appears on npm, and Slack receives the release result. A failed workflow, missing Slack notification, or an unchanged npm version indicates a regression.