Skip to content

Migrate to NPM trusted publishing#82

Merged
liuliu-dev merged 2 commits intomainfrom
liuliu/update-publish-workflow
Jan 14, 2026
Merged

Migrate to NPM trusted publishing#82
liuliu-dev merged 2 commits intomainfrom
liuliu/update-publish-workflow

Conversation

@liuliu-dev
Copy link
Contributor

@liuliu-dev liuliu-dev commented Jan 14, 2026

Updates the publish workflow to use NPM's trusted publishing feature, which uses OIDC authentication instead of npm tokens.

Migration guide: https://docs.npmjs.com/trusted-publishers

@liuliu-dev liuliu-dev requested a review from jonrohan January 14, 2026 22:08
@liuliu-dev liuliu-dev marked this pull request as ready for review January 14, 2026 22:08
@liuliu-dev liuliu-dev requested a review from a team as a code owner January 14, 2026 22:08
Copilot AI review requested due to automatic review settings January 14, 2026 22:08
Copilot AI reviewed Jan 14, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR migrates the NPM publish workflow to use NPM's trusted publishing feature, which replaces manual token-based authentication with OIDC (OpenID Connect) authentication. This enhances security by eliminating the need to manage long-lived NPM tokens.

Changes:

  • Added id-token: write permission to enable OIDC authentication
  • Updated actions/setup-node from v3 to v4 for trusted publishing support
  • Removed the npm whoami debug command and the NODE_AUTH_TOKEN secret usage

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

.github/workflows/publish.yml
- run: npm whoami; npm --ignore-scripts publish
env:
NODE_AUTH_TOKEN: ${{secrets.npm_token}}
- run: npm --ignore-scripts publish
Copy link

Copilot AI Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When using NPM trusted publishing with OIDC, it's recommended to add the --provenance flag to the publish command. This generates signed provenance attestations that provide verifiable information about how the package was built, enhancing supply chain security. Change this line to: npm --ignore-scripts publish --provenance

Suggested change
- run: npm --ignore-scripts publish
- run: npm --ignore-scripts publish --provenance

Copilot uses AI. Check for mistakes.
jonrohan
jonrohan approved these changes Jan 14, 2026
View reviewed changes
.github/workflows/publish.yml

on:
release:
types: [created]
Copy link
Member

@jonrohan jonrohan Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this will work now, but we might want to add another trigger here so we can manually run it

@liuliu-dev liuliu-dev merged commit a2f81a0 into main Jan 14, 2026
4 checks passed
@liuliu-dev liuliu-dev deleted the liuliu/update-publish-workflow branch January 14, 2026 22:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jonrohan jonrohan jonrohan approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@liuliu-dev @jonrohan