Skip to content

Commit 5ab9717

Browse files
sunya9claude
andauthored
ci: switch npm publish to OIDC trusted publishing (#157)
Replace static NPM_TOKEN with GitHub Actions OIDC-based provenance publishing. This eliminates the need for secret rotation and improves supply chain security. - Add id-token: write permission for OIDC token - Use --provenance flag on npm publish - Remove NPM_TOKEN secret dependency - Update node-version to 24 Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent 5b5d758 commit 5ab9717

1 file changed

Lines changed: 3 additions & 4 deletions

File tree

.github/workflows/release-please.yml

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,7 @@ permissions:
88
contents: write
99
pull-requests: write
1010
issues: write
11+
id-token: write # required for npm oidc
1112

1213
jobs:
1314
release-please:
@@ -38,7 +39,7 @@ jobs:
3839

3940
- uses: actions/setup-node@v6
4041
with:
41-
node-version: 22
42+
node-version: 24
4243
cache: "pnpm"
4344
registry-url: "https://registry.npmjs.org"
4445

@@ -48,6 +49,4 @@ jobs:
4849
# build will be executed in prepublishOnly script
4950

5051
- name: Publish to npm
51-
run: npm publish --access public
52-
env:
53-
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
52+
run: npm publish --access public --provenance

0 commit comments

Comments
 (0)