Skip to content

Commit 91c0dec

Browse files
authored
fix(ci): publish to npm via OIDC trusted publishing (#85)
Drop registry-url (placeholder NODE_AUTH_TOKEN shadowed OIDC -> masked 404) and bump Node 22->24 (npm >= 11.5.1) so the publish-npm job uses OIDC trusted publishing. Refs #82
1 parent c4b5d7f commit 91c0dec

1 file changed

Lines changed: 8 additions & 2 deletions

File tree

.github/workflows/publish.yml

Lines changed: 8 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -56,11 +56,17 @@ jobs:
5656

5757
- uses: pnpm/action-setup@v4
5858

59+
# No registry-url here on purpose: actions/setup-node writes an
60+
# .npmrc with a placeholder NODE_AUTH_TOKEN when registry-url is set,
61+
# and a present-but-bogus token makes pnpm authenticate by token
62+
# (rejected, masked as 404) instead of falling back to OIDC trusted
63+
# publishing. Node 24 ships npm >= 11.5.1, which the OIDC handshake
64+
# requires. Trust is established by the npm trusted-publisher entry
65+
# (workflow=publish.yml, env=blank) + the id-token: write permission.
5966
- uses: actions/setup-node@v4
6067
with:
61-
node-version: 22
68+
node-version: 24
6269
cache: pnpm
63-
registry-url: https://registry.npmjs.org
6470

6571
- run: pnpm install --frozen-lockfile
6672
- run: pnpm run build

0 commit comments

Comments
 (0)