Commit 8eb18c2

ci(publish): clear npm tokens for trusted publishing (#198)
Clear NODE_AUTH_TOKEN and NPM_TOKEN on the npm publish steps so npm uses GitHub OIDC trusted publishing instead of an injected token from setup-node. The failed autoevals@0.3.0 release had a NODE_AUTH_TOKEN present during npm publish, which caused npm to attempt token-based publishing and return a misleading 404 for the package. This mirrors the working publish setup in braintrust-sdk-javascript while preserving provenance publishing for both stable and prerelease releases.
1 parent f372f07 commit 8eb18c2

1 file changed

Lines changed: 6 additions & 0 deletions

.github/workflows/publish-js.yaml

@@ -146,10 +146,16 @@ jobs:
146146

147147
- name: Publish stable release to npm
148148
if: ${{ env.RELEASE_TYPE == 'stable' }}
149+
env:
150+
NODE_AUTH_TOKEN: ""
151+
NPM_TOKEN: ""
149152
run: npm publish --provenance --access public
150153

151154
- name: Publish prerelease to npm
152155
if: ${{ env.RELEASE_TYPE == 'prerelease' }}
156+
env:
157+
NODE_AUTH_TOKEN: ""
158+
NPM_TOKEN: ""
153159
run: npm publish --tag rc --provenance --access public
154160

155161
- name: Create and push stable release tag
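
Review bot: Both publish steps (new lines 149-151 and 156-158) blank `NODE_AUTH_TOKEN` and `NPM_TOKEN` with no comment saying why, so the empty values read like leftover config and could be dropped in a later cleanup, bringing back the token-based publish path the commit message describes. Add a one-line YAML comment above each `env:` stating that the tokens are cleared on purpose so that `npm publish --provenance` authenticates through GitHub OIDC trusted publishing. The job's `permissions` block is outside this hunk, so it is worth confirming in the same review that `id-token: write` is granted there, since both the OIDC exchange and `--provenance` depend on it.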
