Commit d456da1
ci: publish to npm via OIDC Trusted Publishing
Switch the npm publish workflow from a long-lived NPM_TOKEN secret to
short-lived OIDC tokens via npm Trusted Publishing. Grant id-token: write,
upgrade npm to @latest (Trusted Publishing needs npm >= 11.5.1), drop
NODE_AUTH_TOKEN, and add --provenance for attestation.
Required setup on npmjs.com before the next release tag:
1. npmjs.com -> @snap/react-camera-kit settings -> Publishing access ->
Add trusted publisher -> GitHub Actions
2. Org: Snapchat, Repo: react-camera-kit, Workflow filename: publish.yml,
Environment: blank
3. After the first successful OIDC publish, delete the NPM_TOKEN repo secret.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent c315e96 commit d456da1
1 file changed
Lines changed: 7 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
10 | 10 | | |
11 | 11 | | |
12 | 12 | | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
13 | 16 | | |
14 | 17 | | |
15 | 18 | | |
| |||
21 | 24 | | |
22 | 25 | | |
23 | 26 | | |
| 27 | + | |
| 28 | + | |
| 29 | + | |
24 | 30 | | |
25 | 31 | | |
26 | 32 | | |
| |||
50 | 56 | | |
51 | 57 | | |
52 | 58 | | |
53 | | - | |
54 | | - | |
55 | | - | |
| 59 | + | |
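Review bot: per the commit message, this change upgrades npm to @latest, which leaves the npm version unpinned in the workflow that is granted id-token: write and runs the publish. The message gives npm >= 11.5.1 as the only requirement, so consider pinning an exact version that meets it (for example `npm install -g npm@11.5.1`) and bumping it deliberately, so that a new npm release cannot change the publish step without review. The setup steps also leave the trusted publisher's Environment blank; binding it to a protected GitHub environment would limit which runs of publish.yml can obtain a publish-capable token.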