From fbbc26d0a38c51a88c2baec4beab75f620fa53dd Mon Sep 17 00:00:00 2001
From: agarciar
Date: Mon, 25 May 2026 18:01:31 +0200
Subject: [PATCH] ci: publish via npm Trusted Publishing (OIDC), drop NPM_TOKEN

Switch the release workflow to OIDC trusted publishing: remove the NODE_AUTH_TOKEN/NPM_TOKEN secret and let npm (>=11.5.1, installed in the job) exchange the GitHub Actions id-token for a short-lived publish credential, attaching provenance automatically. Requires a Trusted Publisher configured for the package on npmjs.com (repo lostium/angular-deploy-bunny, workflow publish.yml).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/publish.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index c0c0fd1..4d01e75 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     permissions:
       contents: read
-      id-token: write # required for npm provenance
+      id-token: write # required for OIDC trusted publishing + provenance
     steps:
       - uses: actions/checkout@v4
       - run: corepack enable
@@ -21,6 +21,9 @@ jobs:
       - run: pnpm install --frozen-lockfile
       - run: pnpm run build
       - run: pnpm test
+      # Trusted Publishing (OIDC) — no NPM_TOKEN. npm >= 11.5.1 exchanges the
+      # GitHub Actions id-token for a short-lived credential and attaches
+      # provenance automatically. Requires a Trusted Publisher configured for
+      # this package on npmjs.com (repo + workflow file).
+      - run: npm install -g npm@latest
       - run: npm publish --provenance --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
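Review bot: The added `npm install -g npm@latest` step in the second hunk pulls an unpinned npm at release time, and it is the very tool that will mint the publish credential and sign provenance, so the workflow's behaviour now floats with whatever npm publishes next. The commit message already states the requirement as npm >= 11.5.1, so pin that (or a later explicit version) and bump deliberately: `- run: npm install -g npm@11.5.1`. The hunk's own comment says "npm >= 11.5.1" while the step says `@latest`, so pinning also makes the comment and the command agree; `@latest` is not a guarantee of the minimum, only of "newest today". One further thing to verify outside this hunk: the steps between `corepack enable` and `pnpm install --frozen-lockfile` are not shown, and if a setup-node step there still writes an `.npmrc` auth entry keyed on `NODE_AUTH_TOKEN`, the now-unset variable may leave a stale token line that interferes with the OIDC exchange — worth a dry run against the trusted publisher before the next tag.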