
Commit 315aa0f

committed
ci: switch release to npm Trusted Publishing (OIDC)
1 parent a9c27e6 commit 315aa0f

1 file changed

Lines changed: 5 additions & 4 deletions


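--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,7 @@ on:
 
 permissions:
 contents: write # needed to upload binaries to the GitHub Release
+id-token: write # needed for npm Trusted Publishing (OIDC) — no NPM_TOKEN required
 
 jobs:
 release:
@@ -26,6 +27,10 @@ jobs:
 node-version: 20
 registry-url: "https://registry.npmjs.org"
 
+# Trusted Publishing (OIDC) needs npm >= 11.5; setup-node's Node 20 ships npm 10.
+- name: Upgrade npm for Trusted Publishing
+run: npm install -g npm@latest
+
 - name: Derive version from tag
 id: ver
 run: echo "version=${GITHUB_REF_NAME#v}" >> "$GITHUB_OUTPUT"
@@ -49,13 +54,9 @@ jobs:
 echo "publishing $dir"
 (cd "$dir" && npm publish --access public)
 done
-env:
-NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
 - name: Publish main package
 run: npm publish --access public
-env:
-NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
 # Also attach the raw binaries to the GitHub Release (for the install-script channel).
 - name: Upload binaries to GitHub Release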
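Review bot: The added step `run: npm install -g npm@latest` installs whatever npm release is current at run time into a job that holds `contents: write` and `id-token: write` and then publishes, so a bad or compromised npm release would run with publishing rights, and release runs are not reproducible. Pin an exact version that meets the stated >= 11.5 requirement, e.g. `run: npm install -g npm@<exact-11.x-version>` (placeholder), and bump it deliberately. The `permissions:` block in the first hunk appears to be workflow-level, so any other jobs in the file (outside these hunks) would also receive `id-token: write`; moving it under `release:` would scope it to the publishing job. Since both `NODE_AUTH_TOKEN` env entries are removed, the `NPM_TOKEN` secret should also be revoked on the registry and deleted from the repository so the old long-lived credential does not stay valid.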
