Merged
Changes from 2 commits
3 changes: 3 additions & 0 deletions .github/workflows/format.yml
Expand Up @@ -7,6 +7,9 @@ on:
pull_request:
workflow_dispatch:

permissions:
contents: read

jobs:
format:
runs-on: ubuntu-latest
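Review bot: Placing `permissions: contents: read` above `jobs:` makes the read-only token the default for every job in format.yml, so a job that pushes formatting fixes or writes anything back to the repository would now fail with a 403 unless it declares its own job-level `permissions:` block. The visible context (`format:` / `runs-on: ubuntu-latest`) does not show what the job does, so please confirm it only checks formatting; if it does write, add `permissions: contents: write` on that job rather than widening the workflow default again.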
16 changes: 12 additions & 4 deletions .github/workflows/publish.yml
Expand Up @@ -69,9 +69,10 @@ jobs:
- name: Format check
run: bun run format:check

# Fail fast on bad/missing NPM_TOKEN before any side effects
# (version.ts writes to package.json, network calls to GH, etc.)
# Surfaces auth issues in ~2s instead of mid-publish.
# npm whoami does NOT support OIDC trusted publishing — it only
# works with a static token. We keep NODE_AUTH_TOKEN here so this
# pre-publish sanity check still works. The actual publish step
# authenticates via OIDC (no token needed).
- name: Verify npm auth
run: npm whoami --registry=https://registry.npmjs.org/
env:
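Review bot: Keeping `NODE_AUTH_TOKEN` on the `Verify npm auth` step because `npm whoami` cannot use OIDC means the static `NPM_TOKEN` secret must still exist and still be injected into this job, even though the publish itself no longer needs it; that gives up much of the point of trusted publishing, which is not having a long-lived publish-capable token in the workflow at all. Suggest either dropping this pre-check on the OIDC path (the publish step will fail on auth problems anyway) or switching it to a granular token with read-only scope, so that a leak from this step cannot be used to publish. Minor: the `~2s` in the comment is a measurement, not a guarantee; "fails early, before any side effects" says what matters without a number that will drift.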
Expand Down Expand Up @@ -107,11 +108,15 @@ jobs:
# recovery handler prints the exact manual recovery commands.
# ============================================================

# Authentication for npm publish uses OIDC trusted publishing —
# no NODE_AUTH_TOKEN needed. npm CLI auto-detects the OIDC
# environment when id-token: write is set and no token is present.
# Configured on npmjs.com under package settings → Trusted Publishers.
# Requires npm CLI v11.5.1+ and Node 22.14.0+.
- name: Publish to npm
id: publish
run: bun script/publish.ts
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
NPM_CONFIG_PROVENANCE: "true"
KILO_CHANNEL: ${{ steps.version.outputs.channel }}

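Review bot: The `env:` block of `Publish to npm` still shows `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` directly under a comment stating no token is needed. The hunk counts (`-107,11 +108,15` with five comment lines added) suggest that line is the one being removed, but the rendered diff has lost its +/- markers, so please confirm the token is actually gone from this step: the comment itself says npm only auto-detects OIDC when no token is present, so a leftover token would silently fall back to static-token auth. Two things this hunk cannot show and that should be checked in the same file: the `publish` job needs `permissions: id-token: write` for OIDC (the comment mentions it, but no permissions block appears in the diff), and the stated `npm CLI v11.5.1+ and Node 22.14.0+` requirement is not enforced anywhere visible. Since the step runs `bun script/publish.ts`, an explicit `npm --version` check or a pinned `setup-node` version before this step would make a runner image with an older npm fail clearly rather than attempt a token-less publish.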
Expand Down Expand Up @@ -155,6 +160,9 @@ jobs:
#
# Like the verify step above, this is INFORMATIONAL only —
# it never fails the workflow and never blocks tag/release.
# npm dist-tag add is a write operation NOT covered by OIDC
# trusted publishing (OIDC only covers npm publish). Still
# needs the static token.
- name: Reconcile latest dist-tag (dev publishes)
if: steps.publish.outcome == 'success' && steps.version.outputs.channel == 'dev'
env:
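Review bot: The comment on `Reconcile latest dist-tag` says the step still needs the static token because `npm dist-tag add` is not covered by OIDC; together with the `Verify npm auth` step, that means `NPM_TOKEN` remains a required long-lived secret after this PR, which is worth stating once near the top of the workflow so nobody deletes the secret after reading "no token needed" on the publish step. Because this step is documented as informational and never fails the workflow, a revoked or expired token would make the `latest` tag silently stop moving for dev publishes; consider emitting a `::warning::` annotation when the dist-tag call fails so the condition is visible in the run summary without blocking the tag or release.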
3 changes: 3 additions & 0 deletions .github/workflows/test.yml
Expand Up @@ -7,6 +7,9 @@ on:
pull_request:
workflow_dispatch:

permissions:
contents: read

jobs:
test:
runs-on: ubuntu-latest
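Review bot: Same workflow-level `contents: read` as in format.yml, and the case it actually changes is `workflow_dispatch` (and any other non-fork trigger), since a `pull_request` run from a fork already receives a read-only `GITHUB_TOKEN` while a manually dispatched run on the default branch does not. No concern as long as the `test` job only needs checkout; if it uploads coverage, writes check annotations or comments on PRs, it will need a job-level `permissions:` block granting exactly those scopes.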
3 changes: 3 additions & 0 deletions .github/workflows/typecheck.yml
Expand Up @@ -7,6 +7,9 @@ on:
pull_request:
workflow_dispatch:

permissions:
contents: read

jobs:
typecheck:
runs-on: ubuntu-latest
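Review bot: Same `contents: read` default as the other workflows in this PR; appropriate for a typecheck job that only reads the checkout. Since the identical three-line block is now repeated in format.yml, test.yml and typecheck.yml, a follow-up could also set the repository's default `GITHUB_TOKEN` permissions to read-only under Settings → Actions, so the explicit blocks become belt-and-braces rather than the only guard for any workflow added later without one.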