react-native-fula/.github/workflows/npm-publish-github-packages.yml at main · functionland/react-native-fula · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
# Publishes @functionland/react-native-fula to npmjs.com via OIDC "trusted publishing".
# No npm token is used: auth comes from GitHub's OIDC id-token, which npm verifies
# against the Trusted Publisher configured at npmjs.com (Package > Settings).
# Docs: https://docs.npmjs.com/trusted-publishers/

name: Node.js Package

on:
  workflow_dispatch:
  release:
    types: [published]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm ci
      - run: npm test

  publish-npm:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write # REQUIRED: lets the job mint the OIDC token npm verifies
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          # Deliberately NO registry-url: it makes setup-node write an empty
          # _authToken into .npmrc that shadows OIDC (the classic 404/ENEEDAUTH).
          # The publish registry is already pinned by publishConfig in package.json.
      # Trusted publishing needs npm >= 11.5.1; Node 22 ships npm 10.x, so upgrade.
      - run: npm install -g npm@latest
      # Sanity check: this MUST print npm >= 11.5.1, or OIDC publishing won't work.
      # ("packageManager: yarn@..." + Corepack could otherwise shadow the upgrade.)
      - run: node -v && npm -v
      - run: npm ci
      - run: npm publish --provenance --access public