Switch to npm trusted publishing (OIDC) (#327)

Replace NPM_TOKEN-based authentication with OIDC trusted publishing.
This eliminates the need for long-lived npm access tokens.

Changes:
- Add id-token: write permission to the release job
- Add registry-url to setup-node
- Remove the setup authentication step (.npmrc token write)
- Remove NPM_TOKEN env var from the Publish packages step

Requires trusted publisher configuration on npmjs.com for each package.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
eric sciple
2026-02-25 13:15:38 -06:00
committed by GitHub
parent 4a881d9ea1
commit 9dd856db3d
+3 -8
View File
@@ -60,6 +60,7 @@ jobs:
permissions:
contents: write
packages: write
id-token: write
env:
PKG_VERSION: "" # will be set in the workflow
@@ -71,6 +72,7 @@ jobs:
with:
node-version: 22.x
cache: "npm"
registry-url: 'https://registry.npmjs.org'
scope: '@actions'
- name: Parse version from lerna.json
@@ -97,13 +99,6 @@ jobs:
core.summary.addLink(`Release v${{ env.PKG_VERSION }}`, release.data.html_url);
await core.summary.write();
- name: setup authentication
run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- name: Publish packages
run: |
lerna publish ${{ env.PKG_VERSION }} --yes --no-git-reset --no-git-tag-version
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
lerna publish ${{ env.PKG_VERSION }} --yes --no-git-reset --no-git-tag-version