From a5de54e9cc79caf3d9dc251ccf3011fd6b050933 Mon Sep 17 00:00:00 2001
From: Yogesh Chaudhary
Date: Tue, 13 Jan 2026 12:11:47 +0530
Subject: [PATCH 1/2] feat: enable trusted publishing for npm packages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add id-token: write permissions to workflows
- Update npm CLI to version 11 (includes trusted publishing support)
- Remove --provenance flag (auto-generated with trusted publishing)
- Remove npm-token dependency

Post-merge: Configure trusted publisher on npmjs.com
Package Settings → Trusted Publisher → GitHub Actions:
- Organization: auth0
- Repository: auth0-angular
- Workflow: release.yml
- Environment: release
---
 .github/actions/npm-publish/action.yml | 9 +++++----
 .github/workflows/npm-release.yml | 7 ++++---
 .github/workflows/release.yml | 3 +--
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/.github/actions/npm-publish/action.yml b/.github/actions/npm-publish/action.yml
index 57679d5c..e2fa1970 100644
--- a/.github/actions/npm-publish/action.yml
+++ b/.github/actions/npm-publish/action.yml
@@ -3,8 +3,6 @@ name: Publish release to npm
 inputs:
   node-version:
     required: true
-  npm-token:
-    required: true
   version:
     required: true
   require-build:
@@ -26,6 +24,10 @@ runs:
         cache: 'npm'
         registry-url: 'https://registry.npmjs.org'
 
+    - name: Update npm to version 11
+      shell: bash
+      run: npm install -g npm@11
+
     - name: Install dependencies
       shell: bash
       run: npm ci --include=dev
@@ -46,7 +48,6 @@ runs:
         else
           TAG="latest"
         fi
-        npm publish --provenance --tag $TAG
+        npm publish --tag $TAG
       env:
-        NODE_AUTH_TOKEN: ${{ inputs.npm-token }}
         VERSION: ${{ inputs.version }}
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
index 4f88a2a2..cafe4bba 100644
--- a/.github/workflows/npm-release.yml
+++ b/.github/workflows/npm-release.yml
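Review bot: `run: npm install -g npm@11` resolves to whatever 11.x the registry serves at run time, so the CLI that performs the release is unpinned and can change underneath the workflow between two otherwise identical runs; pin it to an exact version, e.g. `run: npm install -g npm@<pinned 11.x version>` with a comment on the floor it satisfies (trusted publishing needs a recent 11.x — 11.5.1 or later, as I recall from the npm docs — and the `@11` range only meets that by accident of timing). Pinning also turns a broken or compromised npm release into a deliberate diff in this file instead of a silent change in the publish job. The `steps:` sequence this step belongs to starts outside the hunk.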
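Review bot: The publish step now depends on two things the composite action neither checks nor states: the calling job must grant `id-token: write`, and it must run in the environment registered as the trusted publisher; a caller missing either will most likely fail at `npm publish` with an authentication error far from the cause. Add a comment above the command, `# Trusted publishing: the calling job must grant id-token: write and run in the environment registered on npmjs.com; no NODE_AUTH_TOKEN is used`, and consider stating the same requirement in the action's description. It is also worth confirming that the `.npmrc` setup-node writes for `registry-url` (an `_authToken=${NODE_AUTH_TOKEN}` entry, with that variable now unset) does not take precedence over the OIDC exchange on the npm version installed earlier in this action. The `run: |` script containing `npm publish --tag $TAG` starts outside the hunk.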
@@ -15,8 +15,10 @@ on:
     secrets:
       github-token:
         required: true
-      npm-token:
-        required: true
+
+permissions:
+  contents: write
+  id-token: write
 
 jobs:
   release:
@@ -66,7 +68,6 @@ jobs:
           node-version: ${{ inputs.node-version }}
           require-build: ${{ inputs.require-build }}
           version: ${{ steps.get_version.outputs.version }}
-          npm-token: ${{ secrets.npm-token }}
           release-directory: ${{ inputs.release-directory }}
 
       # Create a release for the tag
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1a71fd76..bfd1191c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,7 +8,7 @@ on:
 
 permissions:
   contents: write
-  id-token: write # For publishing to npm using --provenance
+  id-token: write # For trusted publishing to npm
 
 ### TODO: Replace instances of './.github/workflows/' w/ `auth0/dx-sdk-actions/workflows/` and append `@latest` after the common `dx-sdk-actions` repo is made public.
 ### TODO: Also remove `get-prerelease`, `get-release-notes`, `get-version`, `npm-publish`, `release-create`, and `tag-exists` actions from this repo's .github/actions folder once the repo is public.
@@ -36,5 +36,4 @@ jobs:
       require-build: true
       release-directory: './dist/auth0-angular'
     secrets:
-      npm-token: ${{ secrets.NPM_TOKEN }}
       github-token: ${{ secrets.GITHUB_TOKEN }}

From a4f3cabd88c082b257986a9a08ad8f4be10de8a0 Mon Sep 17 00:00:00 2001
From: Yogesh Chaudhary
Date: Tue, 13 Jan 2026 12:16:28 +0530
Subject: [PATCH 2/2] fix: move permissions to job level for better scoping

---
 .github/workflows/npm-release.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
index cafe4bba..d4aca321 100644
--- a/.github/workflows/npm-release.yml
+++ b/.github/workflows/npm-release.yml
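Review bot: The reworded comment on `id-token: write` in release.yml leaves the grant at workflow level, where it applies to every job in this caller, while the second patch of the series scopes the same grant to the `release` job inside npm-release.yml. A called reusable workflow can only use permissions its caller grants, so the caller does have to keep `id-token: write`, but it can be scoped the same way by moving `permissions:` with its two entries under `jobs.release:` (outside this hunk) and dropping the workflow-level block. If `release` is the only job in this file the effective grant is unchanged and this is about keeping the grant next to the job that needs it; the comment could then read `# For trusted publishing to npm via npm-release.yml (a reusable workflow cannot exceed the caller's grant)`.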
@@ -16,15 +16,14 @@ on:
       github-token:
         required: true
 
-permissions:
-  contents: write
-  id-token: write
-
 jobs:
   release:
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     runs-on: ubuntu-latest
     environment: release
+    permissions:
+      contents: write
+      id-token: write
 
     steps:
       # Checkout the code
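Review bot: `environment: release`, directly above the added `permissions:` block, is now a security-relevant value rather than a label: with trusted publishing the environment name is part of the OIDC identity npmjs checks, so it has to match the environment registered on the trusted publisher (the first patch's message lists `release`) and renaming it breaks publishing, while keeping it is what limits the publish to runs that passed that environment's protection rules. Add a comment saying so, `environment: release  # must match the trusted-publisher environment registered on npmjs.com`, and one on the new line, `id-token: write  # OIDC token for npm trusted publishing (contents: write is presumably for the release created later in this job)`. Job-level permissions in a reusable workflow are still capped by the caller's grant, which release.yml keeps at workflow level. The `release` job continues past the hunk.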