From 9dd856db3d7b23e91f7135f05186ed9200841def Mon Sep 17 00:00:00 2001 From: eric sciple Date: Wed, 25 Feb 2026 13:15:38 -0600 Subject: [PATCH] Switch to npm trusted publishing (OIDC) (#327) Replace NPM_TOKEN-based authentication with OIDC trusted publishing. This eliminates the need for long-lived npm access tokens. Changes: - Add id-token: write permission to the release job - Add registry-url to setup-node - Remove the setup authentication step (.npmrc token write) - Remove NPM_TOKEN env var from the Publish packages step Requires trusted publisher configuration on npmjs.com for each package. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/release.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f331485..313ef2f 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -60,6 +60,7 @@ jobs: permissions: contents: write packages: write + id-token: write env: PKG_VERSION: "" # will be set in the workflow @@ -71,6 +72,7 @@ jobs: with: node-version: 22.x cache: "npm" + registry-url: 'https://registry.npmjs.org' scope: '@actions' - name: Parse version from lerna.json @@ -97,13 +99,6 @@ jobs: core.summary.addLink(`Release v${{ env.PKG_VERSION }}`, release.data.html_url); await core.summary.write(); - - name: setup authentication - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - - name: Publish packages run: | - lerna publish ${{ env.PKG_VERSION }} --yes --no-git-reset --no-git-tag-version - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} \ No newline at end of file + lerna publish ${{ env.PKG_VERSION }} --yes --no-git-reset --no-git-tag-version \ No newline at end of file