chore(main): release 2.2.0

[source-release-bot]

🤖 I have created a release beep boop

2.2.0 (2026-06-19)

Features

• OIDC provider (#132) (5671b64)

Bug Fixes

• registry: sync product model with source.coop#284 (drop mirror config, use visibility) (#149) (8ecf9b4)

---

This PR was generated with Release Please. See documentation.

[github-actions]

🚀 Latest commit deployed to https://source-data-proxy-pr-150.source-coop.workers.dev

• Date: 2026-06-19T05:44:56Z
• Commit: 2005997

[alukach]

Deploy review — env vars (updated)

✅ No env var changes are required for this release to boot. The new non-secret vars (AUTH_ISSUER, OIDC_PROVIDER_ISSUER, OIDC_PROVIDER_KID) are in wrangler.toml, and the OIDC_PROVIDER_KEY / SESSION_TOKEN_KEY secrets already exist in both the production and staging GitHub environments. Staging is live and healthy.

Two follow-ups to handle before/with publishing the release:

Warning

Enable /.sts for production — it returns 501 until AUTH_AUDIENCE is set. /.sts token exchange is fail-closed: it stays disabled unless AUTH_AUDIENCE (the Ory OAuth2 client_id that subject tokens must carry in their aud claim) is configured. It's read as a plain wrangler.toml var (env.var), not a secret. Staging was wired up in 8cf364a; production needs the same, in two steps:

1. Create the production Ory OAuth2 client against the prod issuer (auth.source.coop). This is the client the frontend/CLI uses to obtain the ID token it presents to /.sts, and its client_id becomes the required audience.
2. Add AUTH_AUDIENCE = "<prod client_id>" to the [vars] block of wrangler.toml — the production analog of 8cf364a (which added it under [env.staging.vars] as 1123dfa8-…). This must land in the commit the release is cut from, since production.yml deploys on release publish and [vars] is what carries the value.

Until both are done, prod /.sts returns 501 (staging already returns credentials). Only a single audience is supported today, so use the one client_id that production clients present.

Note

The production deploy's smoke test will fail on the wrong URL — fix in flight (#155). The smoke test curls <worker>.<subdomain>.workers.dev, but staging/production are served only via custom-domain routes, so it 404s even when the worker booted fine (this is why the staging deploy of #132 went red while data.staging.source.coop was healthy at 200). #155 changes the smoke test to target the URL wrangler actually published. Merge #155 before cutting the production release, otherwise the release deploy job goes red on an otherwise-healthy deploy.