Switch to npm trusted publishing (OIDC) (#327)
Replace NPM_TOKEN-based authentication with OIDC trusted publishing. This eliminates the need for long-lived npm access tokens. Changes: - Add id-token: write permission to the release job - Add registry-url to setup-node - Remove the setup authentication step (.npmrc token write) - Remove NPM_TOKEN env var from the Publish packages step Requires trusted publisher configuration on npmjs.com for each package. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
@@ -60,6 +60,7 @@ jobs:
|
||||
permissions:
|
||||
contents: write
|
||||
packages: write
|
||||
id-token: write
|
||||
|
||||
env:
|
||||
PKG_VERSION: "" # will be set in the workflow
|
||||
@@ -71,6 +72,7 @@ jobs:
|
||||
with:
|
||||
node-version: 22.x
|
||||
cache: "npm"
|
||||
registry-url: 'https://registry.npmjs.org'
|
||||
scope: '@actions'
|
||||
|
||||
- name: Parse version from lerna.json
|
||||
@@ -97,13 +99,6 @@ jobs:
|
||||
core.summary.addLink(`Release v${{ env.PKG_VERSION }}`, release.data.html_url);
|
||||
await core.summary.write();
|
||||
|
||||
- name: setup authentication
|
||||
run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
|
||||
env:
|
||||
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
|
||||
|
||||
- name: Publish packages
|
||||
run: |
|
||||
lerna publish ${{ env.PKG_VERSION }} --yes --no-git-reset --no-git-tag-version
|
||||
env:
|
||||
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
|
||||
lerna publish ${{ env.PKG_VERSION }} --yes --no-git-reset --no-git-tag-version
|
||||
Reference in New Issue
Block a user