Skip to content

Commit 4307b95

Browse files
cliffhallclaude
andcommitted
ci(release): enable provenance and pin npm version for OIDC publish
Align with modelcontextprotocol/inspector#1199: - set NPM_CONFIG_PROVENANCE so published packages get provenance attestations - pin the npm upgrade to ^11.5.1 instead of latest Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01AViME1R9ES2UXT1uQDx1TG
1 parent 1a4ecb7 commit 4307b95

1 file changed

Lines changed: 5 additions & 3 deletions

File tree

.github/workflows/release.yml

Lines changed: 5 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -171,9 +171,9 @@ jobs:
171171
cache: npm
172172
registry-url: 'https://registry.npmjs.org'
173173

174-
# Trusted publishing requires npm >= 11.5.1; Node 22 bundles an older npm
175-
- name: Update npm for trusted publishing
176-
run: npm install -g npm@latest
174+
# OIDC trusted publishing requires npm >=11.5.1; Node 22's bundled npm is 10.x.
175+
- name: Ensure npm CLI supports OIDC trusted publishing
176+
run: npm install -g npm@^11.5.1
177177

178178
- name: Install dependencies
179179
working-directory: src/${{ matrix.package }}
@@ -199,6 +199,8 @@ jobs:
199199
working-directory: src/${{ matrix.package }}
200200
run: |
201201
npm publish --access public
202+
env:
203+
NPM_CONFIG_PROVENANCE: "true"
202204

203205
create-release:
204206
needs: [update-packages, create-metadata, publish-pypi, publish-npm]

0 commit comments

Comments
 (0)