update publish workflow to use OIDC authentication

kieran-osgood-shopify · kieran-osgood-shopify · commit a1055cf3ccb9 · 2026-02-24T12:42:34.000Z
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -7,7 +7,12 @@ runs:
     - name: Setup Node.js
       uses: actions/setup-node@1a4442cacd436585916779262731d5b162bc6ec7 # v3.8.2
       with:
-        node-version: 20
+        node-version: 22
+        registry-url: 'https://registry.npmjs.org'
+
+    - name: Install npm 11
+      run: npm install -g npm@11
+      shell: bash
 
     - name: Cache turbo build setup
       uses: actions/cache@v4
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -10,13 +10,21 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Setup
         uses: ./.github/actions/setup
 
+      - name: Debug versions
+        run: |
+          node --version
+          npm --version
+
       - name: Determine NPM tag
         id: npm-tag
         run: |
@@ -34,11 +42,10 @@ jobs:
 
       - name: Prepare release
         run: |
-          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
           cp README.md modules/@shopify/checkout-sheet-kit
           yarn module clean
           yarn module build
           cd modules/@shopify/checkout-sheet-kit
           npm publish --access public --tag ${{ steps.npm-tag.outputs.tag }}
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: '' # Empty string forces OIDC
diff --git a/dev.yml b/dev.yml
@@ -15,7 +15,7 @@ up:
         ios:
           - '26.0'
   - node:
-      version: v20.11.1
+      version: v22.14.0
       yarn: 1.22.22
   - custom:
       name: Install NPM dependencies
diff --git a/modules/@shopify/checkout-sheet-kit/package.json b/modules/@shopify/checkout-sheet-kit/package.json
@@ -9,6 +9,10 @@
   "description": "A React Native library for Shopify's Checkout Kit.",
   "author": "Shopify",
   "homepage": "https://github.com/shopify/checkout-sheet-kit-react-native",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Shopify/checkout-sheet-kit-react-native"
+  },
   "publishConfig": {
     "registry": "https://registry.npmjs.org/"
   },
