From 47e88637233cb6027b6aebd973d57463c6a142e2 Mon Sep 17 00:00:00 2001 From: Yasha Date: Sun, 26 Apr 2026 10:02:47 +0200 Subject: [PATCH] chore(ci): switch npm publish to Trusted Publishing (OIDC) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Drops NPM_TOKEN in favour of npm's OIDC-based Trusted Publishing. The workflow's id-token permission lets npm verify it was invoked by this exact workflow on this exact repo, and provenance is attached to the published tarball. Requires a one-time setup on npmjs.com: package settings → Publishing access → Add trusted publisher with org=QualityUnit, repo=harnext, workflow=release.yml. Co-Authored-By: Claude Opus 4.7 --- .github/workflows/release.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bfd6579..6502636 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -27,6 +27,9 @@ jobs: registry-url: 'https://registry.npmjs.org' cache: npm + - name: Upgrade npm to a version that supports Trusted Publishing + run: npm install -g npm@latest + - name: Install dependencies run: npm ci @@ -38,11 +41,9 @@ jobs: - name: Publish CLI working-directory: packages/cli - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} run: | if [ "${{ github.event_name }}" = "workflow_dispatch" ] && [ "${{ inputs.dry_run }}" = "true" ]; then - npm publish --dry-run + npm publish --dry-run --provenance --access public else - npm publish + npm publish --provenance --access public fi