ci: migrate to npm OIDC trusted publishing (#2261)

josephfusco · web-flow · commit 227ec3c7e354 · 2026-02-12T08:49:55.000-05:00
Replace NPM_TOKEN with OIDC authentication for npm publishing:
- Add id-token permission for OIDC authentication
- Upgrade to Node.js 22.x (includes npm with OIDC support)
- Remove .npmrc creation step and NPM_TOKEN references
- Add publishConfig with provenance to all published packages
diff --git a/.github/workflows/release-packages.yml b/.github/workflows/release-packages.yml
@@ -5,6 +5,11 @@ on:
     branches:
       - canary
 
+permissions:
+  contents: write      # For creating releases/tags
+  pull-requests: write # For creating version PRs
+  id-token: write      # For npm OIDC authentication
+
 jobs:
   release_packages:
     name: Release Packages
@@ -16,22 +21,15 @@ jobs:
           # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
           fetch-depth: 0
 
-      - name: Setup Node.js 18.x
+      - name: Setup Node.js 22.x
         uses: actions/setup-node@v4
         with:
-          node-version: 18.x
+          node-version: 22.x
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Install Dependencies
         run: npm ci
 
-      - name: Create .npmrc
-        run: |
-          cat << EOF > "$HOME/.npmrc"
-            //registry.npmjs.org/:_authToken=$NPM_TOKEN
-          EOF
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
       - name: Create Release Pull Request or Publish to npm
         id: changesets
         uses: changesets/action@v1
@@ -41,7 +39,6 @@ jobs:
           version: npm run version
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: Save Plugin version
         run: |
           json=${{ toJSON(steps.changesets.outputs.publishedPackages) }}
diff --git a/packages/block-editor-utils/package.json b/packages/block-editor-utils/package.json
@@ -58,5 +58,9 @@
 	"engines": {
 		"node": ">=18",
 		"npm": ">=8"
+	},
+	"publishConfig": {
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/blocks/package.json b/packages/blocks/package.json
@@ -43,5 +43,9 @@
   "engines": {
     "node": ">=18",
     "npm": ">=8"
+  },
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
   }
 }
diff --git a/packages/faustwp-cli/package.json b/packages/faustwp-cli/package.json
@@ -59,5 +59,9 @@
 	"engines": {
 		"node": ">=18",
 		"npm": ">=8"
+	},
+	"publishConfig": {
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/faustwp-core/package.json b/packages/faustwp-core/package.json
@@ -98,5 +98,9 @@
 	"engines": {
 		"node": ">=18",
 		"npm": ">=8"
+	},
+	"publishConfig": {
+		"access": "public",
+		"provenance": true
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -58,5 +58,9 @@`
`58`	`58`	`"engines": {`
`59`	`59`	`"node": ">=18",`
`60`	`60`	`"npm": ">=8"`
	`61`	`+ },`
	`62`	`+ "publishConfig": {`
	`63`	`+ "access": "public",`
	`64`	`+ "provenance": true`
`61`	`65`	`}`
`62`	`66`	`}`
Original file line number	Diff line number	Diff line change
`@@ -43,5 +43,9 @@`
`43`	`43`	`"engines": {`
`44`	`44`	`"node": ">=18",`
`45`	`45`	`"npm": ">=8"`
	`46`	`+ },`
	`47`	`+ "publishConfig": {`
	`48`	`+ "access": "public",`
	`49`	`+ "provenance": true`
`46`	`50`	`}`
`47`	`51`	`}`
Original file line number	Diff line number	Diff line change
`@@ -59,5 +59,9 @@`
`59`	`59`	`"engines": {`
`60`	`60`	`"node": ">=18",`
`61`	`61`	`"npm": ">=8"`
	`62`	`+ },`
	`63`	`+ "publishConfig": {`
	`64`	`+ "access": "public",`
	`65`	`+ "provenance": true`
`62`	`66`	`}`
`63`	`67`	`}`
Original file line number	Diff line number	Diff line change
`@@ -98,5 +98,9 @@`
`98`	`98`	`"engines": {`
`99`	`99`	`"node": ">=18",`
`100`	`100`	`"npm": ">=8"`
	`101`	`+ },`
	`102`	`+ "publishConfig": {`
	`103`	`+ "access": "public",`
	`104`	`+ "provenance": true`
`101`	`105`	`}`
`102`	`106`	`}`