2929 - name : Checkout repository
3030 uses : actions/checkout@v4
3131
32- - name : Authenticate to npm
33- shell : bash
34- run : |
35- echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ${{ env.NPM_CONFIG_USERCONFIG }}
36- env :
37- NPM_TOKEN : ${{ secrets.NPM_TOKEN }}
38- NPM_CONFIG_USERCONFIG : ${{ github.workspace }}/.npmrc
39-
4032 - uses : ./.github/workflows/steps/setup-node
4133
4234 - uses : ./.github/workflows/steps/setup-submodules
@@ -137,6 +129,9 @@ jobs:
137129 publish :
138130 name : 📦 Publish Packages
139131 runs-on : ubuntu-latest
132+ permissions :
133+ contents : read
134+ id-token : write
140135 # needs: [build, lint, unit-tests, e2e-tests]
141136 needs : [build, lint, unit-tests]
142137 if : github.ref == 'refs/heads/main' && github.event_name == 'push'
@@ -147,16 +142,13 @@ jobs:
147142 # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
148143 fetch-depth : 0
149144
150- - name : Authenticate to npm
151- shell : bash
152- run : |
153- echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ${{ env.NPM_CONFIG_USERCONFIG }}
154- env :
155- NPM_TOKEN : ${{ secrets.NPM_TOKEN }}
156- NPM_CONFIG_USERCONFIG : ${{ github.workspace }}/.npmrc
157-
158145 - uses : ./.github/workflows/steps/setup-node
159146
147+ - name : Ensure OIDC trusted publishing has latest npm
148+ run : |
149+ # install a recent npm (11.5.1+) which supports OIDC trusted publishing
150+ npm install -g npm@^11.5.1
151+
160152 - uses : ./.github/workflows/steps/setup-submodules
161153
162154 - name : Restore build artifacts
@@ -179,4 +171,3 @@ jobs:
179171 publish : yarn changeset publish
180172 env :
181173 GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
182- NPM_TOKEN : ${{ secrets.NPM_TOKEN }}
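Review bot: The explicit `permissions:` block added to the publish job (`contents: read`, `id-token: write`) looks too narrow for the job's final step: `publish: yarn changeset publish` with only `GITHUB_TOKEN` in its env is the input shape of changesets/action, which pushes the release tags after publishing and therefore needs `contents: write` (and `pull-requests: write` if it also opens version PRs); the `uses:` line of that step is outside the hunk, so confirm which action it is before relying on this. If tag pushing is intended, change the block to `contents: write`; if not, keep `read` and add a comment above it such as `# contents: read is deliberate — tags are not pushed from this job`. Separately, `npm install -g npm@^11.5.1` in the new "Ensure OIDC trusted publishing has latest npm" step is an unpinned caret range executed immediately before publishing with a write-capable OIDC token, so whatever the registry serves as latest 11.x at run time becomes the publishing toolchain; pinning it to an exact tested release, e.g. `npm install -g npm@11.5.1`, keeps the release job reproducible and makes any change to that dependency show up as a diff rather than landing silently. Note also that the `permissions` keys belong to the job, so a future `needs`/`if` edit should keep them above `steps:` as they are here.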