ci: migrate npm publishing to trusted publishing (OIDC) #522

Merged
RichardLindhout merged 1 commit into master from copilot/fix-trusted-publishing-issue
Apr 4, 2026

Contributor

Copilot AI commented Apr 4, 2026

Replaces the long-lived NPM_TOKEN secret with npm's OIDC-based trusted publishing, which was already configured on npmjs.com but not wired up in the workflow.

Changes

  • Removed the .npmrc token injection step (_authToken=${{ secrets.NPM_TOKEN }}) — no longer needed
  • Added permissions: id-token: write to let the job request a GitHub OIDC token, and contents: write for git tagging / GitHub release creation
  • Added NPM_CONFIG_PROVENANCE: true env var so release-it's internal npm publish passes --provenance, triggering the automatic OIDC token exchange with the npm registry

@RichardLindhout RichardLindhout marked this pull request as ready for review April 4, 2026 14:00
@RichardLindhout RichardLindhout merged commit 063dcba into master Apr 4, 2026
3 checks passed
@RichardLindhout
Member

@copilot still not working?

Run yarn release
yarn run v1.22.22
$ release-it --ci --github.autoGenerate
ERROR Not authenticated with npm. Please npm login and try again.
Documentation: https://git.io/release-it-npm

error Command failed with exit code 1.
info Visit https://yarnpkg.com/en/docs/cli/run for documentation about this command.
Error: Process completed with exit code 1.
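
The changes listed in the PR description rely on conditions that can be checked inside the job before `yarn release` runs. The script below is an added example, not code from this repository or from release-it. It assumes the old token step wrote to the user-level `.npmrc`, and it uses npm's documented minimum CLI version for trusted publishing (11.5.1), which is not stated in the PR.

```shell
#!/bin/sh
# Added example: preflight for npm trusted publishing in a GitHub Actions job.

# version_ge A B: true when dotted version A >= B (major.minor.patch).
version_ge() {
  lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
  [ "$lowest" = "$2" ]
}

# oidc_preflight NPMRC_PATH NPM_VERSION
# Prints one finding per failed check; return status is the number of failures.
oidc_preflight() {
  npmrc=$1
  npm_version=$2
  fails=0

  # The runner exports these two variables only when the job has
  # 'permissions: id-token: write'.
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "FAIL: OIDC request variables missing (id-token: write not granted)"
    fails=$((fails + 1))
  fi

  # A leftover _authToken line means the long-lived secret is still configured.
  if [ -f "$npmrc" ] && grep -q '_authToken=' "$npmrc"; then
    echo "FAIL: $npmrc still contains an _authToken line"
    fails=$((fails + 1))
  fi

  # npm CLI releases older than 11.5.1 do not perform the OIDC exchange.
  if ! version_ge "$npm_version" "11.5.1"; then
    echo "FAIL: npm $npm_version is older than 11.5.1"
    fails=$((fails + 1))
  fi

  return "$fails"
}

# Run as a workflow step with: sh preflight.sh --run   (file name is hypothetical)
if [ "${1:-}" = "--run" ]; then
  oidc_preflight "${NPM_CONFIG_USERCONFIG:-$HOME/.npmrc}" "$(npm --version)"
  exit $?
fi
```

A non-zero exit fails the step before any publish attempt, and the printed lines name which prerequisite is missing.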
