fix: add trusted publisher to v4-client-js (#478)

jaredvu · web-flow · commit 4fa2fc1bb7d7 · 2026-02-20T12:27:25.000-08:00
Remove GAT usage in publish script
diff --git a/.github/workflows/js-publish.yml b/.github/workflows/js-publish.yml
@@ -12,36 +12,27 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  build-and-publish:
+  publish:
     runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: ./v4-client-js
     permissions:
       contents: write
+      id-token: write
+
     steps:
-      - name: Checkout
-        uses: actions/checkout@v3
+      - uses: actions/checkout@v3
         with:
-          fetch-depth: 0 # fetch all history for all tags and branches
+          fetch-depth: 0
 
-      - name: Npm
-        uses: actions/setup-node@v3
+      - name: Setup Node
+        uses: actions/setup-node@v4
         with:
-          node-version: 20.8.1
-          registry-url: https://registry.npmjs.org
-          cache: "npm"
+          node-version-file: '.nvmrc'
+          registry-url: https://registry.npmjs.org/
+          cache: npm
           cache-dependency-path: '**/package-lock.json'
 
-      - name: Install
+      - name: Install dependencies
         run: npm ci
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_READ }}
-
-    # Run semantic-release to automatically bump the version based on PR title
-      - name: Run semantic-release
-        run: npm run release
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_WRITE }}
-
 
+      - name: Publish if needed
+        run: ./v4-client-js/scripts/publish-if-not-exists.sh
diff --git a/v4-client-js/.nvmrc b/v4-client-js/.nvmrc
@@ -1 +1 @@
-v20.8.1
+v24
diff --git a/v4-client-js/scripts/publish-if-not-exists.sh b/v4-client-js/scripts/publish-if-not-exists.sh
@@ -1,21 +1,40 @@
-#!/bin/bash
-set -euxo pipefail
+#!/usr/bin/env bash
+set -euo pipefail
 
-VERSION=$(cat package.json | jq -r '.version')
-NAME=$(cat package.json | jq -r '.name')
+VERSION=$(jq -r '.version' package.json)
+NAME=$(jq -r '.name' package.json)
+TAG="v${VERSION}"
 
-test -z "$(npm info $NAME@$VERSION)"
-if [ $? -eq 0 ]; then
-	set -e
+echo "Checking npm registry for ${NAME}@${VERSION}..."
 
-	git config --global user.email "ci@dydx.exchange"
-	git config --global user.name "github_actions"
+set +e
+VIEW_OUTPUT=$(npm view "${NAME}@${VERSION}" 2>&1)
+VIEW_EXIT=$?
+set -e
 
-	# Get version and tag
-	git tag v4-client-js@${VERSION}
-	git push --tags
+if [ $VIEW_EXIT -eq 0 ]; then
+  echo "Skipping publish: ${NAME}@${VERSION} already exists"
+  exit 0
+fi
+
+if ! echo "$VIEW_OUTPUT" | grep -qiE 'E404|not found|No matching version'; then
+  echo "Registry check failed unexpectedly:"
+  echo "$VIEW_OUTPUT"
+  exit 1
+fi
 
-	npm publish
+echo "Version not found. Proceeding with release."
+
+git fetch --tags --quiet
+git config user.email "ci@dydx.exchange"
+git config user.name "github_actions"
+
+if git show-ref --tags --verify --quiet "refs/tags/$TAG"; then
+  echo "Tag $TAG already exists"
 else
-	echo "skipping publish, package $NAME@$VERSION already published"
+  git tag -a "$TAG" -m "Release $TAG"
+  git push origin "$TAG"
 fi
+
+unset NODE_AUTH_TOKEN
+npm publish --provenance --access public
