Skip to content

Commit 6a44c9b

Browse files
chore(ci): restore NPM_TOKEN env on publish step (#62)
Re-attaches NODE_AUTH_TOKEN: secrets.NPM_TOKEN to the publish step. The OIDC-only approach blocked on a 2FA-on-publish org enforcement that can't be flipped quickly; a fresh automation token (no-2FA scope) replaces the rotated/expired secret that has been failing since v0.29.0. --provenance + id-token: write retained so each publish still ships a signed Sigstore attestation alongside the token-authed publish. Unblocks v0.31.0 (541 adapters) reaching npm. Co-authored-by: Drew Stone <hello@tangle.tools>
1 parent 258972f commit 6a44c9b

1 file changed

Lines changed: 6 additions & 6 deletions

File tree

.github/workflows/publish.yml

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -66,12 +66,10 @@ jobs:
6666
- run: pnpm run build
6767

6868
# Idempotent: re-running a tag whose npm version is already published
69-
# must not fail the workflow. Auth is npm OIDC trusted publishing —
70-
# configured at npmjs.com/package/@tangle-network/agent-integrations/access
71-
# → Trusted Publishers → GitHub Actions (org=tangle-network,
72-
# repo=agent-integrations, workflow=publish.yml). The id-token: write
73-
# permission on this job exchanges a GitHub OIDC token for an
74-
# npm-side publish credential at request time. No NPM_TOKEN secret.
69+
# must not fail the workflow. Auth is the NPM_TOKEN repo secret
70+
# (automation token scoped to @tangle-network with publish
71+
# permission). The id-token: write permission stays so we can
72+
# opportunistically attach Sigstore provenance attestations.
7573
- name: Publish to npm (skip if already published)
7674
run: |
7775
NAME=$(node -p "require('./package.json').name")
@@ -81,3 +79,5 @@ jobs:
8179
else
8280
pnpm publish --no-git-checks --access public --provenance
8381
fi
82+
env:
83+
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

0 commit comments

Comments
 (0)