Skip to content

Commit 72531b1

Browse files
rgarciacursoragent
andcommitted
chore: switch npm publish from token to OIDC trusted publishers
- Add id-token:write permission for npm OIDC - Ensure npm >= 11.5.1 (required for OIDC trusted publishing) - Remove NPM_TOKEN / NODE_AUTH_TOKEN secrets from goreleaser step GitHub is already configured as a trusted publisher on npmjs.com. GoReleaser's npm pipe will use the OIDC token automatically. Co-authored-by: Cursor <cursoragent@cursor.com>
1 parent 95a6543 commit 72531b1

1 file changed

Lines changed: 4 additions & 2 deletions

File tree

.github/workflows/release.yaml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@ on:
77

88
permissions:
99
contents: write
10+
id-token: write # Required for npm OIDC trusted publishers
1011

1112
jobs:
1213
release:
@@ -29,6 +30,9 @@ jobs:
2930
node-version: '20'
3031
registry-url: 'https://registry.npmjs.org'
3132

33+
- name: Ensure latest npm (>= 11.5.1 for OIDC)
34+
run: npm install -g npm@latest
35+
3236
- name: Clean templates
3337
run: make clean-templates
3438

@@ -41,5 +45,3 @@ jobs:
4145
env:
4246
GITHUB_TOKEN: ${{ secrets.GH_PAT }}
4347
GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
44-
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
45-
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

0 commit comments

Comments
 (0)