From 21621ca32992864b9e9f306dc3086e94fa541474 Mon Sep 17 00:00:00 2001
From: johnxie
Date: Tue, 9 Jun 2026 12:30:22 -0700
Subject: [PATCH] fix(ci): convert release.yml npm publish to OIDC trusted publishing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The auto-release failed with npm E404-on-PUT (npm's unauthorized symptom): the repo switched to OIDC trusted publishing (#26) but release.yml was never converted — it still passed the retired NPM_TOKEN and lacked id-token: write.

Align the Publish step with the proven force-release.yml config:
- job permissions: id-token: write (+ contents/PRs for the changesets PR)
- setup-node@v4 / Node 22, NPM_CONFIG_PROVENANCE: true
- drop NPM_TOKEN / NODE_AUTH_TOKEN
---
 .github/workflows/release.yml | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6d929c1..1a48c09 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,13 @@ jobs:
 release:
 name: Release
 runs-on: ubuntu-latest
+ # npm publishes via OIDC trusted publishing (no tokens) — same config as the
+ # proven force-release.yml. contents/pull-requests are for the changesets
+ # version PR.
+ permissions:
+ id-token: write
+ contents: write
+ pull-requests: write
 steps:
 - name: Checkout
 uses: actions/checkout@v4
@@ -15,9 +22,9 @@ jobs:
 fetch-depth: 0
 - name: Install Node.js
- uses: actions/setup-node@v3
+ uses: actions/setup-node@v4
 with:
- node-version: 20
+ node-version: 22
 registry-url: "https://registry.npmjs.org"
 - name: Install dependencies
@@ -38,5 +45,4 @@ jobs:
 run: yarn run publish
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
\ No newline at end of file
+ NPM_CONFIG_PROVENANCE: true
\ No newline at end of file
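Review bot: The new `permissions:` block grants `contents: write` and `pull-requests: write` job-wide next to `id-token: write`, so every step in the job — including `actions/checkout@v4` and `actions/setup-node@v4`, which are pinned only by major tag — runs with the ability to request an OIDC token that npm trusts and to push to the repository. Trusted publishing itself needs only `id-token: write`; the added comment already says the other two exist for the changesets version PR, so it would help to state that per key, e.g. `contents: write  # changesets version PR only` and `pull-requests: write  # changesets version PR only`, and to pin the actions in this job to commit SHAs so a moved tag cannot become a publish with provenance. The `release` job continues outside the hunk.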
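Review bot: `NPM_CONFIG_PROVENANCE: true` is an unquoted YAML boolean inside `env:`; GitHub Actions stringifies it, but yamllint's `truthy` rule and generic YAML loaders read it as a bool, so `NPM_CONFIG_PROVENANCE: "true"` is the safer spelling, and the new side still carries `\ No newline at end of file`, which rewriting this last line was the natural moment to fix. Provenance via OIDC also depends on the npm CLI that `yarn run publish` ends up invoking being new enough to support trusted publishing; the npm version bundled with Node 22 is not visible here and force-release.yml is described as proven with this config, so this is presumably fine, but a one-line comment on the step naming the minimum npm CLI version expected would make that dependency explicit. The `Publish` step begins outside the hunk.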