
Commit d456da1

msilivonik-sc and claude committed
ci: publish to npm via OIDC Trusted Publishing
Switch the npm publish workflow from a long-lived NPM_TOKEN secret to short-lived OIDC tokens via npm Trusted Publishing. Grant id-token: write, upgrade npm to @latest (Trusted Publishing needs npm >= 11.5.1), drop NODE_AUTH_TOKEN, and add --provenance for attestation.

Required setup on npmjs.com before the next release tag:

1. npmjs.com -> @snap/react-camera-kit settings -> Publishing access -> Add trusted publisher -> GitHub Actions
2. Org: Snapchat, Repo: react-camera-kit, Workflow filename: publish.yml, Environment: blank
3. After the first successful OIDC publish, delete the NPM_TOKEN repo secret.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent c315e96 commit d456da1

1 file changed

Lines changed: 7 additions & 3 deletions

.github/workflows/publish.yml

@@ -10,6 +10,9 @@ jobs:
1010
publish:
1111
runs-on: ubuntu-latest
1212
timeout-minutes: 10
13+
permissions:
14+
contents: read
15+
id-token: write
1316
steps:
1417
- name: Checkout code
1518
uses: actions/checkout@v4
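Review bot: the job-level `permissions:` block added here replaces whatever the workflow or repository default granted, so from this point the publish job holds only `contents: read` and `id-token: write`. That is the right minimal set for an OIDC publish, but any later step in this job that writes to the repository (creating a release, pushing a tag) will now fail with a permissions error and would need its scope added to this block. Keeping `id-token: write` scoped to this single job rather than the workflow level is the preferable placement, since only the publish step should be able to mint an OIDC token.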
@@ -21,6 +24,9 @@ jobs:
2124
cache: npm
2225
registry-url: "https://registry.npmjs.org/"
2326

27+
- name: Upgrade npm for Trusted Publishing
28+
run: npm install -g npm@latest
29+
2430
- name: Determine pre-release tag
2531
run: |
2632
TAG_NAME=${GITHUB_REF_NAME}
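Review bot: `npm install -g npm@latest` is unpinned, so every run pulls whatever npm version is current at execution time into a workflow whose whole purpose is to establish a trustworthy publish path. Pin it to a known version that satisfies the floor stated in the commit message (npm >= 11.5.1) and follow the install with an `npm --version` check, so a regression in a fresh npm release or an unexpected version is caught before the publish step rather than during it. A pinned version also keeps the run reproducible, which matters when the provenance attestation is later inspected.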
@@ -50,6 +56,4 @@ jobs:
5056
run: npm run build
5157

5258
- name: Publish
53-
run: npm publish --access public --tag ${{ env.tag }}
54-
env:
55-
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
59+
run: npm publish --provenance --access public --tag ${{ env.tag }}
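Review bot: the new `npm publish --provenance` line depends on package.json carrying a `repository.url` that matches this GitHub repository; provenance generation fails when that field is absent or points elsewhere, so verify it before the first tagged release rather than discovering it at publish time. With the `env:` block removed the job no longer references `secrets.NPM_TOKEN` anywhere, so a failed OIDC exchange (for example a trusted-publisher entry whose repo or workflow filename does not match `publish.yml` exactly) will surface as an authentication error from the registry with no token fallback; that is the intended behaviour, but a one-line comment on the step saying so would save the next person a confusing debugging session.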
