Merge pull request #12 from BitGo/DX-2083-trusted-publishing

Tanjeem Hossain · web-flow · commit 5d1f0e22bc41 · 2025-11-13T10:43:33.000-05:00
ci: migrate to OIDC trusted publishing
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -11,7 +11,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        version: [18.x,20.x]
+        version: [22.x]
     name: Lint, build and test
     runs-on: ubuntu-latest
     steps:
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml
@@ -1,4 +1,11 @@
 name: Prerelease
+permissions:
+  # Needed for npm Trusted Publishing
+  id-token: write
+  # Needed for semantic-release
+  contents: write
+  pull-requests: write
+  issues: write
 on:
   push:
     branches:
@@ -7,6 +14,7 @@ jobs:
   release:
     name: Prerelease
     runs-on: ubuntu-latest
+    environment: publish
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -15,14 +23,16 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 20.x
+          node-version: 22.x
+      - name: Ensure npm 11.5.1 or later for trusted publishing
+        run: |
+          npm install -g npm@11.5.1
       - name: Install dependencies
         run: yarn
       - name: Build library
         run: yarn build:prod
       - name: Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
         run: yarn run semantic-release
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,4 +1,11 @@
 name: Release
+permissions:
+  # Needed for npm Trusted Publishing
+  id-token: write
+  # Needed for semantic-release
+  contents: write
+  pull-requests: write
+  issues: write
 on:
   push:
     branches:
@@ -7,6 +14,7 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    environment: publish
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -15,15 +23,17 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 20.x
+          node-version: 22.x
+      - name: Ensure npm 11.5.1 or later for trusted publishing
+        run: |
+          npm install -g npm@11.5.1
       - name: Install dependencies
         run: yarn
       - name: Build library
         run: yarn build:prod
       - name: Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
         run: yarn run semantic-release
       - name: Rebase master
diff --git a/package.json b/package.json
@@ -49,7 +49,7 @@
     "@semantic-release/commit-analyzer": "11.1.0",
     "@semantic-release/git": "10.0.1",
     "@semantic-release/github": "9.2.6",
-    "@semantic-release/npm": "11.0.2",
+    "@semantic-release/npm": "13.1.1",
     "@types/jest": "29.5.11",
     "@types/node": "18.18.7",
     "@typescript-eslint/eslint-plugin": "6.18.1",
diff --git a/yarn.lock b/yarn.lock
