Skip to content

Commit d5e71ab

Browse files
authored
ci(npm): switch to OIDC trusted publishing (tokenless) (#698)
1 parent 1b3f3a0 commit d5e71ab

1 file changed

Lines changed: 9 additions & 3 deletions

File tree

.github/workflows/npm-publish.yml

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,11 @@ jobs:
2424
node-version-file: .nvmrc
2525
registry-url: https://registry.npmjs.org/
2626

27+
# OIDC trusted publishing (tokenless) requires npm >= 11.5.1.
28+
# Node 22 (lts/jod) ships npm 10, so upgrade explicitly.
29+
- name: Upgrade npm for trusted publishing
30+
run: npm install -g npm@latest
31+
2732
- name: Build bashunit single-file binary
2833
shell: bash
2934
run: ./build.sh bin
@@ -33,7 +38,8 @@ jobs:
3338
run: |
3439
test -x bin/bashunit || { echo "bin/bashunit missing or not executable"; exit 1; }
3540
41+
# No token: npm authenticates via GitHub OIDC (Trusted Publishing).
42+
# Configure the trusted publisher once at npmjs.com -> bashunit -> Settings.
43+
# Provenance is generated automatically.
3644
- name: Publish to npm
37-
run: npm publish --access public --provenance
38-
env:
39-
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
45+
run: npm publish --access public

0 commit comments

Comments
 (0)