Skip to content

Commit b1e51ab

Browse files
committed
ci: use npm OIDC trusted publishing with provenance for releases
1 parent 0304930 commit b1e51ab

1 file changed

Lines changed: 7 additions & 2 deletions

File tree

.github/workflows/release.yml

Lines changed: 7 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,6 +12,8 @@ jobs:
1212
permissions:
1313
contents: write
1414
pull-requests: write
15+
# Required for npm OIDC trusted publishing (tokenless) + provenance.
16+
id-token: write
1517
steps:
1618
- uses: actions/checkout@v4
1719
- uses: pnpm/action-setup@v4
@@ -21,11 +23,14 @@ jobs:
2123
cache: pnpm
2224
registry-url: https://registry.npmjs.org
2325
- run: pnpm install --frozen-lockfile
26+
# npm OIDC trusted publishing requires npm >= 11.5.1; node 22 ships an older npm.
27+
- run: npm install -g npm@latest
2428
- uses: changesets/action@v1
2529
with:
2630
version: pnpm changeset:version
2731
publish: pnpm changeset:publish
2832
env:
2933
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
30-
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
31-
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
34+
# Auth comes from OIDC (id-token) once the package's trusted publisher
35+
# is registered on npmjs.com. Provenance is attached automatically.
36+
NPM_CONFIG_PROVENANCE: "true"

0 commit comments

Comments
 (0)