Skip to content

Commit 8821cc9

Browse files
committed
fix(ci): remove registry-url to fix OIDC npm publishing
The registry-url option in setup-node creates an .npmrc with a token placeholder that overrides OIDC authentication. Remove it so npm automatically uses OIDC for trusted publishing. Also remove the GitHub Packages dual-publish step — npm OIDC handles provenance.
1 parent 221dd18 commit 8821cc9

1 file changed

Lines changed: 1 addition & 19 deletions

File tree

.github/workflows/ci.yml

Lines changed: 1 addition & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -84,7 +84,7 @@ jobs:
8484
- uses: actions/setup-node@v4
8585
with:
8686
node-version: "22"
87-
registry-url: "https://registry.npmjs.org"
87+
# Do NOT set registry-url — it creates an .npmrc that overrides OIDC
8888
- uses: pnpm/action-setup@v4
8989
- run: pnpm install --frozen-lockfile
9090
- uses: actions/cache@v4
@@ -95,24 +95,6 @@ jobs:
9595
turbo-release-${{ runner.os }}-${{ hashFiles('pnpm-lock.yaml') }}-
9696
turbo-release-${{ runner.os }}-
9797
- run: npx turbo run _compile _schema
98-
- name: Record pre-release version
99-
id: pre
100-
run: echo "version=$(npm pkg get version | tr -d '\"')" >> "$GITHUB_OUTPUT"
10198
- run: npx semantic-release
10299
env:
103100
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
104-
NPM_CONFIG_PROVENANCE: "true"
105-
- name: Check if released
106-
id: released
107-
run: |
108-
CURRENT=$(npm pkg get version | tr -d '"')
109-
if [ "$CURRENT" != "${{ steps.pre.outputs.version }}" ]; then
110-
echo "new_version=$CURRENT" >> "$GITHUB_OUTPUT"
111-
fi
112-
- name: Publish to GitHub Packages
113-
if: steps.released.outputs.new_version
114-
run: |
115-
npm pkg set name='@exadev/sysprom'
116-
npm publish --registry https://npm.pkg.github.com
117-
env:
118-
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

0 commit comments

Comments
 (0)