Use npm trusted publishing (OIDC) instead of NPM_TOKEN (#586)

carlostxm · web-flow · commit bbbfe2605c94 · 2026-05-14T16:18:55.000+02:00
Removes dependency on long-lived npm tokens that expire every 90 days.
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -6,8 +6,16 @@ on:
 
 jobs:
   publish-npm:
-    uses: cabify/javascript-actions/.github/workflows/npm_publish.yml@main
-    with:
-      tag: ${{ contains(github.ref_name,'beta') && 'beta' || 'latest' }}
-    secrets:
-      token: ${{ secrets.NPM_TOKEN }}
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 24
+          registry-url: https://registry.npmjs.org
+      - run: yarn install
+      - run: yarn build
+      - run: npm publish --provenance --tag ${{ contains(github.ref_name,'beta') && 'beta' || 'latest' }}
