Skip to content

Commit 9527956

Browse files
nixel2007claude
andcommitted
Switch publish workflow to npm Trusted Publishing (OIDC)
The package is now established on npmjs.org with a Trusted Publisher binding to this workflow. Drops the NPM_TOKEN dependency: - Removed NODE_AUTH_TOKEN env var from publish / publish-dry-run steps - Removed always-auth: true from setup-node (no static token to auth with) - Added 'npm install --global npm@latest' step — Node 22 LTS ships with npm 10.9.x and Trusted Publishing needs >= 11.5.1 - Updated README publishing instructions accordingly The id-token: write permission and --provenance flag stay; together they let npm exchange the workflow OIDC token for a short-lived publish credential and attach a sigstore provenance attestation to the artifact. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1 parent f10e021 commit 9527956

2 files changed

Lines changed: 36 additions & 40 deletions

File tree

.github/workflows/publish.yml

Lines changed: 12 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -10,10 +10,10 @@ on:
1010
type: boolean
1111
default: false
1212

13-
# Required by `npm publish --provenance`: the workflow exchanges its OIDC
14-
# token for a sigstore signing identity that npmjs.org records alongside the
15-
# tarball. Consumers can then verify the artifact came from this specific
16-
# repo + workflow run via `npm view @1c-syntax/codemirror-lang-bsl provenance`.
13+
# Required by npm's Trusted Publishing flow: the workflow exchanges its OIDC
14+
# token for an npm credential at publish time, so no long-lived NPM_TOKEN
15+
# secret is needed. Together with --provenance this also records a sigstore
16+
# attestation pointing back at this exact workflow run.
1717
permissions:
1818
contents: read
1919
id-token: write
@@ -35,11 +35,15 @@ jobs:
3535
with:
3636
node-version: 22
3737
cache: npm
38+
# Tells npm which registry to ask for an OIDC-bound credential at
39+
# publish time. Required even without a token, otherwise the CLI
40+
# falls back to whatever a global .npmrc points at.
3841
registry-url: "https://registry.npmjs.org/"
39-
# Forces auth for the public registry even though our committed
40-
# .npmrc only sets `registry`. Without this, `npm publish` would
41-
# use the anonymous fetch path and reject the upload.
42-
always-auth: true
42+
43+
# Node 22 LTS ships with npm 10.9.x; Trusted Publishing requires
44+
# npm >= 11.5.1, so we upgrade in place before any publish step.
45+
- name: Upgrade npm for Trusted Publishing support
46+
run: npm install --global npm@latest
4347

4448
- run: npm ci
4549

@@ -61,11 +65,7 @@ jobs:
6165
- name: Publish (dry-run)
6266
if: github.event_name == 'workflow_dispatch' && inputs.dry_run
6367
run: npm publish --dry-run --provenance --access public
64-
env:
65-
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
6668

6769
- name: Publish
6870
if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && !inputs.dry_run)
6971
run: npm publish --provenance --access public
70-
env:
71-
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

README.md

Lines changed: 24 additions & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -146,41 +146,37 @@ the rollup config copies into `docs/index.html` alongside the bundled
146146

147147
Releases are cut by publishing a GitHub Release with a tag of the form
148148
`v<version>` (matching `package.json#version`). The
149-
`.github/workflows/publish.yml` workflow then builds, tests, and runs
150-
`npm publish --provenance --access public` against npmjs.org.
149+
`.github/workflows/publish.yml` workflow builds, tests, and runs
150+
`npm publish --provenance --access public` against npmjs.org. Authentication
151+
is done via [npm Trusted Publishing](https://docs.npmjs.com/trusted-publishers)
152+
— no long-lived `NPM_TOKEN` secret is needed; npm exchanges the workflow's
153+
OIDC token for a short-lived credential at publish time.
151154

152-
### First-time setup (NPM_TOKEN)
155+
### Setup (one-time)
153156

154-
npm does not allow configuring Trusted Publishers for a package that does
155-
not exist yet, so the first release must be authenticated with an
156-
[Automation token](https://docs.npmjs.com/about-access-tokens):
157+
1. <https://www.npmjs.com/package/@1c-syntax/codemirror-lang-bsl/access>
158+
*Trusted Publishers**Add*
159+
2. Provider: **GitHub Actions**
160+
3. Repository owner: `1c-syntax`, Repository: `codemirror-lang-bsl`
161+
4. Workflow file name: `publish.yml`
162+
5. Environment: `npm`
157163

158-
1. Generate an **Automation** access token at
159-
<https://www.npmjs.com/settings/USERNAME/tokens> (a user-scope token works;
160-
org-scope is fine too if the package lives under an npm org).
161-
2. Add it as a repository secret named `NPM_TOKEN` at
162-
<https://github.com/1c-syntax/codemirror-lang-bsl/settings/secrets/actions>.
163-
3. Bump `package.json#version`, commit, push, then create a Release at
164-
<https://github.com/1c-syntax/codemirror-lang-bsl/releases/new> with tag
165-
`v<version>`. The workflow picks up the release-published event and
166-
publishes the tarball.
164+
That's it — no secrets, no tokens. The workflow's `id-token: write`
165+
permission plus `--provenance` are enough; npm verifies the OIDC token
166+
against the configured trusted publisher and accepts the upload.
167167

168-
The `workflow_dispatch` trigger has a `dry_run` input that runs
169-
`npm publish --dry-run` against the same workflow — useful for verifying
170-
the tarball contents and packaged size before cutting a real release.
168+
### Cutting a release
171169

172-
### After the first release (Trusted Publishing)
170+
1. Bump `package.json#version`, commit, push.
171+
2. <https://github.com/1c-syntax/codemirror-lang-bsl/releases/new>
172+
tag `v<version>` (matching `package.json#version`) → *Publish release*.
173+
3. The `Publish to npm` workflow picks up the `release.published` event,
174+
verifies tag-vs-version, builds, tests, and runs `npm publish`.
173175

174-
Once `@1c-syntax/codemirror-lang-bsl` exists on npmjs.org, switch to
175-
[Trusted Publishing](https://docs.npmjs.com/trusted-publishers) to drop the
176-
NPM_TOKEN secret:
176+
### Dry-run before cutting
177177

178-
1. <https://www.npmjs.com/package/@1c-syntax/codemirror-lang-bsl/access>
179-
*Trusted Publishers**Add*
180-
2. Provider: GitHub Actions; Repository: `1c-syntax/codemirror-lang-bsl`;
181-
Workflow file: `.github/workflows/publish.yml`; Environment: `npm`.
182-
3. Remove the `NPM_TOKEN` secret from the repo (the `NODE_AUTH_TOKEN`
183-
env var still gets populated, just from npm's OIDC exchange).
178+
`workflow_dispatch` on `Publish to npm` accepts a `dry_run` input. Run it
179+
to validate auth, build, and tarball contents without actually publishing.
184180

185181
## License
186182

0 commit comments

Comments
 (0)