ci: harden npm trusted publishing workflow

kody-bot · kody-bot · commit 8cfbd058063c · 2026-05-12T17:23:27.000-06:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -16,21 +16,22 @@ concurrency:
   cancel-in-progress: false
 
 permissions:
-  id-token: write # to enable use of OIDC (npm trusted publishing and provenance)
-  contents: write # to be able to publish a GitHub release
-  issues: write # to be able to comment on released issues
-  pull-requests: write # to be able to comment on released pull requests
+  contents: read
 
 jobs:
   verifications:
     name: Verifications
+    permissions:
+      contents: read
+      id-token: write # required by Codecov in the reusable workflow
     uses: ./.github/workflows/verifications.yml
 
-  publish:
-    name: Publish package
+  build-release-artifact:
+    name: Build release artifact
     runs-on: ubuntu-latest
     needs: [verifications]
-    # Avoid publishing in forks
+    permissions:
+      contents: read
     if: github.repository == 'testing-library/eslint-plugin-testing-library'
     steps:
       - name: Checkout
@@ -45,18 +46,50 @@ jobs:
           cache: 'pnpm'
           node-version-file: '.nvmrc'
 
-      # Ensure npm 11.5.1 or later is installed for correct OIDC publishing
-      - name: Update npm
-        # (using v11.10.0 to avoid Node.js bug causing an installation failure) https://github.com/npm/cli/issues/9151
-        run: npm install -g npm@~11.10.0
-
       - name: Install dependencies
-        run: pnpm install
+        run: pnpm install --ignore-scripts
 
       - name: Build package
         run: pnpm run build
 
+      - name: Upload package artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: npm-package-dist
+          path: dist
+          if-no-files-found: error
+          retention-days: 7
+
+  publish:
+    name: Publish package
+    runs-on: ubuntu-latest
+    needs: [build-release-artifact]
+    permissions:
+      id-token: write # to enable use of OIDC (npm trusted publishing and provenance)
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+    if: github.repository == 'testing-library/eslint-plugin-testing-library'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Set up Node
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+        with:
+          node-version-file: '.nvmrc'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Update npm
+        run: npm install -g npm@~11.10.0
+
+      - name: Download package artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: npm-package-dist
+          path: dist
+
       - name: Release new version
-        run: pnpm exec semantic-release
+        run: npx --yes semantic-release@25.0.3
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
