Skip to content

Commit c3b6e38

Browse files
committed
ci(npm): drop registry-url so OIDC trusted publishing engages
setup-node's registry-url writes an .npmrc with _authToken=${NODE_AUTH_TOKEN}, which forces token auth and prevents the OIDC fallback. Removing it lets npm authenticate via GitHub OIDC against the default npmjs.org registry.
1 parent d5e71ab commit c3b6e38

1 file changed

Lines changed: 3 additions & 1 deletion

File tree

.github/workflows/npm-publish.yml

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,11 +18,13 @@ jobs:
1818
with:
1919
fetch-depth: 1
2020

21+
# Note: no `registry-url` here on purpose. setup-node's registry-url writes
22+
# an .npmrc with `_authToken=${NODE_AUTH_TOKEN}`, which forces token auth and
23+
# blocks OIDC. npm publish defaults to registry.npmjs.org anyway.
2124
- name: Set up Node.js
2225
uses: actions/setup-node@v4
2326
with:
2427
node-version-file: .nvmrc
25-
registry-url: https://registry.npmjs.org/
2628

2729
# OIDC trusted publishing (tokenless) requires npm >= 11.5.1.
2830
# Node 22 (lts/jod) ships npm 10, so upgrade explicitly.

0 commit comments

Comments
 (0)