Skip to content

Commit f9bc6c9

Browse files
committed
chore: Add permissions for GitHub Actions workflows
- Updated publish-prerelease.yml and publish-stable-release.yml to include permissions for reading contents and writing id-token. - Modified service_publish-node-package.yml to add permissions for the publish job, ensuring proper access for trusted publishing.
1 parent 5b522b4 commit f9bc6c9

3 files changed

Lines changed: 16 additions & 3 deletions

File tree

.github/workflows/publish-prerelease.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,10 @@ on:
55
release:
66
types: [prereleased]
77

8+
permissions:
9+
contents: read
10+
id-token: write
11+
812
jobs:
913
publish-prerelease:
1014
uses: ./.github/workflows/service_publish-node-package.yml

.github/workflows/publish-stable-release.yml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,10 @@ on:
55
release:
66
types: [released]
77

8+
permissions:
9+
contents: read
10+
id-token: write
11+
812
jobs:
913
publish-stable-release:
1014
uses: ./.github/workflows/service_publish-node-package.yml

.github/workflows/service_publish-node-package.yml

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,9 @@ on:
1515

1616
jobs:
1717
publish:
18+
permissions:
19+
contents: read
20+
id-token: write
1821
runs-on: ${{ inputs.runs-on }}
1922

2023
steps:
@@ -26,11 +29,13 @@ jobs:
2629

2730
- name: checkout
2831
uses: actions/checkout@v6
32+
33+
# Trusted publishing (OIDC) requires npm CLI >= 11.5.1 (Node images may ship older npm).
34+
- name: Upgrade npm for OIDC trusted publishing
35+
run: npm install -g npm@^11.5.1
2936

3037
- name: Set NPM version (${{ github.ref_name }}).
3138
run: npm version --git-tag-version=false --commit-hooks=false ${{ github.ref_name }}
3239

3340
- name: Publish release (${{ inputs.release-tag }})
34-
run: npm publish --access public --tag ${{ inputs.release-tag }}
35-
env:
36-
NODE_AUTH_TOKEN: ${{secrets.NODE_AUTH_TOKEN_SECRET}}
41+
run: npm publish --access public --tag ${{ inputs.release-tag }}

0 commit comments

Comments
 (0)