Commit 42c64ff

ci: switch npm publish to OIDC trusted publishing (no NPM_TOKEN)
1 parent c17713c commit 42c64ff

1 file changed

Lines changed: 6 additions & 2 deletions

.github/workflows/publish.yml

@@ -11,6 +11,9 @@ concurrency:
1111
jobs:
1212
publish:
1313
runs-on: ubuntu-latest
14+
permissions:
15+
contents: read
16+
id-token: write # OIDC trusted publishing — authenticates to npm without a long-lived token
1417
steps:
1518
- uses: actions/checkout@v4
1619
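Review bot: `id-token: write` is granted at job level on `publish`, so every step in this job can request the OIDC token, including the `pnpm install` and `pnpm build` steps that run before `npm publish`. Consider moving install and build into a separate job that has only `contents: read` and hands over an artifact, and keeping `id-token: write` on a minimal job that does nothing but publish. In the same job, `actions/checkout@v4` is a mutable tag; pinning it to a full commit SHA is worth doing now that the job can obtain publish credentials.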

@@ -23,6 +26,9 @@ jobs:
2326
node-version: 20
2427
registry-url: https://registry.npmjs.org
2528

29+
# Trusted publishing (OIDC) requires npm >= 11.5.1; Node 20 ships npm 10.
30+
- run: npm install -g npm@latest
31+
2632
- run: pnpm install --no-frozen-lockfile
2733
- run: pnpm build
2834
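Review bot: `npm install -g npm@latest` on the added line installs whatever npm release is current at run time, inside the job that holds `id-token: write`. The comment above it states the actual requirement (npm >= 11.5.1), so pin an exact version that satisfies it, for example `npm@11.5.1`, and bump it deliberately. The unchanged `pnpm install --no-frozen-lockfile` just below has the same problem for dependencies: a release build should use `--frozen-lockfile` so the published package is built from the committed lockfile.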

@@ -38,5 +44,3 @@ jobs:
3844
npm publish --access public
3945
echo "Published $PACKAGE_NAME@$LOCAL_VER"
4046
fi
41-
env:
42-
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
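Review bot: Dropping the `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` env only stops this workflow from reading the secret; the token itself stays valid and the `NPM_TOKEN` repository secret stays readable by any other workflow until both are removed. The commit message or PR description should record the follow-up: revoke the token on npm, delete the repository secret, and confirm the package's trusted publisher entry names this repository and `publish.yml`, since `npm publish --access public` now depends on that configuration and will fail without it.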
