From 68d45fcac61f5ec0135aa56cfcc5b75981df8cff Mon Sep 17 00:00:00 2001 From: Paul Carleton Date: Tue, 14 Apr 2026 11:41:12 +0100 Subject: [PATCH] ci: switch npm publish to OIDC trusted publishing - Upgrade npm to ^11.5.1 in the publish job (Node 22 bundles npm 10.x, which lacks OIDC trusted publishing support) - Drop NODE_AUTH_TOKEN / NPM_TOKEN secret in favor of OIDC - Enable provenance attestation via NPM_CONFIG_PROVENANCE The publish job already had id-token: write and registry-url configured. --- .github/workflows/main.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 22409b349..6fd8a6dfb 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -61,10 +61,13 @@ jobs: # - run: npm ci - run: npm install --no-package-lock - # TODO: Add --provenance once the repo is public + # OIDC trusted publishing requires npm >=11.5.1; Node 22's bundled npm is 10.x. + - name: Ensure npm CLI supports OIDC trusted publishing + run: npm install -g npm@^11.5.1 + - run: npm run publish-all env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + NPM_CONFIG_PROVENANCE: "true" publish-github-container-registry: runs-on: ubuntu-latest