
Commit 589c427

committed
ci: use npm trusted publishing with OIDC provenance
1 parent 626a21a commit 589c427

2 files changed

Lines changed: 19 additions & 3 deletions


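--- a/.github/workflows/changesets.yml
+++ b/.github/workflows/changesets.yml
@@ -10,6 +10,11 @@ jobs:
 release:
 runs-on: ubuntu-latest
 
+permissions:
+contents: write
+pull-requests: write
+id-token: write
+
 steps:
 - uses: actions/checkout@v4
 
@@ -30,4 +35,4 @@ jobs:
 version: bun run version
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+NPM_CONFIG_PROVENANCE: true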
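Review bot: The new `permissions` block grants `id-token: write` to the whole `release` job, so every step in it can request the OIDC token that npm now accepts as the publish credential; that includes the tag-pinned `actions/checkout@v4` and the install/build steps between the two hunks, which are not visible here. Pin the actions used in this job to full commit SHAs, e.g. `- uses: actions/checkout@<full-commit-sha>  # v4`, and consider moving install, build and test into a separate job that has no `id-token` permission. The same job-wide grant is added to the `snapshot` job in snapshot-release.yml. Trusted publishing also needs npm CLI 11.5.1 or later on the runner; the setup steps are outside the hunk, so confirm the version there, because with `NPM_TOKEN` removed this job has no fallback credential.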

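--- a/.github/workflows/snapshot-release.yml
+++ b/.github/workflows/snapshot-release.yml
@@ -10,6 +10,10 @@ jobs:
 snapshot:
 runs-on: ubuntu-latest
 
+permissions:
+contents: read
+id-token: write
+
 steps:
 - uses: actions/checkout@v4
 
@@ -26,9 +30,16 @@ jobs:
 - name: Unit tests
 run: bun run test:unit
 
+- name: Setup npm auth
+run: |
+echo "//registry.npmjs.org/:_authToken=\${NODE_AUTH_TOKEN}" > .npmrc
+env:
+NODE_AUTH_TOKEN: ""
+
 - name: Publish snapshot to npm
 run: |
 npx changeset version --snapshot canary
-npx changeset publish --tag canary
+npx changeset publish --tag canary --no-git-tag
 env:
-NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+NPM_CONFIG_PROVENANCE: true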
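Review bot: The publish step still passes the long-lived secret as `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}`, and the new "Setup npm auth" step writes an `.npmrc` that reads it, so this workflow keeps depending on a stored npm token even though the commit title describes a move to OIDC trusted publishing. If that is deliberate (npm accepts one trusted-publisher workflow per package, which may be why canary publishes keep the token; this is an inference, not something the page shows), record it in a comment above the step, such as `# canary publishes still use NPM_TOKEN; trusted publishing is configured for changesets.yml only`, and make sure the secret is a granular token scoped to this package. Otherwise drop the "Setup npm auth" step and the `NODE_AUTH_TOKEN` line so that no long-lived credential reaches the job. The step-level `NODE_AUTH_TOKEN: ""` does not change the file that is written, because `\$` keeps the `${NODE_AUTH_TOKEN}` placeholder literal.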
