1- # This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
2- # For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
1+ # Publishes @functionland/react-native-fula to npmjs.com via OIDC "trusted publishing".
2+ # No npm token is used: auth comes from GitHub's OIDC id-token, which npm verifies
3+ # against the Trusted Publisher configured at npmjs.com (Package > Settings).
4+ # Docs: https://docs.npmjs.com/trusted-publishers/
35
46name : Node.js Package
57
@@ -12,10 +14,10 @@ jobs:
1214 build :
1315 runs-on : ubuntu-latest
1416 steps :
15- - uses : actions/checkout@v3
16- - uses : actions/setup-node@v3
17+ - uses : actions/checkout@v4
18+ - uses : actions/setup-node@v4
1719 with :
18- node-version : 20
20+ node-version : 22
1921 - run : npm ci
2022 - run : npm test
2123
@@ -24,14 +26,19 @@ jobs:
2426 runs-on : ubuntu-latest
2527 permissions :
2628 contents : read
27- packages : write
29+ id-token : write # REQUIRED: lets the job mint the OIDC token npm verifies
2830 steps :
29- - uses : actions/checkout@v3
30- - uses : actions/setup-node@v3
31+ - uses : actions/checkout@v4
32+ - uses : actions/setup-node@v4
3133 with :
32- node-version : 20
33- registry-url : https://registry.npmjs.org/
34+ node-version : 22
35+ # Deliberately NO registry-url: it makes setup-node write an empty
36+ # _authToken into .npmrc that shadows OIDC (the classic 404/ENEEDAUTH).
37+ # The publish registry is already pinned by publishConfig in package.json.
38+ # Trusted publishing needs npm >= 11.5.1; Node 22 ships npm 10.x, so upgrade.
39+ - run : npm install -g npm@latest
40+ # Sanity check: this MUST print npm >= 11.5.1, or OIDC publishing won't work.
41+ # ("packageManager: yarn@..." + Corepack could otherwise shadow the upgrade.)
42+ - run : node -v && npm -v
3443 - run : npm ci
35- - run : npm publish --scope=@functionland --access=public
36- env :
37- NODE_AUTH_TOKEN : ${{secrets.npm_token}}
44+ - run : npm publish --provenance --access public
0 commit comments